NVD Data Feed and Product Integration
The entire NVD database can be downloaded from this web page for public use.
There are no licensing restrictions on using this data, however, we would appreciate being given credit
as is appropriate within products, services, and reports that use our data.
SCAP Data Feeds:
CVE vulnerability feeds: security related software flaws
CCE vulnerability feeds: misconfigurations (UNDER DEVELOPMENT)
CPE product dictionary
CVSS vulnerability impact scoring (included within CVE and CCE vulnerability feeds)
SCAP checklists (XCCDF/OVAL)
Additional Data Feeds:
CVE vendor statements
CVE translation feeds (currently provides Spanish translations)
Product Integration Services:
Linking to NVD vulnerability summaries (CVE and CCE)
Integrating security products with the NVD CVSS calculator
Hosting an NVD CVE/CCE search engine on web sites
NVD logo (for placement on third party web sites to link into NVD)
CVE vulnerability feeds: security related software flaws
NVD/CVE XML Feed with CVSS and CPE mappings (version 1.2)
NVD/CVE XML Data Files:
nvdcve-modified.xml
0.2MB, Updated:9/15/08 at 10:28
nvdcve-recent.xml
0.2MB, Updated:9/15/08 at 10:28
nvdcve-2002.xml
10.5MB, Updated:9/10/08 at 18:37
nvdcve-2003.xml
2.9MB, Updated:9/15/08 at 11:08
nvdcve-2004.xml
5.9MB, Updated:9/15/08 at 11:04
nvdcve-2005.xml
9.7MB, Updated:9/15/08 at 10:58
nvdcve-2006.xml
15.8MB, Updated:9/15/08 at 10:46
nvdcve-2007.xml
13.5MB, Updated:9/15/08 at 10:26
nvdcve-2008.xml
7.5MB, Updated:9/15/08 at 10:10
nvdcve-modified.xml includes all recently published and recently updated vulnerabilities
nvdcve-recent.xml includes all recently published vulnerabilities
nvdcve-2002.xml includes vulnerabilities prior to and including 2002.
Note: The product data in the NVD has been modified to improve the data quality and to use the CPE 2.1 format. Please refer to the product mapping for a translation of historic product references to new CPE based references. Legacy CVE XML Feeds are available, these feeds contain data last updated on 09/05/2008.
NVD/CVE XML Schema File:
nvdcve.xsd
Software to Parse NVD XML:
This section contains references to third party software that parses NVD XML files.
We make no claim or warranty regarding this software and do not support it.
We suggest that you review the source code. Use this code at your own risk.
Purdue University (CERIAS)
http://homes.cerias.purdue.edu/~pmeunier/nvd_xml_parser.txt
NVD/CVE RSS Feeds
NVD provides two RSS 1.0 data feeds. The first feed provides information on all recent CVE vulnerabilities.
The second feed provides only fully analyzed CVE vulnerabilities. The advantage of the latter is that we
are able to provide vulnerable product names in the title. The advantage of the former is that you learn
about new CVE vulnerabilities as soon as possible.
nvd-rss.xml (provides all CVE vulnerabilities)
nvd-rss-analyzed.xml (provides all fully analyzed CVE vulnerabilities)
Note: the latter feed provides the same vulnerabilities as the former but the entries are slightly delayed and have more information
CPE Product Dictionary
NVD has adopted the
Common Platform Enumeration
(CPE) standard for vendor and product naming.
The NVD
CPE product dictionary is available here.
Old NVD Product Dictionary Output Format:
nvd_dictionary.txt
2MB, Updated:4/30/08 at 01:55
(WARNING!! This dictionary has been REPLACED by the NVD CPE implementation and will be deleted in the near future)
Official Vendor Statements on CVE Vulnerabilities
NVD provides a service whereby software development organizations can submit
"Official Vendor Statements" on the set of CVE vulnerabilities that apply to
their products. Organizations can submit statements by contacting NVD staff
at
nvd@nist.gov. More information is provided on the
vendor statement page.
The set of statements can be downloaded from the following XML feed.
vendorstatements.xml (version 1.1, updated every 2 hours)
NVD/CVE Translated XML Feed (version 1.0)
NVD provides an XML feed for translations of CVE vulnerabilities into other languages.
Currently,
Inteco (the Spanish government) is translating vulnerabilities into Spanish.
Inteco is solely responsible for the Spanish translation content.
NVD/CVE Translated XML Data Files (this feed will soon be augmented with additional translation information):
nvdcve-modifiedtrans.xml
0.1MB, Updated:9/15/08 at 23:37
nvdcve-2002trans.xml
0.4MB, Updated:9/16/08 at 00:01
nvdcve-2003trans.xml
0.4MB, Updated:9/16/08 at 00:01
nvdcve-2004trans.xml
0.4MB, Updated:9/16/08 at 00:02
nvdcve-2005trans.xml
0.2MB, Updated:9/16/08 at 00:02
nvdcve-2006trans.xml
2.1MB, Updated:9/16/08 at 00:03
nvdcve-2007trans.xml
3.6MB, Updated:9/16/08 at 00:05
nvdcve-2008trans.xml
2.2MB, Updated:9/16/08 at 00:06
nvdcve-modifiedtrans.xml includes all recent translations and recently updated translations
nvdcve-2002trans.xml includes translations for vulnerabilities prior to and including 2002.
NVD/CVE Translation XML Schema File:
nvdcvetrans.xsd
Linking to NVD vulnerability summaries (CVE and CCE)
Any product containing NVD or CVE data can be integrated with the NVD web site vulnerability summaries.
To link to a particular vulnerability summary, simply use the hyperlink format
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0322 where "CVE-2001-0322" is replaced with the
name of the vulnerability of interest.
Note that one can leave out the "CVE" prefix and the link still works
(e.g.,
http://web.nvd.nist.gov/view/vuln/detail?vulnId=2001-0322).
Hosting an NVD CVE/CCE Search Engine on Your Web Site
You can place the following NVD keyword search engine on your own web page using the below code:
<FORM ID="searchform" NAME="searchform" METHOD="POST"
ACTION="http://web.nvd.nist.gov/view/vuln/search" target="_blank">
<b>Search for Vulnerabilities</b><br>
<font color="black" size=1 face="Arial">
Enter vendor, software, or keyword</font><br>
<input type=text name="textsearch" size=16>
<input type=SUBMIT name="Go" value="Go">
</form>
NVD logo (for placement on third party web sites to link into NVD)