Central Vulnerability Database (CVDB) is a source-agnostic vulnerability data repository that consolidates and enriches vulnerability records from multiple security sources into a single, authoritative view. Prior to CVDB, integrations would directly override fields on vulnerability records or create only placeholder entries — when a higher-quality source reported on the same CVE, existing data could be silently overwritten. CVDB replaces this with a configurable, priority-based enrichment framework.
CVDB uses a two-tiered priority system to resolve multi-source conflicts:
- Source-level priority determines default precedence across all fields (e.g., NVD > scanners)
- Field-level priority overrides source defaults for specific fields (e.g., CISA KEV takes precedence for exploit status, while NVD remains authoritative for CVSS scores)
Each integration source’s raw data is preserved in dedicated source-specific tables, while the consolidated CVDB record reflects the highest-priority value for each field. A field update history tracks exactly which source last updated every field, providing full data provenance.
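The two-tier resolution, raw-data preservation and field update history described above, modelled in stand-alone JavaScript. This is an added example, not the plugin's code or the CVDUtil API; the priority numbers (lower wins), field names, status values and the placeholder CVE ID are assumptions.

```javascript
// Added illustration: not the CVDB plugin's code and not the CVDUtil API.
// Assumptions: lower number = higher priority; field names, priority values
// and the CVE ID are constructed placeholders.
const SOURCE_PRIORITY = { NVD: 10, CISA_KEV: 20, SCANNER: 30 }; // source-level tier
const FIELD_PRIORITY = { exploit_status: { CISA_KEV: 1 } };     // field-level tier

function priorityFor(source, field) {
  const override = (FIELD_PRIORITY[field] || {})[source];
  if (override !== undefined) return override; // field-level beats source default
  const p = SOURCE_PRIORITY[source];
  return p === undefined ? Infinity : p;       // unknown sources rank last
}

function createStore() {
  return { raw: {}, consolidated: {}, history: {} };
}

// Ingest one source report. The raw copy is always kept per source; the
// consolidated record changes per field only if the incoming source ranks
// at least as high as the source that last set that field.
function ingest(store, source, cveId, fields) {
  store.raw[source] = store.raw[source] || {};
  store.raw[source][cveId] = Object.assign({}, store.raw[source][cveId], fields);
  const rec = (store.consolidated[cveId] = store.consolidated[cveId] || {});
  const hist = (store.history[cveId] = store.history[cveId] || {});
  const applied = [];
  for (const [field, value] of Object.entries(fields)) {
    // Assumption: an empty value never replaces existing data.
    if (value === undefined || value === null || value === '') continue;
    const holder = hist[field];
    if (holder && priorityFor(source, field) > priorityFor(holder.source, field)) continue;
    rec[field] = value;
    hist[field] = { source, value }; // provenance: who last set this field
    applied.push(field);
  }
  return applied; // fields this report actually changed
}

// Constructed sample: a scanner reports first, then NVD, then CISA KEV,
// then the scanner again with a different score.
function demo() {
  const store = createStore();
  const id = 'CVE-0000-0001'; // placeholder identifier
  ingest(store, 'SCANNER', id, { cvss_score: 9.8, exploit_status: 'none', summary: 'scanner text' });
  ingest(store, 'NVD', id, { cvss_score: 7.5, exploit_status: 'unknown' });
  ingest(store, 'CISA_KEV', id, { exploit_status: 'known exploited', cvss_score: 5.0 });
  store.lastApplied = ingest(store, 'SCANNER', id, { cvss_score: 10.0 });
  return store;
}
```

The late scanner report changes nothing in the consolidated record but is still retained under `raw.SCANNER`, which is what lets an analyst explain a disagreement between the consolidated view and a scanner's own output.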
CVDB serves as the centralized hub that integration plugins feed into via the CVDUtil API. Supported upstream sources include NVD, EUVD, JVN, CISA KEV, EPSS, Microsoft Defender TVM, Prisma Cloud, Qualys, Veracode, GitHub, Black Duck, and Wiz. Downstream consumers — Vulnerability Response, Container Security, and SBOM Response — leverage enriched CVDB data for remediation workflows.
- Priority-Based Data Enrichment — Two-tiered priority system (source-level and field-level) automatically resolves conflicts when multiple sources report on the same vulnerability, ensuring the most trusted data wins.
- Extensible Integration Framework — Out-of-the-box support for authoritative databases, vulnerability scanners, and threat intelligence feeds, with configurable source priority for any additional integration via the CVDUtil API.
- Source-Specific Data Preservation — Raw data from each source is stored in dedicated tables, preserving full fidelity while the consolidated CVD record shows the prioritized view.
- Field Update Tracking — Audit trail of which source last updated each field on every CVD record, enabling transparency and troubleshooting of data provenance.
- Non-CVE to CVE Mapping — Automatically handles non-CVE identifiers (EUVD, JVNDB) by mapping them to CVE records when assignments become available, deactivating duplicate entries.
- CVDB Overview Workspace Tab — Consolidated view of CVDB record details including CVSS scores, EPSS data, exploit status, references, affected software, and CWE classifications.
Initial release of the Central Vulnerability Database (CVD) plugin. The CVDB plugin introduces centralized, priority-based vulnerability data management with support for multi-source enrichment. Key capabilities include:
- Two-tiered priority-based conflict resolution across data sources.
- Source-specific data preservation without overwriting original inputs.
- Field-level update history tracking for full auditability.
- Support for both CVE and non-CVE vulnerability records.
- Out-of-the-box integration with European and Japanese vulnerability data sources, enabling broader global coverage and enrichment.
- Vulnerability Response (sn_vul)
- Security Common (sn_sec_cmn)
Individual integration plugins (NVD, Qualys, Prisma, etc.) are optional and required only for their respective data sources.