Overview VulnTrack’s CVE import engine automatically fetches vulnerability data from authoritative sources, enriching your vulnerability database with threat intelligence, CVSS scores, affected systems, and remediation guidance.
NIST NVD Official National Vulnerability Database with comprehensive CVE coverage
VulnCheck Premium threat intelligence with enhanced metadata and KEV tracking
Data Sources The import engine uses a fallback architecture for reliability:
// From src/app/actions/cve.ts:54 export async function importCve ( cveId : string ) { let source = "NIST/CIRCL" let cveData : any = null let isKEV = false // 1. Try VulnCheck (Primary) const vulnCheckResult = await fetchVulnCheckData ( cveId ) if ( vulnCheckResult ) { source = "VulnCheck" cveData = vulnCheckResult // Check CISA KEV catalog isKEV = await checkKEV ( cveId ) } else { // 2. Fallback to Official NIST API console . log ( `Fallback to NIST for ${ cveId } ` ) const nistResult = await fetchNistData ( cveId ) if ( nistResult ) { cveData = nistResult } } if ( ! cveData ) { return { success: false , error: "CVE not found in any database" } } }
If VulnCheck API is unavailable or not configured, the system automatically falls back to NIST NVD. No manual intervention required.
VulnCheck Integration VulnCheck provides enhanced threat intelligence:
// From src/app/actions/cve.ts:9 const VULNCHECK_API_KEY = process . env . VULNCHECK_API_KEY const VULNCHECK_BASE_URL = "https://api.vulncheck.com/v3" async function fetchVulnCheckData ( cveId : string ) { if ( ! VULNCHECK_API_KEY ) return null // Fetch from nist-nvd2 index const response = await fetch ( ` ${ VULNCHECK_BASE_URL } /index/nist-nvd2?cve= ${ cveId } ` , { headers: { 'Accept' : 'application/json' , 'Authorization' : `Bearer ${ VULNCHECK_API_KEY } ` }, next: { revalidate: 3600 } // Cache 1 hour } ) const data = await response . json () return data . data ?.[ 0 ] || null }
KEV Detection Vulnerabilities listed in CISA’s Known Exploited Vulnerabilities catalog represent active threats. VulnTrack automatically flags these and boosts risk scores.
// From src/app/actions/cve.ts:34 async function checkKEV ( cveId : string ) { if ( ! VULNCHECK_API_KEY ) return false const response = await fetch ( ` ${ VULNCHECK_BASE_URL } /index/vulncheck-kev?cve= ${ cveId } ` , { headers: { 'Accept' : 'application/json' , 'Authorization' : `Bearer ${ VULNCHECK_API_KEY } ` }, next: { revalidate: 3600 } } ) const data = await response . json () return data . data && data . data . length > 0 }
NIST NVD Integration The primary fallback source for CVE data:
// From src/lib/cve.ts:1 export async function fetchCveData ( cveId : string ) { try { const response = await fetch ( `https://cve.circl.lu/api/cve/ ${ cveId } ` ) if ( ! response . ok ) return null const data = await response . json () return data } catch ( error ) { console . error ( "Failed to fetch CVE data:" , error ) return null } }
VulnTrack uses the CIRCL.LU mirror of NIST NVD, which provides faster response times and doesn’t require API key authentication for basic queries.
CVE Search The platform includes real-time CVE search:
// From src/app/actions/cve-search.ts:13 export async function searchCVEs ( query : string ) { if ( ! query || query . length < 4 ) { return { success: true , data: [] } } const NIST_BASE_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0" // Check if full CVE ID or keyword search const isCveId = / ^ CVE- \d {4} - \d + $ / i . test ( query ) let url : string if ( isCveId ) { // Direct CVE lookup url = ` ${ NIST_BASE_URL } ?cveId= ${ query . toUpperCase () } ` } else { // Keyword search url = ` ${ NIST_BASE_URL } ?keywordSearch= ${ encodeURIComponent ( query ) } &resultsPerPage=10` } const response = await fetch ( url , { headers: { 'Accept' : 'application/json' , 'apiKey' : NIST_API_KEY // Optional, increases rate limits }, next: { revalidate: 300 } // Cache 5 minutes }) }
Search Capabilities
Direct CVE Lookup : CVE-2024-1234 returns exact matchKeyword Search : apache struts finds related CVEsProduct Search : microsoft windows discovers product vulnerabilities
The import engine extracts comprehensive vulnerability metadata:
CVSS Metrics
Affected Systems
References
// From src/app/actions/cve.ts:92 const metrics = cveData . metrics if ( metrics ?. cvssMetricV31 ) { cvssScore = metrics . cvssMetricV31 [ 0 ]. cvssData . baseScore } else if ( metrics ?. cvssMetricV30 ) { cvssScore = metrics . cvssMetricV30 [ 0 ]. cvssData . baseScore } else if ( metrics ?. cvssMetricV2 ) { cvssScore = metrics . cvssMetricV2 [ 0 ]. cvssData . baseScore }
// From src/app/actions/cve.ts:111 if ( cveData . configurations ) { cveData . configurations . forEach (( config : any ) => { if ( config . nodes ) { config . nodes . forEach (( node : any ) => { if ( node . cpeMatch ) { node . cpeMatch . forEach (( match : any ) => { if ( match . vulnerable && match . criteria ) { // Parse CPE: cpe:2.3:a:vendor:product:version const parts = match . criteria . split ( ':' ) const vendor = parts [ 3 ] const product = parts [ 4 ] const version = parts [ 5 ] !== '*' ? parts [ 5 ] : '' affectedSystems . push ( ` ${ vendor } ${ product } ${ version } ` . trim () ) } }) } }) } }) }
// From src/app/actions/cve.ts:103 if ( cveData . references ) { references = cveData . references . map (( ref : any ) => ({ url: ref . url , source: new URL ( ref . url ). hostname . replace ( 'www.' , '' ) })). slice ( 0 , 5 ) // Limit to top 5 references }
Duplicate Prevention VulnTrack prevents duplicate CVE imports within the same team workspace. Attempting to import an existing CVE will fail gracefully.
// From src/app/actions/vulnerabilities.ts:162 const existingVuln = await prisma . vulnerability . findFirst ({ where: { cveId: data . cveId , teamId: user . teamId } }) if ( existingVuln ) { return { success: false , error: "This CVE has already been imported for your team" } }
Automatic Risk Scoring Imported CVEs receive automatic DREAD scoring:
// From src/app/actions/cve.ts:159 const derivedDread = { damage: Math . min ( 10 , Math . ceil ( cvssScore )), // High CVSS = High Damage reproducibility: 5 , // Default exploitability: isKEV ? 10 : Math . min ( 10 , Math . ceil ( cvssScore )), affectedUsers: 5 , discoverability: 5 , total: 0 // Calculated as average } derivedDread . total = ( derivedDread . damage + derivedDread . reproducibility + derivedDread . exploitability + derivedDread . affectedUsers + derivedDread . discoverability ) / 5
KEV-listed vulnerabilities automatically receive an exploitability score of 10, reflecting active exploitation in the wild.
Default Mitigations Imported vulnerabilities include templated remediation guidance:
// From src/app/actions/vulnerabilities.ts:190 const defaultMitigations = JSON . stringify ([ { step: 1 , title: "Review Vendor Advisory" , desc: "Check official vendor advisory for specific patch instructions" , priority: "High" , eta: "1 day" }, { step: 2 , title: "Apply Security Patches" , desc: "Update affected software to latest secure version" , priority: "Critical" , eta: "3 days" } ])
API Rate Limits NIST NVD : 5 requests per 30 seconds (unauthenticated), 50 requests per 30 seconds (with API key)VulnCheck : Rate limits vary by subscription tier
VulnTrack implements caching to minimize API calls:
fetch ( url , { next: { revalidate: 3600 } // Cache for 1 hour })
Configuration Set environment variables for API access:
# Optional: Enhances rate limits for NIST NVD NIST_API_KEY = your_nist_api_key_here # Optional: Enables VulnCheck premium features VULNCHECK_API_KEY = your_vulncheck_api_key_here
Both API keys are optional. The system works with public NIST data if no keys are configured.
Best Practices
Use CVE IDs When Available : Always link vulnerabilities to official CVE identifiersImport Before Manual Entry : Check CVE databases first to avoid duplicate workReview Affected Systems : Verify auto-detected CPE matches against your actual infrastructureMonitor KEV Status : Set up alerts for newly added KEV vulnerabilitiesUpdate References : CVE data is continuously updated; re-import periodically for latest intel