CVE Metadata Configuration

This module enriches existing CVE nodes in the graph with metadata from external sources. Unlike the deprecated CVE module which imports all CVEs from NIST, this module only fetches metadata for CVEs already present in the graph from other modules (e.g., CrowdStrike, Semgrep, SentinelOne).

Data Sources

  • NVD — CVSS scores, descriptions, references, weaknesses, and CISA KEV (Known Exploited Vulnerabilities) data from the NIST NVD API v2.0 when an API key is provided, otherwise from the NVD JSON feeds.

  • EPSS — Exploit Prediction Scoring System scores from FIRST.org.

Usage

No explicit enable flag is needed. Include cve_metadata in your module list or run all modules.

Enrichment order

cve_metadata only enriches :CVE nodes that are already present in the graph — it does not create them. Modules that produce :CVE nodes (e.g. CrowdStrike, Semgrep, SentinelOne, Trivy) must run before cve_metadata in the same sync. Running all modules in a single cartography invocation is sufficient: the module ordering in cartography/sync.py places cve_metadata after the CVE-producing modules, so the enrichment pass picks up every freshly ingested CVE.

If you run cve_metadata on its own, it enriches the :CVE nodes left in the graph by the previous sync, and skips the step silently if no :CVE nodes exist yet.

Options

  • --cve-metadata-src
    List of metadata sources to enable. Can be specified multiple times. Valid values: nvd, epss.
    Default: all sources enabled.

  • --cve-metadata-nist-api-key-env-var
    Environment variable name holding an NVD API v2.0 key. When set, CVEs are fetched one-by-one via the API (fresher data); otherwise the module downloads yearly JSON feeds.
    Default: none.
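The two points above, that enrichment only touches CVE ids already in the graph (see "Enrichment order") and that the NVD key is read from the environment variable named by --cve-metadata-nist-api-key-env-var, as an added example. This is illustrative code written for this page, not cartography's own implementation: the NVD and EPSS fetchers are passed in as callables so the parsing and merging logic runs offline against constructed responses, the fallback to yearly JSON feeds is left out, and the CVE ids, URLs in the sample data and the parse_nvd_cve/parse_epss/enrich_existing_cves names are all assumptions. The field paths follow the public NVD API v2.0 and FIRST EPSS API response shapes.

```python
# Added example, not cartography's code: selective CVE enrichment.
# Only ids already in the graph are looked up; nothing is created.
import os
from typing import Callable, Iterable, Optional

NVD_API_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"  # NVD API v2.0
EPSS_API_URL = "https://api.first.org/data/v1/epss"              # FIRST EPSS API


def nvd_request_headers(api_key_env_var: Optional[str]) -> dict:
    """Read the NVD key from the env var named on the CLI (never hard-coded).
    An unset variable means unauthenticated access, so no header is sent."""
    if not api_key_env_var:
        return {}
    key = os.environ.get(api_key_env_var)
    return {"apiKey": key} if key else {}


def parse_nvd_cve(payload: dict) -> dict:
    """Pull the stored fields out of one NVD API v2.0 response."""
    out = {}
    for item in payload.get("vulnerabilities", []):
        cve = item["cve"]
        metrics = cve.get("metrics", {})
        base_score = None
        # Prefer CVSS v3.1, then v3.0, then v2 if that is all NVD has.
        for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
            if metrics.get(key):
                base_score = metrics[key][0]["cvssData"]["baseScore"]
                break
        description = next(
            (d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"),
            None,
        )
        out[cve["id"]] = {
            "base_score": base_score,
            "description": description,
            # NVD sets cisaExploitAdd only for CVEs in the CISA KEV catalog.
            "in_cisa_kev": "cisaExploitAdd" in cve,
            "references": [r["url"] for r in cve.get("references", [])],
        }
    return out


def parse_epss(payload: dict) -> dict:
    """Map cve id -> EPSS score/percentile from a FIRST EPSS API response
    (the API returns the numbers as strings)."""
    return {
        row["cve"]: {"epss": float(row["epss"]), "percentile": float(row["percentile"])}
        for row in payload.get("data", [])
    }


def enrich_existing_cves(
    graph_cve_ids: Iterable[str],
    fetch_nvd: Callable[[str], dict],     # cve_id -> NVD API JSON
    fetch_epss: Callable[[list], dict],   # [cve_ids] -> EPSS API JSON
    sources: tuple = ("nvd", "epss"),
) -> dict:
    """Return {cve_id: metadata} for ids already in the graph only."""
    ids = sorted(set(graph_cve_ids))
    result = {cve_id: {} for cve_id in ids}
    if not ids:
        return result  # nothing to enrich: the module's silent skip
    if "nvd" in sources:
        for cve_id in ids:  # one request per CVE, as the API path does
            result[cve_id].update(parse_nvd_cve(fetch_nvd(cve_id)).get(cve_id, {}))
    if "epss" in sources:
        for cve_id, scores in parse_epss(fetch_epss(ids)).items():
            if cve_id in result:  # drop anything the graph does not hold
                result[cve_id].update(scores)
    return result


# Constructed sample responses shaped like the two APIs (placeholder ids, not real data).
SAMPLE_NVD = {
    "CVE-0000-0001": {"vulnerabilities": [{"cve": {
        "id": "CVE-0000-0001",
        "descriptions": [{"lang": "en", "value": "Constructed example description."}],
        "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
        "references": [{"url": "https://example.invalid/advisory"}],
        "cisaExploitAdd": "2024-01-01",
    }}]},
    "CVE-0000-0002": {"vulnerabilities": [{"cve": {
        "id": "CVE-0000-0002",
        "descriptions": [{"lang": "en", "value": "Second constructed entry."}],
        "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 5.0}}]},
    }}]},
}
SAMPLE_EPSS = {"data": [
    {"cve": "CVE-0000-0001", "epss": "0.97", "percentile": "0.99", "date": "2024-01-01"},
    {"cve": "CVE-0000-0003", "epss": "0.01", "percentile": "0.10", "date": "2024-01-01"},
]}


def demo() -> dict:
    """Graph holds 0001 and 0002; EPSS also returns 0003, which must be ignored."""
    return enrich_existing_cves(
        ["CVE-0000-0001", "CVE-0000-0002"],
        fetch_nvd=lambda cve_id: SAMPLE_NVD.get(cve_id, {"vulnerabilities": []}),
        fetch_epss=lambda ids: SAMPLE_EPSS,
    )


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In a real sync the two lambdas would be replaced by HTTP calls to NVD_API_URL (with nvd_request_headers(...) attached) and EPSS_API_URL; the rest of the logic is unchanged, which is the point of injecting them.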

Examples

Enrich CVEs with all sources:

cartography --cve-metadata-src nvd --cve-metadata-src epss

Enrich CVEs with only EPSS scores:

cartography --cve-metadata-src epss