CVE Metadata Schema

CVEMetadata

Enrichment metadata for a CVE node, sourced from NVD and EPSS.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

The CVE ID (e.g., CVE-2024-22075)

description

The english description of the vulnerability

references

Reference URLs

problem_types

A list of CWE identifiers

effect_tags

Controlled-vocabulary labels for the vulnerability’s technical effect (see below)

effect_tags_source

Provenance of effect_tags: cwe, cvss, or none

cvss_version

The CVSS version used (4.0, 3.1, 3.0, or 2.0)

vector_string

The CVSS vector string

attack_vector

The CVSS attack vector

attack_complexity

The CVSS attack complexity

privileges_required

The CVSS privileges required

user_interaction

The CVSS user interaction

scope

The CVSS scope

confidentiality_impact

The CVSS confidentiality impact

integrity_impact

The CVSS integrity impact

availability_impact

The CVSS availability impact

base_score

The CVSS base score

base_severity

The CVSS severity (CRITICAL, HIGH, MEDIUM, LOW)

exploitability_score

The CVSS exploitability score

impact_score

The CVSS impact score

published_date

The date the CVE was published

last_modified_date

The date the CVE was last modified

vuln_status

The vulnerability analysis status

is_kev

Whether this CVE is in the CISA KEV catalog (indexed)

cisa_exploit_add

Date added to CISA KEV catalog (if applicable)

cisa_action_due

CISA remediation due date (if applicable)

cisa_required_action

CISA required remediation action (if applicable)

cisa_vulnerability_name

CISA vulnerability name (if applicable)

epss_score

EPSS probability of exploitation (0.0-1.0)

epss_percentile

EPSS percentile ranking (0.0-1.0)

effect_tags

effect_tags answers “what does this vulnerability let an attacker do?” using a small controlled vocabulary, each value anchored to a MITRE ATT&CK tactic / CWE Common Consequence:

Tag

Anchor

execute-code

ATT&CK Execution / “Execute Unauthorized Code or Commands”

gain-privileges

ATT&CK Privilege Escalation / “Gain Privileges or Assume Identity”

access-credentials

ATT&CK Credential Access / “Read Application Data (credentials)”

bypass-control

ATT&CK Defense Evasion / “Bypass Protection Mechanism”

disclose-data

“Read Files or Directories” / “Read Application Data”

tamper-data

ATT&CK Impact / “Modify Application Data”

deny-service

ATT&CK Impact / “DoS: Crash, Exit, or Restart / Resource Consumption”

Derivation runs at ingest with strict precedence, so a node draws from exactly one source (recorded in effect_tags_source):

  1. CWE (cwe) — preferred. Union of effects mapped from the node’s CWEs via the in-repo CWE_EFFECT_TAGS table (cartography/intel/cve_metadata/effect_tags.py). Uninformative CWEs (NVD-CWE-noinfo, NVD-CWE-Other, generic pillars like CWE-707/CWE-20) contribute nothing.

  2. CVSS (cvss) — fallback only when stage 1 yields nothing, derived from the decomposed CVSS metrics. A “high” C/I/A impact means HIGH on v3/v4 or COMPLETE on v2: high confidentiality_impactdisclose-data, high integrity_impacttamper-data, high availability_impactdeny-service, plus a coarse “straight-shot” (attack_vector=NETWORK + privileges_required=NONE + user_interaction=NONE + high integrity_impact) →execute-code. Degrades gracefully across CVSS versions (the straight-shot rule is skipped on v2, which lacks privileges_required / user_interaction).

  3. none (none) — no usable CWE and no usable CVSS: effect_tags=[].

CVEMetadataFeed

Represents the CVE metadata enrichment feed. Used as a sub-resource for lifecycle management.

Field

Description

firstseen

Timestamp of when a sync job first discovered this node

lastupdated

Timestamp of the last time the node was updated

id

Feed identifier (CVE_METADATA)

source_nvd

Whether NVD enrichment was enabled for this sync

source_epss

Whether EPSS enrichment was enabled for this sync

Relationships

  • A CVEMetadata enriches a CVE

    (:CVEMetadata)-[:ENRICHES]->(:CVE)
    
  • A CVEMetadataFeed is the resource for CVEMetadata nodes

    (:CVEMetadataFeed)-[:RESOURCE]->(:CVEMetadata)