Configuring JSON Support for the NVD Connector

The National Vulnerability Database (NVD) previously published its list of vulnerabilities, known as Common Vulnerabilities and Exposures (CVE), in XML format through its CVE XML feed. The NVD has since introduced a JSON feed and announced that XML support will reach end of life on October 9, 2019. As a result, customers must upgrade their NVD Connector to be compatible with the NVD JSON feed.

Starting September 9, 2019, the JSON 1.1 feed will be available for the NVD connector. Customers must download this feed in order to continue receiving vulnerability information from the JSON feed.

In addition to the JSON feed, customers who upgrade their NVD connector will gain access to the CPE Match Feed. This feed explicitly states which Common Platform Enumerators (CPE) are affected by which CVEs instead of just stating ranges of CPEs, as is often done in the JSON CVE file. This allows for increased accuracy when performing CPE matching.
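
The difference between range-based matching and the explicit enumeration in the CPE Match Feed, as an added illustration that is not RiskVision or connector code. The sample entries are constructed (made-up vendor, product and versions) in the shape of the NVD JSON fields cpe23Uri, versionStartIncluding, versionEndExcluding and cpe_name; the function names are hypothetical.

```python
# Constructed sample data: one version-range entry as it would appear in a CVE's
# configuration, and the CPE Match Feed entry that enumerates the same range.
RANGE = {
    "cpe23Uri": "cpe:2.3:a:example:widget:*:*:*:*:*:*:*:*",
    "versionStartIncluding": "2.4.0",
    "versionEndExcluding": "2.4.10",
}
MATCH_FEED = {"matches": [dict(RANGE, cpe_name=[
    {"cpe23Uri": "cpe:2.3:a:example:widget:%s:*:*:*:*:*:*:*" % v}
    for v in ("2.4.0", "2.4.3_p1", "2.4.9")
])]}

BOUNDS = ("versionStartIncluding", "versionStartExcluding",
          "versionEndIncluding", "versionEndExcluding")

def entry_key(entry):
    """Identify a match string by its CPE pattern plus its version bounds."""
    return (entry["cpe23Uri"],) + tuple(entry.get(b) for b in BOUNDS)

def build_index(match_feed):
    """Map each range entry to the explicit set of CPE names it covers."""
    return {entry_key(m): {n["cpe23Uri"] for n in m.get("cpe_name", [])}
            for m in match_feed["matches"]}

def numeric(version):
    """Dotted-integer parse; returns None for versions that do not fit."""
    parts = version.split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None

def range_verdict(asset_cpe, entry):
    """Range-only matching (start-including/end-excluding bounds only):
    True/False, or None when the asset's version cannot be ordered."""
    asset, pattern = asset_cpe.split(":"), entry["cpe23Uri"].split(":")
    if asset[:5] != pattern[:5]:          # part, vendor and product must agree
        return False
    v = numeric(asset[5])
    lo = numeric(entry["versionStartIncluding"])
    hi = numeric(entry["versionEndExcluding"])
    return None if v is None else lo <= v < hi

def feed_verdict(asset_cpe, entry, index):
    """Match Feed matching: exact membership in the enumerated CPE names."""
    return asset_cpe in index.get(entry_key(entry), set())
```

With the sample data, the asset version 2.4.3_p1 cannot be ordered by the range check (it returns None) but is matched exactly through the enumerated list.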

Customers upgrading to RiskVision version 9.3 or above must upgrade the NVD connector using the steps below. Customers who do not upgrade their RiskVision server must apply the NVD patch, which can be obtained from the Resolver Support Team along with installation instructions. The NVD patch makes the NVD connector compatible with the JSON feed without needing to upgrade the RiskVision server.

To upgrade the NVD connector:

Unless otherwise stated in one of the below steps, it is good practice to delete the previous connector files.
  1. Navigate to C:\Program Files (x86)\Agiliance\NVD Connector\cfg.

  2. Keep a backup of this folder.

  3. Reinstall the NVD connector.

  4. Open the connector.file.properties file and make sure it matches the file you backed up in step 2.

  5. Set the following properties:

    • SupportedFormatExtensions = .xml,.json

    • cve.fromYear = [insert year connector should start importing datafeeds (e.g. 2002)] This defaults to the year 2002, but it is recommended that you set it to the year before the current year.

    • cve.toYear = [insert year connector should stop importing datafeeds (e.g. 2019)] This defaults to the current year.

    • NvdCveUrl=https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-[YEAR].json.zip (only if requestAutoFeed is set to true)

      • The [YEAR] property will be automatically filled in based on the range of the cve.fromYear and cve.toYear properties.

      • If the requestAutoFeed property is set to true, the connector will contact the NVD website specified in the NvdCveUrl property and download the JSON files. If the property is set to false, any valid JSON file downloaded by the customer can be placed in the following location, where it is processed immediately: C:\Program Files (x86)\Agiliance\NVD Connector\data\connector.remote.cve\new. This is useful for customers who wish to download their own CVE files.

    • NvdCpeMatchFeedURL=https://nvd.nist.gov/feeds/json/cpematch/1.0/nvdcpematch-1.0.json.zip

      An NVD connector that has been configured for JSON will not run without the Match Feed provided by the above property.
  6. Open the File_wrapper.conf file.
  7. Set the connector's memory as: 
    • wrapper.java.maxmemory=4096MB

      Users may need to increase their RAM by at least 500 MB in order to support this upgrade.
  8. Restart the NVD connector.
  9. To forcefully update the pre-existing vulnerabilities' CVSS scores when upgrading to RiskVision version 9.3 or above: 
    This step can be skipped for any version of RiskVision below 9.3 as those versions do not support CVSS v3.0 scores.
    1. Disable the following RiskVision jobs before importing the NVD data:
      • Vulnerabilities Affected Entities Incremental Updates

      • Vulnerability Risk Score Calculator

      • Vulnerability Risk Score Initiator

      • Vulnerability Summary Update

      • Search Indexes Builder

    2. Navigate to %AGILIANCE_HOME%/config
    3. Open the agiliance.properties file.
    4. Set the following property to true:
      • com.agiliance.agent.nvd.cve.forceUpdate

        If this property is not set to true, the NVD will only be updated if there is a difference between the vulnerability's published date in the JSON file and the vulnerability's published date in the database. Setting the property to true will bring in CVSS v3.0 data for unchanged vulnerabilities. Once this step has been completed, Resolver recommends changing the value back to False.
        CVSS 3.0 scores will not be populated for CVEs prior to 12/20/2015. Some legacy vulnerabilities, however, may get updated with CVSS 3.0 scores under special circumstances. Further information on CVSS can be found here.
    5. Set the above property to false and resume the activities from sub-step 1 of step 9 once the CVSS values have been updated.
  10. To re-authenticate the NVD Connector:
    1. Open the Administration application in RiskVision.

    2. Navigate to Administration > Connectors.

    3. Click on the NVD Connector in the connectors list.

    4. Under the Status section, click Deny Access.

    5. Click Authenticate. NVD will now exclusively download JSON files rather than XML files.

  11. Once the import is done, re-enable the jobs listed in sub-step 1 of step 9.
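
A preflight check for the properties set in step 5, as an added example that is not part of the connector or of Resolver's tooling. It assumes the file uses plain key=value lines and that [YEAR] expands inclusively over cve.fromYear to cve.toYear; the function names are hypothetical, and flagging any feed URL that is not HTTPS on nvd.nist.gov is this example's own policy.

```python
from urllib.parse import urlparse

# Constructed sample of connector.file.properties (property names from step 5).
SAMPLE = """\
SupportedFormatExtensions = .xml,.json
requestAutoFeed = true
cve.fromYear = 2018
cve.toYear = 2019
NvdCveUrl=https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-[YEAR].json.zip
NvdCpeMatchFeedURL=https://nvd.nist.gov/feeds/json/cpematch/1.0/nvdcpematch-1.0.json.zip
"""

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def feed_urls(props, current_year):
    """Expand [YEAR] over cve.fromYear..cve.toYear (defaults: 2002, current year)."""
    start = int(props.get("cve.fromYear", 2002))
    end = int(props.get("cve.toYear", current_year))
    return [props["NvdCveUrl"].replace("[YEAR]", str(y)) for y in range(start, end + 1)]

def preflight(props, current_year):
    """Return a list of problems with the JSON feed settings; empty means none found."""
    problems = []
    exts = [e.strip().lower() for e in props.get("SupportedFormatExtensions", "").split(",")]
    if ".json" not in exts:
        problems.append("SupportedFormatExtensions does not include .json")
    urls = []
    if "NvdCpeMatchFeedURL" in props:
        urls.append(props["NvdCpeMatchFeedURL"])
    else:
        problems.append("NvdCpeMatchFeedURL is missing; a JSON connector will not run")
    if props.get("requestAutoFeed", "").lower() == "true":
        if "[YEAR]" not in props.get("NvdCveUrl", ""):
            problems.append("NvdCveUrl has no [YEAR] placeholder")
        else:
            urls += feed_urls(props, current_year)
    for url in urls:
        parts = urlparse(url)
        if parts.scheme != "https" or parts.hostname != "nvd.nist.gov":
            problems.append("feed URL is not HTTPS on nvd.nist.gov: " + url)
    return problems
```

Run preflight(parse_properties(text), year) against the edited file before restarting the connector in step 8; an empty list means none of the checked settings is off.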