An Investigation into Vulnerability Databases

Brian Schweigler. An Investigation into Vulnerability Databases. Bachelor's thesis, University of Bern, May 2020.


How vulnerability databases are affiliated with one another, and which of them contributes which data, is non-trivial and has not yet been studied in depth. This raises a major concern about the correctness of the data used in numerous existing studies. To investigate this problem, we first collected publicly available data from the websites of five major database providers, then normalized the entries and correlated them so that the same report could be tracked across different vulnerability databases. 370,298 security reports were extracted, 89% of which were accessible at more than one provider. Surprisingly, many reports were inconsistent with respect to scores and detail descriptions. For CVSS version 3.0, for example, we found an average difference of 0.8 between NVD and Snyk, whereas CVSS version 2.0 remains largely consistent, with a difference of only 0.1 between NVD and RAPID7. Furthermore, we discovered that security-related popularity differs among widely used software, and we show that shared code bases, but not library usage, can be predicted by aggregating security reports over periods of time. Finally, software release cycles become visible when the reports are visualized.
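The normalize-then-correlate step and the cross-provider CVSS comparison described above, as an added example that is not the thesis's own code. The three record shapes, the field names (cvssV2, cvssScore, cvss_v2, identifiers, title) and the CVE identifiers are constructed for this example and are not the providers' real export formats or real vulnerabilities; the point is that each provider must be mapped onto a common key (the CVE ID) before per-version score differences can be computed, and that a record with no extractable CVE ID is dropped rather than mis-keyed.

```python
import re
from collections import defaultdict
from itertools import combinations
from statistics import mean

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample in three provider-specific shapes (assumed, not the real
# export formats). CVE IDs are placeholders, not real vulnerability identifiers.
RAW = {
    "NVD": [
        {"cve": {"id": "CVE-0000-0001"}, "cvssV2": 7.5, "cvssV3": 9.8},
        {"cve": {"id": "CVE-0000-0002"}, "cvssV2": 5.0, "cvssV3": 7.5},
        {"cve": {"id": "CVE-0000-0003"}, "cvssV2": 4.3, "cvssV3": 6.1},
        {"cve": {"id": "CVE-0000-0004"}, "cvssV2": 2.1, "cvssV3": None},
    ],
    "Snyk": [
        {"id": "SNYK-X-1", "identifiers": {"CVE": ["CVE-0000-0001"]}, "cvssScore": 9.1},
        {"id": "SNYK-X-2", "identifiers": {"CVE": ["CVE-0000-0002"]}, "cvssScore": 8.1},
        {"id": "SNYK-X-3", "identifiers": {"CVE": ["CVE-0000-0005"]}, "cvssScore": 5.3},
    ],
    "RAPID7": [
        {"title": "Example flaw (CVE-0000-0001)", "cvss_v2": 7.5},
        {"title": "Example flaw (CVE-0000-0002)", "cvss_v2": 5.0},
        {"title": "Example flaw (CVE-0000-0003)", "cvss_v2": 4.0},
    ],
}


def normalize(provider, rec):
    """Map one provider-specific record to (cve_id, {"v2": ..., "v3": ...}).
    Returns None when no CVE identifier can be extracted, so a report that
    cannot be correlated across providers is dropped rather than mis-keyed."""
    if provider == "NVD":
        cve = rec["cve"]["id"]
        scores = {"v2": rec.get("cvssV2"), "v3": rec.get("cvssV3")}
    elif provider == "Snyk":
        cves = rec.get("identifiers", {}).get("CVE", [])
        cve = cves[0] if cves else None
        scores = {"v2": None, "v3": rec.get("cvssScore")}  # assumed v3-only
    elif provider == "RAPID7":
        m = CVE_RE.search(rec.get("title", ""))
        cve = m.group(0) if m else None
        scores = {"v2": rec.get("cvss_v2"), "v3": None}  # assumed v2-only
    else:
        raise ValueError(f"unknown provider {provider}")
    if cve is None or not CVE_RE.fullmatch(cve):
        return None
    return cve.upper(), scores


def load_reports(raw):
    """Flatten all providers into (provider, cve, scores) tuples."""
    reports = []
    for provider, records in raw.items():
        for rec in records:
            norm = normalize(provider, rec)
            if norm:
                reports.append((provider, norm[0], norm[1]))
    return reports


def correlate(reports):
    """Index reports by CVE so the same report can be tracked across providers."""
    index = defaultdict(dict)
    for provider, cve, scores in reports:
        index[cve][provider] = scores
    return index


def multi_provider_share(reports, index):
    """Fraction of reports whose CVE is also published by another provider."""
    shared = sum(1 for _, cve, _ in reports if len(index[cve]) > 1)
    return shared / len(reports)


def mean_score_difference(index, a, b, version):
    """Mean absolute CVSS difference between providers a and b for one CVSS
    version, over CVEs both score under that version; None if there are none."""
    diffs = []
    for providers in index.values():
        sa = providers.get(a, {}).get(version)
        sb = providers.get(b, {}).get(version)
        if sa is not None and sb is not None:
            diffs.append(abs(sa - sb))
    return round(mean(diffs), 2) if diffs else None


def consistency_report(raw):
    """Report count, multi-provider share, and per-pair/per-version score gaps."""
    reports = load_reports(raw)
    index = correlate(reports)
    out = {"reports": len(reports),
           "multi_provider_share": round(multi_provider_share(reports, index), 2)}
    for a, b in combinations(sorted(raw), 2):
        for version in ("v2", "v3"):
            out[f"{a}/{b}/{version}"] = mean_score_difference(index, a, b, version)
    return out


if __name__ == "__main__":
    for key, value in consistency_report(RAW).items():
        print(key, value)
```

On real data the normalization is where the work is: each provider has its own identifier scheme, and a comparison keyed on anything other than a canonical CVE ID silently compares unrelated reports. Keeping v2 and v3 separate matters as well, since the abstract's finding is exactly that the two versions disagree to different degrees between providers.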

