CVE Library
AdversaryGraph stores vulnerability intelligence as first-class data so analysts can review strict relationships between:
- APT groups and threat actors
- ATT&CK techniques and tactics
- IOCs and source-backed observables
- CVEs, CVSS score fields, CWE weakness IDs, affected CPEs, and known-exploited status
CVSS is not a separate feature: it is stored as score and vector fields inside each CVE record. The feature and page name is CVE Library.
Feed Sources
The initial implementation uses authoritative public feeds:
| Source | Purpose | Stored Fields |
|---|---|---|
| NVD CVE API 2.0 | CVE records, CVSS, CWE, CPE, references, vulnerability status | CVE ID, description, published/modified dates, CVSS vector/score/severity, CWE IDs, CPE matches, references, raw JSON |
| CISA Known Exploited Vulnerabilities | Known exploited status and required action context | CVE ID, vendor/product, vulnerability name, date added, due date, required action, notes, raw JSON |
NVD_API_KEY is optional. Without it, NVD rate limits are lower.
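The table above lists what is kept from each feed. The following is an added example (not AdversaryGraph's own ingestion code) showing how one NVD CVE API 2.0 item and one CISA KEV entry could be normalized into those stored fields while the raw JSON is retained. The sample items are constructed for illustration and use a placeholder CVE ID; the record field names and the `kev` sub-record shape are assumptions, not the platform's schema. The CVSS extraction walks the metric versions NVD may return (3.1, 3.0, then 2.0) and reports records that arrived without any CVSS data, which is the case the `missing-cvss` enrichment endpoint exists for.

```python
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample in the shape of one entry of an NVD CVE API 2.0 "vulnerabilities" list.
# The CVE ID is a placeholder, not a real vulnerability.
SAMPLE_NVD_ITEM: Dict[str, Any] = {
    "cve": {
        "id": "CVE-0000-0001",
        "published": "2024-01-02T10:00:00.000",
        "lastModified": "2024-01-10T12:00:00.000",
        "vulnStatus": "Analyzed",
        "descriptions": [{"lang": "en", "value": "Constructed description for testing."}],
        "metrics": {"cvssMetricV31": [{"cvssData": {
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
        "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}]}],
        "configurations": [{"nodes": [{"cpeMatch": [
            {"vulnerable": True, "criteria": "cpe:2.3:a:example:product:1.0:*:*:*:*:*:*:*"},
            {"vulnerable": False, "criteria": "cpe:2.3:o:example:os:2.0:*:*:*:*:*:*:*"}]}]}],
        "references": [{"url": "https://example.invalid/advisory"}],
    }
}

# Constructed sample in the shape of one CISA KEV catalog entry for the same placeholder CVE.
SAMPLE_KEV_ITEM: Dict[str, Any] = {
    "cveID": "CVE-0000-0001", "vendorProject": "Example", "product": "Product",
    "vulnerabilityName": "Example Product Memory Corruption", "dateAdded": "2024-01-15",
    "dueDate": "2024-02-05", "requiredAction": "Apply updates per vendor instructions.", "notes": "",
}

# Newest CVSS version first; NVD may carry several or none.
CVSS_METRIC_KEYS = ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def extract_cvss(metrics: Dict[str, Any]) -> Optional[Tuple[str, float, str]]:
    """Return (vector, base score, severity) from the newest CVSS version present, else None."""
    for key in CVSS_METRIC_KEYS:
        entries = metrics.get(key) or []
        if entries:
            data = entries[0].get("cvssData", {})
            # CVSS v2 entries keep baseSeverity beside cvssData rather than inside it.
            severity = data.get("baseSeverity") or entries[0].get("baseSeverity")
            return data.get("vectorString"), data.get("baseScore"), severity
    return None


def normalize_nvd_item(item: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten one NVD item into the stored fields and keep the raw payload verbatim."""
    cve = item["cve"]
    description = next((d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"), "")
    cvss = extract_cvss(cve.get("metrics", {}))
    cwe_ids = sorted({d["value"] for w in cve.get("weaknesses", [])
                      for d in w.get("description", []) if d["value"].startswith("CWE-")})
    # Only CPE criteria flagged vulnerable count as affected products.
    cpe_matches = [m["criteria"] for c in cve.get("configurations", []) for n in c.get("nodes", [])
                   for m in n.get("cpeMatch", []) if m.get("vulnerable")]
    return {
        "cve_id": cve["id"],
        "description": description,
        "published": cve.get("published"),
        "last_modified": cve.get("lastModified"),
        "vuln_status": cve.get("vulnStatus"),
        "cvss_vector": cvss[0] if cvss else None,
        "cvss_score": cvss[1] if cvss else None,
        "cvss_severity": cvss[2] if cvss else None,
        "cwe_ids": cwe_ids,
        "cpe_matches": cpe_matches,
        "references": [r["url"] for r in cve.get("references", [])],
        "kev": None,                                   # filled in by apply_kev when listed
        "raw_json": json.dumps(item, sort_keys=True),  # original source payload, untouched
    }


def apply_kev(record: Dict[str, Any], kev_item: Dict[str, Any]) -> Dict[str, Any]:
    """Attach known-exploited context to a record when the KEV entry matches its CVE ID."""
    if kev_item.get("cveID", "").upper() != record["cve_id"].upper():
        return record
    record["kev"] = {
        "vendor_product": f"{kev_item.get('vendorProject')} {kev_item.get('product')}",
        "vulnerability_name": kev_item.get("vulnerabilityName"),
        "date_added": kev_item.get("dateAdded"),
        "due_date": kev_item.get("dueDate"),
        "required_action": kev_item.get("requiredAction"),
        "notes": kev_item.get("notes"),
        "raw_json": json.dumps(kev_item, sort_keys=True),
    }
    return record


def needs_cvss_enrichment(record: Dict[str, Any]) -> bool:
    """True for records imported without any CVSS data (candidates for re-enrichment)."""
    return record["cvss_score"] is None


if __name__ == "__main__":
    rec = apply_kev(normalize_nvd_item(SAMPLE_NVD_ITEM), SAMPLE_KEV_ITEM)
    print(rec["cve_id"], rec["cvss_score"], rec["cvss_severity"], rec["cwe_ids"], bool(rec["kev"]))
```

The KEV match is done on the CVE ID only, so a KEV entry never creates a CVE record by itself; it only annotates one that NVD already supplied.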
Storage Model
The CVE module uses normalized tables and keeps the original source payload:
| Table | Role |
|---|---|
| cve_sources | Feed status, source labels, last sync time, and sync errors |
| cve_records | Normalized CVE, CVSS score, CWE, CPE, KEV fields, and raw JSON |
| cve_technique_links | Evidence-backed CVE-to-ATT&CK technique relationships |
| cve_ioc_links | Evidence-backed CVE-to-IOC relationships |
| cve_actor_links | Evidence-backed CVE-to-APT/group relationships |
Strict Correlation Policy
Stored links are intentionally conservative. The platform creates strong links only when one of these conditions is true:
- the CVE source text or reference explicitly contains an ATT&CK technique ID;
- a local IOC record explicitly contains a CVE ID in its value, description, tags, source URL, or raw enrichment;
- a CVE-tagged IOC already has a source-backed actor relationship, creating a traceable CVE -> IOC -> actor evidence chain;
- an analyst or trusted import flow adds an explicit relationship with source and evidence.
AI can later be used to suggest candidate relationships, but suggested links should not be treated as strong correlation until accepted by an analyst with evidence.
Crosslink Model
The CVE Library exposes bidirectional pivots across the analyst workflow:
| Pivot | Evidence Required | Where It Appears |
|---|---|---|
| CVE -> ATT&CK technique | Explicit ATT&CK ID in CVE source text/reference, or CVE-linked IOC that is already mapped to the technique | CVE detail, technique drawer |
| CVE -> IOC | CVE ID appears in IOC value, description, tags, source URL, or raw enrichment | CVE detail, IOC detail |
| CVE -> APT/group | Direct source-backed actor link, or CVE-linked IOC with an existing actor relationship | CVE detail, ATT&CK Group Library CVEs tab |
Derived paths are shown as paths, for example CVE -> IOC -> actor or CVE -> IOC -> technique, so analysts can see exactly which edge carries the evidence. The platform does not automatically infer CVE -> actor -> every actor technique, because that would overstate the relationship.
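The correlation policy and the crosslink model above can be expressed as one small rule set. The code below is an added example written for this page, not AdversaryGraph's correlation engine; the record layouts, the `Link` fields and the confidence labels (`high` for direct evidence, `medium` for a derived path) are assumptions. It produces only the link kinds the policy allows: a technique link when an ATT&CK ID appears in the CVE text or references, an IOC link when the CVE ID appears in one of the listed IOC fields, and actor or technique links derived through such an IOC, each carrying the path that holds the evidence. It deliberately never walks from an actor to that actor's other techniques.

```python
import re
from dataclasses import dataclass
from typing import Any, Dict, List

ATTACK_ID_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

# Constructed sample records (placeholder CVE, IOC and group IDs, not real intelligence).
CVE: Dict[str, Any] = {
    "cve_id": "CVE-0000-0001",
    "description": "Constructed CVE text. Reported as exploited for initial access (T1190).",
    "references": ["https://example.invalid/advisory"],
}
IOCS: List[Dict[str, Any]] = [
    {"id": "ioc-1", "value": "203.0.113.10", "description": "Scanner probing CVE-0000-0001",
     "tags": [], "source_url": "https://example.invalid/report-1", "raw_enrichment": "",
     "actor_links": [{"actor": "G0000", "source": "https://example.invalid/report-1",
                      "evidence": "vendor report attributes this infrastructure"}],
     "technique_links": ["T1190"]},
    {"id": "ioc-2", "value": "mail.example.invalid", "description": "Unrelated phishing sender",
     "tags": ["phishing"], "source_url": "https://example.invalid/report-2", "raw_enrichment": "",
     "actor_links": [{"actor": "G0001", "source": "https://example.invalid/report-2",
                      "evidence": "unrelated campaign"}],
     "technique_links": ["T1566"]},
]


@dataclass(frozen=True)
class Link:
    cve_id: str
    target_type: str    # "technique", "ioc" or "actor"
    target_id: str
    relationship: str   # "direct" or "derived"
    path: str           # the edge chain that carries the evidence, e.g. "CVE -> IOC -> actor"
    source: str
    evidence: str
    confidence: str


def ioc_mentions_cve(ioc: Dict[str, Any], cve_id: str) -> bool:
    """Policy rule: the CVE ID must appear in value, description, tags, source URL or raw enrichment."""
    pattern = re.compile(r"\b" + re.escape(cve_id) + r"\b", re.IGNORECASE)
    fields = [ioc.get("value", ""), ioc.get("description", ""), ioc.get("source_url", ""),
              str(ioc.get("raw_enrichment", "")), " ".join(ioc.get("tags", []))]
    return any(pattern.search(text) for text in fields)


def direct_technique_links(cve: Dict[str, Any]) -> List[Link]:
    """Policy rule: an ATT&CK technique ID explicitly present in the CVE text or a reference."""
    links = []
    for text in [cve.get("description", "")] + list(cve.get("references", [])):
        for attack_id in ATTACK_ID_RE.findall(text):
            links.append(Link(cve["cve_id"], "technique", attack_id, "direct",
                              "CVE -> technique", "cve_source_text", text, "high"))
    return links


def correlate(cve: Dict[str, Any], iocs: List[Dict[str, Any]]) -> List[Link]:
    """Build the strict link set for one CVE: direct links plus IOC-derived actor/technique paths."""
    cve_id = cve["cve_id"]
    links = direct_technique_links(cve)
    for ioc in iocs:
        if not ioc_mentions_cve(ioc, cve_id):
            continue  # no explicit CVE mention: no link, regardless of what else the IOC is tied to
        links.append(Link(cve_id, "ioc", ioc["id"], "direct", "CVE -> IOC",
                          ioc.get("source_url", ""), f"CVE ID present in IOC {ioc['id']}", "high"))
        # Derived edges inherit the IOC's own source-backed relationships, one hop only.
        for actor in ioc.get("actor_links", []):
            links.append(Link(cve_id, "actor", actor["actor"], "derived", "CVE -> IOC -> actor",
                              actor.get("source", ""), actor.get("evidence", ""), "medium"))
        for attack_id in ioc.get("technique_links", []):
            links.append(Link(cve_id, "technique", attack_id, "derived", "CVE -> IOC -> technique",
                              ioc.get("source_url", ""), f"IOC {ioc['id']} mapped to {attack_id}", "medium"))
    return sorted(set(links), key=lambda l: (l.target_type, l.target_id, l.relationship))


def targets(links: List[Link], target_type: str) -> List[str]:
    """Distinct target IDs of one type, handy for the 'related' views."""
    return sorted({l.target_id for l in links if l.target_type == target_type})


if __name__ == "__main__":
    for link in correlate(CVE, IOCS):
        print(f"{link.target_type:9} {link.target_id:8} {link.relationship:8} {link.path:25} {link.confidence}")
```

Because each derived link records the full path, a reviewer can see that the actor relationship rests on the IOC's attribution rather than on the CVE itself, which is the distinction the validation notes below insist on.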
API
| Endpoint | Purpose |
|---|---|
| GET /api/cve/sources | CVE feed status |
| GET /api/cve/library | Search/filter CVE records |
| GET /api/cve/{cve_id} | CVE detail with CVSS and strict APT/TTP/IOC links |
| GET /api/cve/{cve_id}/graph | Compact CVE correlation graph |
| GET /api/cve/related/technique/{attack_id} | CVEs directly or IOC-derived related to a technique |
| GET /api/cve/related/actor/{actor_attack_id} | CVEs directly or IOC-derived related to an actor |
| GET /api/cve/related/ioc/{indicator_id} | CVEs directly related to an IOC |
| POST /api/cve/sync/all | Sync NVD recent CVEs and CISA KEV, then refresh correlations |
| POST /api/cve/sync/nvd | Sync recent NVD CVE records |
| POST /api/cve/sync/nvd/cve-ids | Enrich specific CVEs from NVD by CVE ID |
| POST /api/cve/sync/nvd/missing-cvss | Enrich CVEs that were imported without CVSS score data |
| POST /api/cve/sync/kev | Sync CISA KEV |
| POST /api/cve/correlate | Rebuild strict local CVE correlations |
| POST /api/sync/cve | Central Reference Sync entrypoint |
Analyst Workflow
- Open CVE Library.
- Sync NVD and CISA KEV.
- Filter by CVE ID, product text, weakness, severity, or CISA KEV status.
- Open a CVE and review CVSS score/vector, CWE/CPE context, references, and known-exploited status.
- Review strict ATT&CK, IOC, and actor links.
- Pivot to Navigator, IOC Library, or ATT&CK Group Library for investigation and detection engineering.
Validation Notes
CVE-to-APT correlation is high risk if treated loosely: a CVE being exploited in the wild does not prove that a specific actor used it. AdversaryGraph therefore keeps source, evidence, relationship type, and confidence on every link.