When a new CVE is identified in the National Vulnerability Database (NVD) from NIST, it will not be reflected in the existing Highlight OSS calculations automatically. A rescan of the application and a re-upload of the CSV results are required to update the existing OSS calculations.
CAST Highlight's CVE database is updated with new entries from the NVD database every 24 hours. Users can also learn about new CVEs by subscribing to CVE notifications, and use that information to decide when to rescan their applications. A subscription to CVE notifications provides automated email notifications from CAST Highlight about newly reported vulnerabilities across an application portfolio (see Automated Email Notifications of New Component Vulnerabilities).
A CVE status flag in the form of a blue pill shows the count of newly discovered vulnerabilities, to help users quickly identify vulnerabilities discovered after the rescan and upload of results. To know more about the blue pill with the count of new vulnerabilities, please refer to How to manage third-party components and vulnerabilities in SCA results.
Solution
CVEs are detected and results displayed only after the application is scanned and the results (CSV files) are uploaded and processed by the platform. To take new CVE updates from the NVD database into account in the OSS calculation, the score must be re-calculated by:
1. Re-scanning the application.
2. Re-submitting the application results and re-calculating the scores for the entire portfolio.
References
To learn how CAST Highlight's SCA database cross-references NIST's National Vulnerability Database (NVD) to detect 150+ thousand known vulnerabilities across the 118+ million Open Source components it lists by crawling various forges such as GitHub, GitLab, Maven Central, NPM, NuGet, RubyGems, Packagist, etc., please refer to How Open Source component detection works. Since October 2021, CAST Highlight also detects CVEs from the GitLab Advisories Community.
NB:
- cvedb is refreshed with NVD information every hour (https://services.nvd.nist.gov/rest/json/cves/2.0)
- cvedb is refreshed with CISA's KEV information every hour (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json)
- SCA/SAM database is not polled periodically; processing occurs mainly at scan upload time.
- CVE data is refreshed frequently and resolved dynamically, but component identity and version mapping are fixed at scan processing time. Because component resolution happens at scan upload time while CVE data can update afterwards, the two can become inconsistent.
- An extraneous CVE will persist if the underlying component or version mapping is incorrect, since CVE updates do not re-evaluate component resolution.
- There are no standard automatic post-upload triggers to reprocess SAM data; re-evaluation generally requires a new scan upload.
- If the API returns a 429 response, a retry mechanism kicks in. Stricter rate limiting can produce 429 errors; they usually self-resolve, but partial processing may occasionally require a re-scan. When an application result is complete, all retries finally succeeded.
- The OSS Security score is not updated automatically when CVE data changes; see the Solution above for how to refresh it.
- The OSS Obsolescence score is computed dynamically against current component versions; a scan from six months ago will reflect today’s version gap, not the gap at the time of the scan.
Ticket Number
35298, 44074, 58173, 56181
Related Pages
Automated Email Notifications of New Component Vulnerabilities
SCA Scan Processing and Component Resolution
API Usage and Rate Limiting Guidelines
OSS Security Score Calculation
OSS Obsolescence and Version Gap Metrics
Component Identification and CVE Mapping
CAST-HIGHLIGHT- Results - SCA - Reasons for False positives in Software Composition Analysis
SCA Vulnerability Data Lifecycle
How to manage third-party components and vulnerabilities in SCA results