Central Vulnerability Database
The Central Vulnerability Database (CVDB) is a source-agnostic vulnerability data repository that consolidates and enriches vulnerability records from multiple security sources into a single, authoritative view. Use CVDB to eliminate conflicting data across your vulnerability integrations and gain full visibility into which source is authoritative for each field.
Before CVDB, integrations would directly override fields on vulnerability records or create only placeholder entries. When a higher-quality source reported on the same Common Vulnerabilities and Exposures (CVEs), existing data could be silently overwritten. CVDB replaces this with a configurable, priority-based enrichment framework that preserves source fidelity while surfacing the most authoritative data for each field.
How Central Vulnerability Database works
CVDB acts as a centralized hub that integration plugins feed into via the CVDUtil API. Each integration source's raw data is preserved in dedicated source-specific tables. The consolidated CVDB record reflects the highest-priority value for each field, and a field update history tracks exactly which source last updated every field, providing full data provenance (a traceable record of where each field value came from).
CVDB uses a two-tier priority system to resolve conflicts when multiple sources report on the same vulnerability:
- Source-level priority: Determines default precedence across all fields. For example, NVD takes precedence over scanner sources by default.
- Field-level priority: Overrides source-level defaults for specific fields. For example, vulnerability intelligence sources such as Mandiant or Recorded Future take precedence for exploit status, while NVD remains authoritative for CVSS scores.
Supported sources
CVDB supports a broad ecosystem of upstream sources spanning authoritative vulnerability databases, enterprise scanners, and threat intelligence feeds:
- Authoritative databases: NVD, EUVD, JVN, CISA KEV, EPSS
- Vulnerability scanners: Microsoft Defender Vulnerability Management, Palo Alto Prisma Cloud, Qualys, Wiz
- Application security tools: Veracode, GitHub, Black Duck
Vulnerability Response, Container Security, and SBOM Response leverage enriched CVDB data for remediation workflows.
CVDB includes a priority configuration for ingesting CVEs. The Vulnerability Entries table (sn_vul_nvd_entry) now supports non-CVE vulnerability databases. When a vulnerability has no CVE identifier, alternative sources such as EUVD and JVN can be used to populate the sn_vul_nvd_entry table.
Viewing vulnerability sources
- Navigate to .
- In the left navigation, select List.
- Under Lists, navigate to .
Priority-based field configuration
Fields are no longer overridden directly. The updated model uses priority-based configuration to define which source provides which field value. This configuration is managed through the Source Configurations [sn_sec_cvd_source_config_list.do] table.
To access Source Configurations, enter sn_sec_cvd_source_config.LIST in the Filter Navigator. Multiple sources that provide CVE information are listed here, each assigned a priority. NVD holds the highest priority, followed by other registered sources.
Source-specific attribute tables
A separate table is maintained for each source, containing attributes specific to that source that enrich CVE records. Rather than writing enrichment data directly to the NVD table, source-specific tables are added as references in CVE records. These tables can be found in sys_db_object_list.do. Attributes from different sources can then be selected within the NVD Entries table [sn_vul_nvd_entry_list.do].
CVDUtil API
CVDUtil is the central API for ingesting vulnerability data into the NVD Entries table. It applies priority-based processing to determine which source's field values are written to the record.
All NVD table ingestion must go through the CVDUtil API. The API enforces the priority configurations and ensures that field-level rules are respected during record creation and updates. The primary method is createOrUpdateCVD. When called, it performs the following operations:
- Checks the configured source priorities to determine which source may override specific fields.
- Runs the process enrich with payload step to apply enrichment data according to priority rules.
- Runs the process source-specific fields step to handle fields that belong exclusively to individual sources. The payload accepts a source field as a separate key.
When a non-CVE vulnerability source maps to multiple CVEs, pass the related CVE identifiers through the cvdlist parameter. The API links the CVD record to all specified CVEs. References and exploit records can also be ingested through this API.
Construct the payload using CVDUtil first, then use it to insert the record. Vulnerability score values can come from different sources. You can configure which source to prioritize for score assignment, and that source's score value takes precedence.
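The following is an added example, written for this page and not ServiceNow's own CVDUtil code, that models the two-tier priority resolution described under "How Central Vulnerability Database works" and the createOrUpdateCVD flow above in plain JavaScript. The priority numbers, the source names' ranks, the field list, and the function names (rankFor, createOrUpdateCvd, provenance, demo) are assumptions for illustration. It keeps each source's raw payload, applies the source-level order by default, lets a field-level override win for exploit status, refuses unregistered sources, and records which source last wrote each field so a lower-priority source cannot silently overwrite a higher-priority one.

```javascript
// Added example (not ServiceNow code): a minimal model of CVDB's two-tier,
// priority-based enrichment. All names and ranks below are assumptions.

// Source-level priority: lower rank wins across all fields by default.
const SOURCE_PRIORITY = { nvd: 1, cisa_kev: 2, mandiant: 3, qualys: 4 };

// Field-level overrides: for the listed field, these sources outrank the
// source-level order (first entry is the most authoritative).
const FIELD_PRIORITY = { exploit_status: ['mandiant', 'cisa_kev'] };

// Fields that flow into the consolidated record. Anything else a source
// sends is kept only in that source's own table.
const ENRICHABLE_FIELDS = ['summary', 'cvss_score', 'exploit_status', 'cwe'];

// Effective rank of a source for one field. Field-level overrides (0, 1, ...)
// sit above every source-level rank (1000 + n). Unknown sources are rejected
// rather than being trusted by accident.
function rankFor(source, field) {
  const overrides = FIELD_PRIORITY[field];
  if (overrides && overrides.includes(source)) return overrides.indexOf(source);
  if (!(source in SOURCE_PRIORITY)) throw new Error('unregistered source: ' + source);
  return 1000 + SOURCE_PRIORITY[source];
}

function newDb() { return { records: {}, seq: 0 }; }

// Ingest one payload from one source. Mirrors the steps the page lists for
// createOrUpdateCVD: check priorities, enrich by priority, keep source fields.
function createOrUpdateCvd(db, source, payload) {
  const id = payload.id;
  const rec = db.records[id] || (db.records[id] = {
    id, fields: {}, lastUpdatedBy: {}, history: [], sources: {},
  });
  // 1. Preserve the raw payload from this source in full (source-specific table).
  rec.sources[source] = Object.assign(rec.sources[source] || {}, payload);
  // 2. For each enrichable field, write only if this source is at least as
  //    authoritative for that field as the source that last wrote it.
  for (const field of ENRICHABLE_FIELDS) {
    if (!(field in payload)) continue;
    const prev = rec.lastUpdatedBy[field];
    if (prev && rankFor(prev, field) < rankFor(source, field)) {
      rec.history.push({ seq: ++db.seq, field, source, applied: false, keptFrom: prev });
      continue;
    }
    rec.fields[field] = payload[field];
    rec.lastUpdatedBy[field] = source;
    rec.history.push({ seq: ++db.seq, field, source, applied: true });
  }
  return rec;
}

// Which source is currently authoritative for a field on a record (provenance).
function provenance(db, id, field) {
  const rec = db.records[id];
  return rec ? (rec.lastUpdatedBy[field] || null) : null;
}

// Walk-through on a constructed CVE id; all values are made up for the demo.
function demo() {
  const db = newDb();
  createOrUpdateCvd(db, 'qualys', { id: 'CVE-2024-0001', cvss_score: 7.0, summary: 'scanner text', exploit_status: 'unconfirmed', qid: 123456 });
  createOrUpdateCvd(db, 'nvd', { id: 'CVE-2024-0001', cvss_score: 9.8, summary: 'official text', cwe: 'CWE-79' });
  createOrUpdateCvd(db, 'mandiant', { id: 'CVE-2024-0001', exploit_status: 'exploited in the wild' });
  createOrUpdateCvd(db, 'qualys', { id: 'CVE-2024-0001', cvss_score: 7.5 });   // not applied: NVD outranks for CVSS
  createOrUpdateCvd(db, 'nvd', { id: 'CVE-2024-0001', exploit_status: 'n/a' }); // not applied: Mandiant outranks for this field
  return db;
}

const demoDb = demo();
console.log(JSON.stringify(demoDb.records['CVE-2024-0001'].fields));
console.log(JSON.stringify(demoDb.records['CVE-2024-0001'].lastUpdatedBy));
```

The point of the history entries with applied: false is that a rejected write is still visible: when a scanner's CVSS value differs from NVD's, the audit trail shows the attempt and the source whose value was kept, which is what makes a field-level dispute debuggable.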
Key capabilities
- Priority-based data enrichment: A two-tier priority system (source-level and field-level) automatically resolves conflicts when multiple sources report on the same vulnerability, ensuring the most trusted data wins.
- Extensible integration framework: Includes out-of-the-box support for authoritative databases, vulnerability scanners, and threat intelligence feeds. Additional integrations can be configured with custom source priority via the CVDUtil API.
- Source-specific data preservation: Raw data from each source is stored in dedicated tables, preserving full fidelity while the consolidated CVD record presents the prioritized view.
- Field update tracking: An audit trail records which source last updated each field on every CVD record. This enables transparency and troubleshooting of data provenance.
- Non-CVE to CVE mapping: Automatically handles non-CVE identifiers by mapping them to CVE records when assignments become available. Duplicate entries are deactivated.
- CVDB Overview workspace tab: A consolidated workspace view displays CVDB record details, including CVSS scores, EPSS data, exploit status, references, affected software, and CWE classifications.
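As an added example for the non-CVE to CVE mapping capability above and the cvdlist parameter described in the CVDUtil API section, the JavaScript below is written for this page and is not ServiceNow code. It shows a non-CVE identifier arriving before any CVE exists, the same identifier later being linked to two CVE records through a cvdlist-style list, and the earlier standalone placeholder being deactivated so the issue is not counted twice. The identifier formats, store layout, and function names (ingestIdentifier, resolveActive, demo) are assumptions.

```javascript
// Added example (not ServiceNow code): non-CVE identifiers, cvdlist-style
// linking to one or more CVEs, and deactivation of the resulting duplicate.
// Names and the store layout are assumptions for illustration.

const CVE_PATTERN = /^CVE-\d{4}-\d{4,}$/;

function newStore() { return { records: {}, aliasIndex: {} }; }

function getOrCreate(store, id, source) {
  let rec = store.records[id];
  if (!rec) {
    rec = store.records[id] = { id, active: true, sources: [], aliases: [], supersededBy: [] };
  }
  if (!rec.sources.includes(source)) rec.sources.push(source);
  return rec;
}

// Ingest an identifier reported by a source. For a non-CVE id, cvdlist holds
// the CVE ids it maps to; an empty list means no CVE has been assigned yet.
// Returns the ids of the active records the data now lives on.
function ingestIdentifier(store, source, id, cvdlist) {
  cvdlist = cvdlist || [];
  if (CVE_PATTERN.test(id)) {
    getOrCreate(store, id, source);
    return [id];
  }
  for (const cve of cvdlist) {
    if (!CVE_PATTERN.test(cve)) throw new Error('cvdlist entry is not a CVE id: ' + cve);
  }
  if (cvdlist.length === 0) {
    // No CVE yet: the native id is itself the active record until one appears.
    getOrCreate(store, id, source);
    return [id];
  }
  // One or more CVEs are known: link the alias to each CVE record ...
  for (const cve of cvdlist) {
    const rec = getOrCreate(store, cve, source);
    if (!rec.aliases.includes(id)) rec.aliases.push(id);
  }
  store.aliasIndex[id] = cvdlist.slice();
  // ... and retire any standalone placeholder created before the assignment,
  // carrying its sources over so provenance is not lost.
  const placeholder = store.records[id];
  if (placeholder && placeholder.active) {
    placeholder.active = false;
    placeholder.supersededBy = cvdlist.slice();
    for (const cve of cvdlist) {
      const rec = store.records[cve];
      for (const s of placeholder.sources) if (!rec.sources.includes(s)) rec.sources.push(s);
    }
  }
  return cvdlist.slice();
}

// Resolve any identifier (CVE or non-CVE) to the active records representing it.
function resolveActive(store, id) {
  const rec = store.records[id];
  if (rec && rec.active) return [rec];
  const targets = store.aliasIndex[id] || (rec ? rec.supersededBy : []);
  return targets.map((cve) => store.records[cve]).filter((r) => r && r.active);
}

// Constructed scenario: an EUVD-style id arrives first without a CVE, is later
// mapped to two CVEs, and a scanner then reports one of those CVEs directly.
function demo() {
  const store = newStore();
  ingestIdentifier(store, 'euvd', 'EUVD-2024-12345', []);
  ingestIdentifier(store, 'euvd', 'EUVD-2024-12345', ['CVE-2024-1111', 'CVE-2024-1112']);
  ingestIdentifier(store, 'qualys', 'CVE-2024-1111', []);
  return store;
}

const demoStore = demo();
console.log(resolveActive(demoStore, 'EUVD-2024-12345').map((r) => r.id).join(', '));
```

Resolving through the alias index rather than the placeholder record is what keeps workflows pointed at the CVE records after the mapping lands; the deactivated placeholder remains in the store for audit but is never returned as active.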