CVE and CCE lists

The CVE & CCE Lists view allows you to import downloaded CVE and CCE lists and display the imported lists in tabular format. Once imported, the content of these lists populates the Properties windows of the rules contained in a package or the rules of a scan result, to provide the available information about the CVEs and CCEs the rule contains.

  • CVE (Common Vulnerabilities and Exposures) is a dictionary of common names (that is, CVE Identifiers) for publicly known information security vulnerabilities. CVE is now the industry standard for vulnerability and exposure names. CVE Identifiers provide reference points for data exchange so that information security products and services can speak with each other. You can download the CVE List, copy it, redistribute it, reference it, and analyze it, provided you do not modify CVE itself. For more information about CVE and their terms of Use refer to the CVE website .
  • CCE (Common configuration Enumeration) lists provide unique identifiers to security-related system configuration issues in order to improve workflow by facilitating fast and accurate correlation of configuration data across multiple information sources and tools. BMC Client Management currently supports the NVD CCE V2.0 Schema with CCE to 800-53 Mappings.
    If this list is not installed, the CCE identifiers are extracted from the XCCDF rules but not populated. For example, if you use USGCB (Windows 7) with the CCE list, then the CCE list is installed and displayed on the Compliance Management > SCAP Compliance > Configuration > CVE & CCE Lists node and the properties box displays additional information pulled from the CCE list content. If you don't use CCE list then the CCE list is not installed and the extra information is not displayed.


Both of these lists are part of the existing open standards used by NIST in its Security Content Automation Protocol (SCAP) program. Both lists help, through the use of consistent identifiers, to improve data correlation; enable interoperability; foster automation; and ease the gathering of metrics for use in situation awareness, IT security audits, and regulatory compliance. CVE provides this capability for information security vulnerabilities, CCE assigns a unique, common identifier to a particular security-related configuration issue.

The view shows the following information about the imported lists, which are referenced by the SCAP rules and in visualizing the SCAP job results:




The name of the imported file.


The type of the list, that is, if it is a CVE or CCE list.

Integration Date

The date at which the list was imported into the CM database.

Publication Date

The date at which this specific list was made publicly available by its owning organism.

Entry Count

The number of entries, that is, vulnerabilities or configurations that the list includes.

Was this page helpful? Yes No Submitting... Thank you