CVE and CCE lists
The CVE & CCE Lists view allows you to import downloaded CVE and CCE lists and display the imported lists in tabular format. Once imported, the content of these lists populates the Properties windows of the rules contained in a package or the rules of a scan result, to provide the available information about the CVEs and CCEs the rule contains.
- CCE (Common configuration Enumeration) lists provide unique identifiers to security-related system configuration issues in order to improve workflow by facilitating fast and accurate correlation of configuration data across multiple information sources and tools. BMC Client Management currently supports the NVD CCE V2.0 Schema with CCE to 800-53 Mappings.
If this list is not installed, the CCE identifiers are extracted from the XCCDF rules but not populated. For example, if you use USGCB (Windows 7) with the CCE list, then the CCE list is installed and displayed on the Compliance Management > SCAP Compliance > Configuration > CVE & CCE Lists node and the properties box displays additional information pulled from the CCE list content. If you don't use CCE list then the CCE list is not installed and the extra information is not displayed.
Both of these lists are part of the existing open standards used by NIST in its Security Content Automation Protocol (SCAP) program. Both lists help, through the use of consistent identifiers, to improve data correlation; enable interoperability; foster automation; and ease the gathering of metrics for use in situation awareness, IT security audits, and regulatory compliance. CVE provides this capability for information security vulnerabilities, CCE assigns a unique, common identifier to a particular security-related configuration issue.
The view shows the following information about the imported lists, which are referenced by the SCAP rules and in visualizing the SCAP job results:
The name of the imported file.
The type of the list, that is, if it is a CVE or CCE list.
The date at which the list was imported into the CM database.
The date at which this specific list was made publicly available by its owning organism.
The number of entries, that is, vulnerabilities or configurations that the list includes.