This version of the product has reached end of support. The documentation is available for your convenience.

CVE and CCE lists


The CVE & CCE Lists view allows you to import downloaded CVE and CCE lists and display the imported lists in tabular format. Once imported, the content of these lists populates the Properties windows of the rules contained in a package or the rules of a scan result, to provide the available information about the CVEs and CCEs the rule contains.

  • CVE (Common Vulnerabilities and Exposures) is a dictionary of common names (that is, CVE Identifiers) for publicly known information security vulnerabilities. CVE is now the industry standard for vulnerability and exposure names. CVE Identifiers provide reference points for data exchange so that information security products and services can speak with each other. You can download the CVE List, copy it, redistribute it, reference it, and analyze it, provided you do not modify CVE itself. For more information about CVE and its terms of use, refer to the CVE website.
  • CCE (Common Configuration Enumeration) lists provide unique identifiers for security-related system configuration issues in order to improve workflow by facilitating fast and accurate correlation of configuration data across multiple information sources and tools. For more information about CCE and its terms of use, refer to the CCE website.

Both of these lists are part of the existing open standards used by NIST in its Security Content Automation Protocol (SCAP) program. Through the use of consistent identifiers, both lists help to improve data correlation, enable interoperability, foster automation, and ease the gathering of metrics for use in situation awareness, IT security audits, and regulatory compliance. CVE provides this capability for information security vulnerabilities; CCE assigns a unique, common identifier to a particular security-related configuration issue.

The view shows the following information about the imported lists, which are referenced by the SCAP rules and used when displaying the SCAP job results:

| Parameter | Description |
|---|---|
| Name | The name of the imported file. |
| Type | The type of the list, that is, whether it is a CVE or CCE list. |
| Integration Date | The date on which the list was imported into the CM database. |
| Publication Date | The date on which this specific list was made publicly available by its owning organization. |
| Entry Count | The number of entries, that is, vulnerabilities or configurations that the list includes. |

 
