How-to

Vulnerabilities: CVE import and what they link to

Pull CVSS from NVD and tie each vulnerability to the affected asset, control, and risk.

Last updated 26 April 2026

The Import by CVE ID box on the Vulnerabilities page calls the NIST NVD API v2.0 to fetch the official description, CVSS base score, CVSS vector string, and publication dates. Paste a CVE ID (e.g. CVE-2024-1234) and click Import — a new vulnerability row is created with severity auto-derived from the CVSS score.

After import, link it to the rest of your data. A vulnerability record has three optional pointers:

  • asset_id — which asset is affected. Joins to your asset inventory.
  • control_id — which control either compensates for it (preventive) or failed to catch it (detective).
  • risk_id — the registered risk this vulnerability falls under, so the risk's residual picture stays honest.

A vuln without these links is a database row. A vuln with them is a tractable remediation item that shows on the right people's dashboards.

Results are cached for 24h to stay within NVD rate limits.
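The import flow described above, sketched as an added example; it is not the product's own code. It assumes severity follows the CVSS v3.x qualitative rating scale (the page does not state the mapping). The function names, the `fetch` callable and the sample response are constructed for illustration.

```python
import re
import time

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
CACHE_TTL = 24 * 3600   # the 24h cache window described above
_cache = {}             # cve_id -> (fetched_at, record)
# Constructed sample in the shape of an NVD API v2.0 response (values invented).
SAMPLE = {"vulnerabilities": [{"cve": {
    "id": "CVE-2024-1234",
    "published": "2024-02-01T10:15:00.000",
    "lastModified": "2024-02-05T08:00:00.000",
    "descriptions": [{"lang": "en", "value": "Constructed example description."}],
    "metrics": {"cvssMetricV31": [{"type": "Primary", "cvssData": {
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "baseScore": 9.8}}]}}}]}

def severity(score):  # CVSS v3.x qualitative severity rating scale (assumed mapping)
    if score is None:
        return "unscored"  # no v3 metric in the response yet
    for floor, label in ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")):
        if score >= floor:
            return label
    return "none"

def parse(cve_id, payload):
    cve = next((v["cve"] for v in payload.get("vulnerabilities", [])
                if v["cve"]["id"] == cve_id), None)
    if cve is None:
        raise LookupError(f"{cve_id} not found in response")
    metrics = cve.get("metrics", {})
    entries = metrics.get("cvssMetricV31") or metrics.get("cvssMetricV30") or []
    entries = sorted(entries, key=lambda m: m.get("type") != "Primary")  # Primary first
    data = entries[0]["cvssData"] if entries else {}
    desc = next((d["value"] for d in cve.get("descriptions", []) if d["lang"] == "en"), "")
    return {"cve_id": cve_id, "description": desc, "published": cve.get("published"),
            "last_modified": cve.get("lastModified"), "cvss_score": data.get("baseScore"),
            "cvss_vector": data.get("vectorString"), "severity": severity(data.get("baseScore")),
            "asset_id": None, "control_id": None, "risk_id": None}  # linked after import

def import_cve(cve_id, fetch, now=time.time):  # fetch: hypothetical callable doing the HTTP GET
    cve_id = cve_id.strip().upper()
    if not CVE_RE.match(cve_id):
        raise ValueError(f"not a CVE ID: {cve_id!r}")  # reject before any request is built
    hit = _cache.get(cve_id)
    if hit and now() - hit[0] < CACHE_TTL:
        return hit[1]  # served from cache, no NVD call
    record = parse(cve_id, fetch(cve_id))
    _cache[cve_id] = (now(), record)
    return record
```

The three pointers start as `None` because the lookup knows nothing about your inventory; a record that still has all three empty some time after import is a useful thing to report on.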