Description
customer-faltona Gong snippet: https://us-65885.app.gong.io/call?id=8424385758379815689&highlights=%5B%7B%22type%22%3A%22SHARE%22%2C%22from%22%3A167%2C%22to%22%3A543%7D%5D
Problem
customer-faltona's security team needs to create Jira tickets for CVE remediation work. Currently, they can only use CVE numbers or package names as ticket titles. CVE numbers alone aren't descriptive, and package names are problematic because they don't always exist and multiple CVEs can affect the same package, resulting in confusing duplicate-looking titles. This makes it difficult to quickly understand what vulnerability a ticket addresses.
What have you tried?
Up to this point, just a lot of manual work: looking at the CVE numbers reported in Fleet, then manually cross-referencing CVE.org or other sources for more context so triage can occur.
Potential solutions
Integrate with CVE.org (the upstream source of truth for CVEs) to pull CVE titles, rather than relying solely on NIST, which strips titles from its data feed. Approximately 75% of CVEs have titles available in CVE.org. These titles provide human-readable descriptions (e.g., "netfilter vulnerability" rather than just "CVE-2024-XXXXX").
What is the expected workflow as a result of your proposal?
When a CVE is detected on a host, customer-faltona's security team would see a readable title in Fleet that they can use directly in their Jira tickets. This would make vulnerability tickets immediately understandable without needing to look up CVE details separately. The workflow would be: detect CVE in Fleet → see descriptive title → create Jira ticket with meaningful title → engineering team understands the issue at a glance.
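As an added illustration of the "Potential solutions" proposal (example code, not part of Fleet or of this issue): a small function that turns a CVE.org record in the CVE JSON 5.x shape into a Jira-ready summary line, using the CNA-supplied title when present and falling back to the English description for the roughly 25% of records that have no title. The sample records, their placeholder CVE IDs and all descriptive text are constructed for this example.

```python
"""Build a Jira-ready title from a CVE.org record (CVE JSON 5.x shape).
Prefers the CNA 'title' (kept by CVE.org, dropped by the NIST feed), then the
first sentence of the English description, then the bare CVE ID."""
import json

# Constructed samples with placeholder IDs; real records come from
# https://cveawg.mitre.org/api/cve/<CVE-ID> and have the same shape.
SAMPLE_WITH_TITLE = json.dumps({
    "cveMetadata": {"cveId": "CVE-2024-XXXXX", "state": "PUBLISHED"},
    "containers": {"cna": {
        "title": "netfilter: out-of-bounds read in example module",
        "descriptions": [{"lang": "en", "value": "Long prose description."}],
    }},
})
SAMPLE_NO_TITLE = json.dumps({  # the ~25% of records without a title
    "cveMetadata": {"cveId": "CVE-2024-YYYYY", "state": "PUBLISHED"},
    "containers": {"cna": {"descriptions": [
        {"lang": "de", "value": "Nicht-englische Beschreibung."},
        {"lang": "en", "value": "An issue in ExamplePkg before 1.2.3. "
                                "Crafted input causes a crash."},
    ]}},
})
SAMPLE_REJECTED = json.dumps({
    "cveMetadata": {"cveId": "CVE-2024-ZZZZZ", "state": "REJECTED"},
    "containers": {"cna": {"rejectedReasons": [{"lang": "en", "value": "Dup."}]}},
})


def ticket_title(record_json: str, max_len: int = 120) -> str:
    """Return '<CVE-ID>: <title>' for use as a Jira summary line."""
    record = json.loads(record_json)
    meta = record["cveMetadata"]
    cve_id = meta["cveId"]
    if meta.get("state") == "REJECTED":  # rejected IDs should not become tickets
        return f"{cve_id}: REJECTED (see CVE.org record)"
    cna = record.get("containers", {}).get("cna", {})
    title = (cna.get("title") or "").strip()
    if not title:  # fall back to the first sentence of the English description
        for desc in cna.get("descriptions", []):
            text = desc.get("value", "").strip()
            if desc.get("lang", "").lower().startswith("en") and text:
                title = text.split(". ")[0].rstrip(".")
                break
    if not title:
        return cve_id
    if len(title) > max_len:  # keep Jira summaries readable
        title = title[: max_len - 3].rstrip() + "..."
    return f"{cve_id}: {title}"
```

Because several CVEs can affect one package, the CVE ID stays in the summary so two tickets for the same package remain distinguishable.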