Updated with ENISA CNW KEV import
and a table of mapping was created to see if we don’t miss anything in the BCP-07 specification:
KEV → BCP-07 Mapping Table
| Concept | CISA KEV (JSON) | ENISA / EUVD KEV (CSV) | GCVE BCP-07 Field | Mapping Rationale |
|---|---|---|---|---|
| Vulnerability identifier | cveID |
CVE (primary), EUVD (secondary) |
vulnerability.vulnId |
CVE preferred when available; EUVD preserved as reference |
| Exploitation claim | Presence in KEV catalog | Presence in KEV catalog | status.exploited = true |
KEV is a binary assertion |
| Assertion authority | Implicit (CISA catalog) | Implicit (ENISA/CNW catalog) | evidence.source |
Explicit attribution (cisa-kev, enisa-cnw-kev) |
| Assertion strength | KEV inclusion | KEV inclusion | status.status_reason = confirmed |
Closest BCP-07 semantic match |
| Date added / reported | dateAdded |
dateReported |
timestamps.asserted_at |
Date the authority declared exploitation |
| First known exploitation | Not provided | Not provided | timestamps.first_seen_at |
Conservatively set equal to asserted date |
| Local ingestion time | Not provided | Not provided | timestamps.recorded_at |
Added by the collector |
| Status update time | dateAdded |
dateReported |
status.status_updated_at |
Only authoritative timestamp available |
| Evidence type | KEV publication | KEV publication | evidence.type |
vendor_report (CISA), csirt_report (ENISA) |
| Exploitation signal | Implicit | exploitationType |
evidence.signal |
ENISA ransomware → confirmed_compromise, otherwise successful_exploitation |
| Confidence | Implicit | Implicit | evidence.confidence |
Fixed conservative defaults (CISA 0.8 / ENISA 0.75) |
| Affected product / vendor | vendorProject, product |
vendorProject, product |
scope.notes |
Preserved as human-readable context only |
| Description / notes | shortDescription, notes |
shortDescription, notes |
scope.notes, evidence.details |
Avoids inventing structured scope |
| Ransomware indicator | knownRansomwareCampaignUse |
exploitationType |
evidence.details |
Retained verbatim for traceability |
| Threat actors | Not provided | threatActorsExploiting |
evidence.details |
No normalization or attribution inferred |
| Geography / sector | Not provided | Not provided (inferred from CNW members?) | Not populated | BCP-07 forbids guessing |
| References | Implicit | Implicit | references[] |
CVE, EUVD, and catalog URLs added |