Question: how to search fresh data in a RAG system by description alone
This comes from someone building a RAG system for cybersecurity that looks up CVE (security ) records. Because the CVE database keeps growing, the system fetches the latest records live from NIST's NVD API instead of pre-loading everything into a .
When a user asks about a CVE by its exact ID, the API lookup works fine. The problem arises when a user only gives a description, like "a buffer overflow in XYZ software allowing ," and the matching CVE was published after the LLM's — in that case the model has no way to know which CVE ID to look up.
So before the system can even query the NVD API, it first needs a way to identify the correct CVE from free-text description alone. The poster is asking how s typically solve this: , over recent CVEs, rerankers, or some other retrieval strategy.
Key points
- CVE records (public software listings) update constantly, so the system queries NIST's NVD API live instead of storing everything in a
- Looking up a CVE by exact ID works fine via the API, but a free-text description of a newer than the LLM's can't be matched to any CVE ID
- This means an extra retrieval step (, , or a reranker) is needed before the API call, to first identify which CVE the description refers to
- No concrete solution is given yet — the post is purely asking how s handle this