vulnerability-db
Vulnerability database and package search for sources such as Linux, OSV, NVD, GitHub and npm. Powered by sqlite, CVE 5.0, purl, and vers.
https://access.redhat.com/security/data/csaf/v2/advisories/2023/
https://api.msrc.microsoft.com/cvrf/v2.0/swagger/index
While working on a new risk scoring feature for dep-scan, I realized the need for a database for package metadata to prevent querying npm and pypi datasources for each invocation....
Inspired by the CrowdStrike event, where a file containing only zeros got pushed to all users. We need some tests to prevent an empty or corrupted SQLite database from getting...
# Changes
- bugfix for #183 to filtering of hits
- bugfix for #184 adds other advisory prefixes

closes #183 #184
The search_by_cve function uses `"*"` as the version when it calls vers_compare. However, vers_compare does not check for this condition and will therefore return no results when what is desired...
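The wildcard case from the issue above, as an added example that is not vulnerability-db's own `vers_compare`: a small evaluator for vers range strings (`vers:<scheme>/<constraint>|<constraint>...`) that treats a requested version of `"*"` as "any version" and so returns a match instead of silently returning nothing. The function names, the simplified version parser and the handling of multiple intervals are assumptions made for this example.

```python
# Added example, not vulnerability-db's own vers_compare: a small evaluator for
# vers range strings ("vers:<scheme>/<constraint>|<constraint>...") in which a
# requested version of "*" matches every version instead of matching nothing.
# The function names and the simplified version parser are assumptions.
import re
from typing import List, Tuple

WILDCARD = "*"
_OPS = (">=", "<=", "!=", ">", "<", "=")  # longest first so ">=" is not read as ">"


def parse_version(v: str) -> Tuple:
    """Turn '1.10.0-beta2' into a tuple that sorts numerically per segment.
    Numbers become (0, int) and alphabetic runs (1, str), so mixed segments
    stay comparable. Good enough for this example, not a full npm/rpm parser."""
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)


def parse_vers(vers: str) -> List[Tuple[str, str]]:
    """Split a vers string into (operator, version) pairs."""
    if not vers.startswith("vers:"):
        raise ValueError(f"not a vers string: {vers!r}")
    _scheme, _, body = vers[len("vers:"):].partition("/")
    constraints = []
    for raw in body.split("|"):
        c = raw.strip()
        if not c:
            continue
        if c == WILDCARD:
            constraints.append((WILDCARD, WILDCARD))
            continue
        for op in _OPS:
            if c.startswith(op):
                constraints.append((op, c[len(op):]))
                break
        else:
            constraints.append(("=", c))  # a bare version means exact match
    return constraints


def vers_compare(vers: str, version: str) -> bool:
    """True if `version` lies inside the range `vers`.

    The failure mode from the issue is handled up front: "*" (or an empty
    version) means "any version", so it matches unconditionally instead of
    falling through to comparisons that can never succeed.
    """
    if version in ("", WILDCARD):
        return True
    constraints = parse_vers(vers)
    if not constraints or any(op == WILDCARD for op, _ in constraints):
        return True
    v = parse_version(version)
    # Exact matches and exclusions are decided before the interval walk.
    if any(op == "=" and parse_version(b) == v for op, b in constraints):
        return True
    if any(op == "!=" and parse_version(b) == v for op, b in constraints):
        return False
    bounds = sorted((parse_version(b), op) for op, b in constraints
                    if op in (">", ">=", "<", "<="))
    # Walk the sorted bounds: a lower bound opens an interval and the next
    # upper bound closes it. An upper bound with no open interval is
    # open-ended below; a trailing lower bound is open-ended above.
    lower_ok = None
    for b, op in bounds:
        if op in (">", ">="):
            lower_ok = v > b if op == ">" else v >= b
        else:
            upper_ok = v < b if op == "<" else v <= b
            if lower_ok is None:
                if upper_ok:
                    return True
            else:
                if lower_ok and upper_ok:
                    return True
                lower_ok = None
    return bool(lower_ok)


if __name__ == "__main__":
    rng = "vers:npm/>=1.0.0|<2.0.0"
    for requested in ("*", "1.5.0", "2.0.0"):
        print(rng, requested, vers_compare(rng, requested))
```

The check for `"*"` sits before any parsing on purpose: a caller that asks for "every version of this package" should get the same answer whether the stored range is a single interval, several intervals, or itself the wildcard.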
A number of advisory types are absent from the checks to determine which type of search to run. As a result, the search designated is for cpes and turns a...
This may be a Windows bug. When the prebuilt databases are pulled from oras and initialized, it appears they are not extracted correctly. Each is only 8kb and contains a...
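Both the corrupted-database issue (the zero-filled file) and the 8 KB stubs from the failed extraction above can be caught by the same release gate. The following is an added example, not vulnerability-db's own test-suite: it checks the SQLite magic header, runs `PRAGMA integrity_check`, and requires that the expected tables exist and are populated. The table name `cve_data`, the file names and the minimum row count are assumptions for this example, and the sample databases are constructed inline.

```python
# Added example, not vulnerability-db's own tests: release-gate checks for a
# prebuilt SQLite database file that catch a file of zeros, a stub from a
# failed extraction and a schema with no rows. The table name, file names
# and minimum row count are assumptions.
import os
import sqlite3
import tempfile
from typing import Dict, Iterable, Tuple

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def check_vdb_file(path: str, required_tables: Iterable[str],
                   min_rows: int = 1, min_size: int = 0) -> Tuple[bool, str]:
    """Return (ok, reason). Cheap byte-level checks run before SQLite opens the file.
    In CI, min_size would be set to roughly the size of a real build so a
    few-KB stub fails before anything else is looked at."""
    if not os.path.isfile(path):
        return False, "missing file"
    size = os.path.getsize(path)
    if size < min_size:
        return False, f"file is only {size} bytes (< {min_size})"
    with open(path, "rb") as f:
        if f.read(len(SQLITE_MAGIC)) != SQLITE_MAGIC:
            return False, "not a SQLite 3 file (bad header)"
    try:
        con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
        try:
            if con.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
                return False, "integrity_check failed"
            existing = {row[0] for row in con.execute(
                "SELECT name FROM sqlite_master WHERE type = 'table'")}
            for table in required_tables:
                if table not in existing:
                    return False, f"table {table} missing"
                if not table.isidentifier():  # only our own table names go into SQL text
                    return False, f"refusing to query table name {table!r}"
                (count,) = con.execute(f'SELECT count(*) FROM "{table}"').fetchone()
                if count < min_rows:
                    return False, f"table {table} has {count} rows (< {min_rows})"
        finally:
            con.close()
    except sqlite3.DatabaseError as exc:
        return False, f"sqlite error: {exc}"
    return True, "ok"


def build_demo_files(directory: str) -> Dict[str, str]:
    """Constructed inputs: a populated DB, an 8 KB file of zeros, a DB with a
    schema but no rows, and a path that does not exist."""
    good = os.path.join(directory, "good.vdb")
    con = sqlite3.connect(good)
    con.execute("CREATE TABLE cve_data (cve_id TEXT, purl TEXT, vers TEXT)")
    con.executemany("INSERT INTO cve_data VALUES (?, ?, ?)", [
        ("CVE-TEST-0001", "pkg:npm/example", "vers:npm/<1.2.3"),        # constructed rows
        ("CVE-TEST-0002", "pkg:pypi/example", "vers:pypi/>=2.0|<2.5"),
    ])
    con.commit()
    con.close()

    zeros = os.path.join(directory, "zeros.vdb")
    with open(zeros, "wb") as f:
        f.write(b"\x00" * 8192)

    empty = os.path.join(directory, "empty.vdb")
    con = sqlite3.connect(empty)
    con.execute("CREATE TABLE cve_data (cve_id TEXT, purl TEXT, vers TEXT)")
    con.commit()
    con.close()

    return {"good": good, "zeros": zeros, "empty": empty,
            "missing": os.path.join(directory, "absent.vdb")}


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the gate over the constructed files and return each verdict."""
    with tempfile.TemporaryDirectory() as d:
        files = build_demo_files(d)
        return {name: check_vdb_file(path, ["cve_data"]) for name, path in files.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:8s} {'PASS' if ok else 'FAIL'}: {reason}")
```

The header and size checks are there so a broken artifact is rejected without ever being opened by SQLite; the row-count check is what distinguishes a structurally valid but empty build from a usable one.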
Noticed that the app-only database still includes vulnerabilities of type rpm and deb. Example: CVE-2024-6387 https://github.com/AppThreat/vuln-list/blob/main/nvd/2024/CVE-2024-6387.json `cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*` becomes `pkg:rpm/redhat/openshift_container_platform` based on the vers [type](https://github.com/AppThreat/vulnerability-db/blob/e0e3ec87efa18fb63c57a57c6020301add99fb0f/vdb/lib/config.py#L137). We can further attempt to trim...
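The CPE-to-purl step described above, as an added example that is not vulnerability-db's own code: a CPE 2.3 string is split into its fields, the purl type is chosen from the vendor (which is how the redhat CPE ends up as `pkg:rpm/...`), and an app-only filter then drops any purl whose type is an OS package type. The vendor map, the set of OS types, and the second sample CPE (an OpenSSH CPE added for contrast) are assumptions for this example; no purl percent-encoding is attempted.

```python
# Added example, not vulnerability-db's own CPE/purl code: parse a CPE 2.3
# string, derive a purl with the type chosen from the vendor, and filter the
# result for an app-only database by dropping OS package types. The vendor
# map and the OS-type set are assumptions.
import re
from typing import Dict, List, Optional

# Assumed vendor -> purl type mapping, only the entries needed here.
VENDOR_TO_PURL_TYPE: Dict[str, str] = {
    "redhat": "rpm", "debian": "deb", "ubuntu": "deb", "alpine": "apk",
}
OS_PURL_TYPES = {"rpm", "deb", "apk"}  # assumed set of OS-level package types

_CPE_KEYS = ["part", "vendor", "product", "version", "update", "edition",
             "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe: str) -> Dict[str, str]:
    """Split a CPE 2.3 formatted string on unescaped colons into its 11 named fields."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return {k: v.replace("\\:", ":") for k, v in zip(_CPE_KEYS, fields[2:])}


def cpe_to_purl(cpe: str, vendor_map: Dict[str, str] = VENDOR_TO_PURL_TYPE) -> Optional[str]:
    """pkg:<type>/<vendor>/<product>; None for hardware CPEs (part 'h').
    The type comes from the vendor, so an application CPE from a distro
    vendor becomes an rpm/deb purl."""
    c = parse_cpe23(cpe)
    if c["part"] == "h":
        return None
    ptype = vendor_map.get(c["vendor"], "generic")
    return f"pkg:{ptype}/{c['vendor']}/{c['product']}"


def purl_type(purl: str) -> str:
    """'pkg:rpm/redhat/foo' -> 'rpm'."""
    return purl[len("pkg:"):].split("/", 1)[0]


def app_only_purls(cpes: List[str]) -> List[str]:
    """Keep purls whose type is not an OS package type: the filter an app-only
    build needs so rpm/deb rows do not slip in."""
    kept = []
    for cpe in cpes:
        purl = cpe_to_purl(cpe)
        if purl is not None and purl_type(purl) not in OS_PURL_TYPES:
            kept.append(purl)
    return kept


# Constructed sample: the CPE quoted in the issue plus an OpenSSH CPE for contrast.
SAMPLE_CPES = [
    "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:openbsd:openssh:9.7:*:*:*:*:*:*:*",
]

if __name__ == "__main__":
    for cpe in SAMPLE_CPES:
        print(cpe, "->", cpe_to_purl(cpe))
    print("app-only:", app_only_purls(SAMPLE_CPES))
```

Filtering on the purl type rather than on the CPE `part` is deliberate: the redhat entry has `part == "a"`, so a part-based filter would keep exactly the row the issue wants out of the app-only build.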
Support for oracle linux can be added with relative ease, since the data is already available in the vuln-list repo.