AppThreat's vulnerability database and package search library with a built-in file based storage. OSV, CVE, GitHub, npm are the primary sources of vulnerabilities.
Project description
Introduction
This repo is a vulnerability database and package search for sources such as Aqua Security vuln-list, OSV, NVD, GitHub, and NPM. Vulnerability data are downloaded from the sources and stored in a custom file based storage with indexes to allow offline access and quick searches.
Vulnerability Data sources
- Linux vuln-list (Forked from AquaSecurity)
- OSV (1)
- NVD (2)
- GitHub
- NPM
1 - We exclude linux and oss-fuzz feeds by default. Set the environment variable OSV_INCLUDE_FUZZ to include them.
2 - We exclude hardware (h) by default. Set the environment variable NVD_EXCLUDE_TYPES to exclude additional types such as OS (o) or application (a). An empty value means include all categories. Comma separated values are allowed. Eg: o,h
Linux distros
- AlmaLinux
- Debian
- Alpine
- Amazon Linux
- Arch Linux
- RHEL/CentOS
- Rocky Linux
- Ubuntu
- OpenSUSE/SLES
- Photon
- Chainguard
- Wolfi OS
Installation
pip install appthreat-vulnerability-db
Usage
This package is ideal as a library for managing vulnerabilities. This is used by dep-scan, a free open-source dependency audit tool. However, there is a limited cli capability available with few features to test this tool directly.
Download pre-built database
Use the ORAS cli to download a pre-built database containing all application and OS vulnerabilities.
export VDB_HOME=$HOME/vdb
oras pull ghcr.io/appthreat/vdb:v5 -o $VDB_HOME
Cache vulnerability data
Cache application vulnerabilities
vdb --cache
Typical size of this database is over 1.1 GB.
Cache application and OS vulnerabilities
vdb --cache-os
Note the size of the database with OS vulnerabilities is over 3.1 GB.
Cache from just OSV
vdb --cache --only-osv
It is possible to customise the cache behaviour by increasing the historic data period to cache by setting the following environment variables.
- NVD_START_YEAR - Default: 2018. Supports upto 2002
- GITHUB_PAGE_COUNT - Default: 2. Supports upto 20
Periodic sync
To periodically sync the latest vulnerabilities and update the database cache.
vdb --sync
Basic search
It is possible to perform simple search using the cli.
vdb --search android:8.0
vdb --search google:android:8.0
vdb --search android:8.0,simplesamlphp:1.14.11
vdb --search pkg:pypi/xml2dict@0.2.2
Syntax is package:version,package:version or vendor : package : version (Without space)
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for appthreat_vulnerability_db-5.7.1.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | f1f8b3ce3e3bb6613e094b2462b51911fcb77459227384cddbae0e77a01a6ab5 |
|
| MD5 | 2ce1e825d7cc8d62b9751c4d17dd512b |
|
| BLAKE2b-256 | cc3581489b5d9370c20c371f8f8b05f1ca4f0f3b18c5c146c76618d0b85054b5 |
Hashes for appthreat_vulnerability_db-5.7.1-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | b6c82869add01262de16ea4dad53cea88c87fcc55af9e0160ed40e518f1307f2 |
|
| MD5 | a2f0cacb575ead3dab5e4d2d3b67202e |
|
| BLAKE2b-256 | 83c8713e400645b0cc0c97f2996d3a5467f2d96a96410b6315c5ceb517cbd1dc |
