AppThreat's vulnerability database and package search library with a built-in sqlite based storage. OSV, CVE, GitHub, npm are the primary sources of vulnerabilities.
Project description
Introduction
This repo is a vulnerability database and package search for sources such as AppThreat vuln-list, OSV, NVD, and GitHub. Vulnerability data are downloaded from the sources and stored in a sqlite based storage with indexes to allow offline access and efficient searches.
Why vulnerability db?
A good vulnerability database must have the following properties:
Multiple upstream sources are used by vdb to improve accuracy and reduce false negatives. SQLite database containing data in CVE 5.0 schema format is precompiled and distributed as files via ghcr to simplify download. With automatic purl prefix generation even for git repos, searches on the database can be performed with purl, cpe, or even http git url string. Every row in the database uses an open specification such as CVE 5.0 or Package URL (purl and vers) thus preventing the possibility of vendor lock-in.
Vulnerability Data sources
- Linux vuln-list (Forked from AquaSecurity)
- OSV (1)
- NVD
- GitHub
1 - We exclude Linux and oss-fuzz feeds by default. Set the environment variable OSV_INCLUDE_FUZZ
to include them.
Linux distros
- AlmaLinux
- Debian
- Alpine
- Amazon Linux
- Arch Linux
- RHEL/CentOS
- Rocky Linux
- Ubuntu
- OpenSUSE/SLES
- Photon
- Chainguard
- Wolfi OS
Installation
pip install appthreat-vulnerability-db>=6.0.1
To install vdb with optional dependencies such as oras
use the [oras]
or [all]
dependency group.
pip install appthreat-vulnerability-db[all]
NOTE: VDB v6 is a major rewrite to use sqlite database. Current users of depscan v5 must continue using version 5.6.x
pip install appthreat-vulnerability-db==5.6.7
Usage
This package is ideal as a library for managing vulnerabilities. This is used by owasp-dep-scan, a free open-source dependency audit tool. However, there is a limited cli capability available with few features to test this tool directly.
Option 1: Download pre-built database (Recommended)
To download a pre-built sqlite database (refreshed every 6 hours) containing all application and OS vulnerabilities. This step is recommended for all users.
# pip install appthreat-vulnerability-db[all]
vdb --download-image
You can execute this command daily or when a fresh database is required.
Option 2: Download pre-built database (ORAS)
Using ORAS cli might be slightly faster.
export VDB_HOME=$HOME/vdb
oras pull ghcr.io/appthreat/vdbxz:v6 -o $VDB_HOME
tar -xvf *.tar.xz
rm *.tar.xz
Use any sqlite browser or cli tools to load and query the two databases.
data.index.vdb6 - index db with purl prefix and vers
data.vdb6 - Contains source data in CVE 5.0 format stored as a jsonb blob.
Option 3: Manually create the vulnerability database (ADVANCED users)
Cache application vulnerabilities
vdb --cache
The typical size of this database is over 1.1 GB.
Cache application and OS vulnerabilities
vdb --cache-os
Note the size of the database with OS vulnerabilities is over 5 GB.
Cache from just OSV
vdb --cache --only-osv
It is possible to customize the cache behavior by increasing the historic data period to cache by setting the following environment variables.
- NVD_START_YEAR - Default: 2018. Supports up to 2002
- GITHUB_PAGE_COUNT - Default: 2. Supports up to 20
CLI Usage
usage: vdb [-h] [--clean] [--cache] [--cache-os] [--only-osv] [--only-aqua] [--only-ghsa] [--search SEARCH] [--list-malware] [--bom BOM_FILE]
AppThreat's vulnerability database and package search library with a built-in sqlite based storage.
options:
-h, --help show this help message and exit
--clean Clear the vulnerability database cache from platform specific user_data_dir.
--cache Cache vulnerability information in platform specific user_data_dir.
--cache-os Cache OS vulnerability information in platform specific user_data_dir.
--only-osv Use only OSV as the source. Use with --cache.
--only-aqua Use only Aqua vuln-list as the source. Use with --cache.
--only-ghsa Use only recent ghsa as the source. Use with --cache.
--search SEARCH Search for the package or CVE ID in the database. Use purl, cpe, or git http url.
--list-malware List latest malwares with CVE ID beginning with MAL-.
--bom BOM_FILE Search for packages in the CycloneDX BOM file.
--download-image Downloaded pre-created vdb image to platform specific user_data_dir.
CLI search
It is possible to perform a range of searches using the cli.
vdb --search pkg:pypi/xml2dict@0.2.2
# Search based on a purl prefix
vdb --search pkg:pypi/xml2dict
# Full url and short form for swift
vdb --search "pkg:swift/github.com/vapor/vapor@4.39.0"
vdb --search "pkg:swift/vapor/vapor@4.89.0"
# Search by cpe
vdb --search "cpe:2.3:a:npm:gitblame:*:*:*:*:*:*:*:*"
# Search by colon separated values
vdb --search "npm:gitblame:0.0.1"
# Search by CVE id
vdb --search CVE-2024-25169
# Search with wildcard for CVE
vdb --search CVE-2024-%
# Search by git url
vdb --search "https://github.com/electron/electron"
# Search by CycloneDX SBOM
vdb --bom bom.json
List recent malware
To list malware entries with the MAL-
prefix, use the following command.
vdb --list-malware
License
MIT
Discord support
The developers could be reached via the Discord channel for free and paid enterprise support.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for appthreat_vulnerability_db-6.0.5.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 829468d17eb28a57ff3c4217a7638a6799786e868ae4de627a6efa5cad8374af |
|
MD5 | ae227b67c2e98ef183d1c03bef767a57 |
|
BLAKE2b-256 | f49cbeb510fb9579e3bb2176ccf00955cbe32530a473a3b52dc48af42bcecffa |
Hashes for appthreat_vulnerability_db-6.0.5-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 564df8716a73c92160d93643fe26b404572a0355b77f95909ac5fd06842f3635 |
|
MD5 | 13fbac28e0b3adad93f9c9c26e66da70 |
|
BLAKE2b-256 | 114f5e5e907716172a44b4bef23c520f7999a888cf41504f6bce2b3cc9385fae |