AppThreat's vulnerability database and package search library with built-in file-based storage. OSV, CVE, GitHub, and npm are the primary sources of vulnerabilities.

Project description

Introduction

This repository contains a vulnerability database and a package search for OSV, NVD, GitHub, and NPM sources. Vulnerability data is downloaded from these sources and stored in a custom file-based storage system with indexes that enable offline access and quick searches.

Installation

pip install h2-vulnerability-db

Usage

This package is ideal for use as a vulnerability management library, which is how h2-depscan, a dependency auditing tool, uses it. A limited CLI with a few features is also available for testing this tool directly.

Cache vulnerability data

Cache from all sources

vdb --cache

Cache from just OSV

vdb --cache --only-osv

The cache behaviour can be customised to cover a longer period of historic data by setting the following environment variables.

  • NVD_START_YEAR - Default: 2016. Supports up to 2002
  • GITHUB_PAGE_COUNT - Default: 5. Supports up to 20

Periodic sync

To periodically sync the latest vulnerabilities and update the database cache, run:

vdb --sync

Basic search

It is possible to perform a simple search using the CLI.

vdb --search android:8.0

vdb --search google:android:8.0

vdb --search android:8.0,simplesamlphp:1.14.11

The syntax is package:version,package:version or vendor:package:version (without spaces).
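
An added example, not part of the project's own code: a Python helper that turns pinned dependencies into the search string described above and rejects any field that contains a space, colon or comma. The `name==version` / `vendor:name==version` input format, the function names and the sample pins are assumptions made for this illustration, as is joining more than two terms with commas.

```python
import re
import shlex

# Constructed sample input (assumed format): one pin per line.
SAMPLE_PINS = """\
# constructed example pins
android==8.0
google:android==8.0
simplesamlphp == 1.14.11
unpinned-package
"""

# A field may not contain whitespace, ':' or ',' because those delimit the query.
_FIELD = re.compile(r"[^\s:,]+")


def to_search_term(pin):
    """Turn 'name==version' or 'vendor:name==version' into 'name:version' form."""
    name, sep, version = (part.strip() for part in pin.partition("=="))
    if not sep:
        raise ValueError(f"not pinned to a version: {pin!r}")
    fields = name.split(":") + [version]
    if len(fields) not in (2, 3):
        raise ValueError(f"expected package or vendor:package: {pin!r}")
    if not all(_FIELD.fullmatch(f) for f in fields):
        raise ValueError(f"empty field or delimiter inside a field: {pin!r}")
    return ":".join(fields)


def build_query(text):
    """Return (comma-joined query, list of lines that could not be converted)."""
    terms, skipped = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            terms.append(to_search_term(line))
        except ValueError:
            skipped.append(line)
    return ",".join(terms), skipped


def build_command(text):
    """Shell-quoted command line for the search shown on this page."""
    query, _ = build_query(text)
    return "vdb --search " + shlex.quote(query)


if __name__ == "__main__":
    print(build_command(SAMPLE_PINS))
    print("skipped:", build_query(SAMPLE_PINS)[1])
```

Lines that cannot be converted are returned separately rather than dropped silently, so unpinned dependencies remain visible to whoever reviews the audit.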

Source Distribution

h2-vulnerability-db-2.0.2.tar.gz (26.2 kB view details)

Uploaded Source

File details

Details for the file h2-vulnerability-db-2.0.2.tar.gz.

File metadata

  • Download URL: h2-vulnerability-db-2.0.2.tar.gz
  • Upload date:
  • Size: 26.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.15.0 pkginfo/1.8.2 requests/2.23.0 setuptools/44.1.1 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/2.7.18

File hashes

Hashes for h2-vulnerability-db-2.0.2.tar.gz
Algorithm Hash digest
SHA256 1208584364f9b6db235bbf3b9221cd7a44484552a986a7f9a49240625d3bf0c6
MD5 2a8b7f8f1c89c1ab95f8e8bda9840419
BLAKE2b-256 5f31c01228df8bc70e61df1360cf021225e462e98ba604dab0a8eb9dce3e69e1
