# vuln-db

[![License](http://img.shields.io/:license-apache-brightgreen.svg)](http://www.apache.org/licenses/LICENSE-2.0.html)

Proof of concept for OWASP Dependency-Track's own, centralized vulnerability database.

Refer to https://github.com/DependencyTrack/dependency-track/issues/4122 for details.

## Concept

```mermaid
flowchart LR
    A@{ shape: circle, label: "Start" }
    B@{ shape: fork, label: "Fork" }
    C@{ shape: fork, label: "Join" }
    Z@{ shape: dbl-circ, label: "Stop" }
    GH["Import GitHub"]
    NVD["Import NVD"]
    OSV["Import OSV"]
    OTH["Import ..."]
    MR["Merge source<br/>databases"]
    PR["Procure"]
    EN["Enrich"]
    style OTH stroke-dasharray: 5 5
    style EN stroke-dasharray: 5 5
    A --> B
    B --> GH
    B --> NVD
    B --> OSV
    B --> OTH
    GH --> C
    NVD --> C
    OSV --> C
    OTH --> C
    C --> MR
    MR --> PR
    PR --> EN
    EN --> Z
```

## Usage

### Importing

```shell
docker run -it --rm \
  -e 'GITHUB_TOKEN=<your_github_token>' \
  -v "$(pwd):/workspace" \
  -w '/workspace' \
  ghcr.io/dependencytrack/vuln-db:snapshot \
  import github nvd osv
```

This will populate the following database files in parallel:

* `github.sqlite`
* `nvd.sqlite`
* `osv.sqlite`

Note that a token written inline as above ends up in your shell history and is visible in the process list.
Prefer exporting `GITHUB_TOKEN` in your environment and passing `-e GITHUB_TOKEN` without a value,
which makes Docker forward the variable from the host.

### Merging

```shell
docker run -it --rm \
  -v "$(pwd):/workspace" \
  -w '/workspace' \
  ghcr.io/dependencytrack/vuln-db:snapshot \
  merge --output=all.sqlite github.sqlite nvd.sqlite osv.sqlite
```

### Scanning

> [!WARNING]
> Not fully implemented, don't expect useful results yet.

To get a rough idea of the data quality in a database, it can be leveraged
to scan a CycloneDX Bill of Materials. The implementation of this command
is also intended to showcase how matching logic may work.

```shell
docker run -it --rm \
  -v "$(pwd):/workspace" \
  -w '/workspace' \
  ghcr.io/dependencytrack/vuln-db:snapshot \
  scan --ensure-indexes --database=all.sqlite bom.json
```
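To make the matching idea concrete, here is an added example written for this page (it is not the project's `scan` implementation): the purls of a constructed CycloneDX BOM are matched against rows shaped like the `matching_criteria` table from the data model below. It assumes that `versions` holds a `vers:` range string forming a single contiguous range (or `*`) and that versions compare as dotted integers; both are simplifications, and real ecosystems need their own version comparators and the full `vers` interval semantics. All vulnerability identifiers and packages are placeholders.

```python
# Added example for this page, not the project's scan implementation.
# Assumptions: `versions` holds a `vers:` range string (single contiguous range or `*`),
# and versions compare as dotted integers. Real ecosystems need their own comparators.
import json
import re
import sqlite3
from operator import eq, ge, gt, le, lt, ne
from urllib.parse import unquote

SCHEMA = """
create table matching_criteria (
    id integer primary key, source_name text, vuln_id text,
    cpe text, cpe_part text, cpe_vendor text, cpe_product text,
    purl_type text, purl_namespace text, purl_name text, versions text,
    additional_criteria_type text, additional_criteria blob, created_at timestamp
);
"""

# Constructed criteria rows: placeholder vulnerability ids, not real advisories.
CRITERIA = [
    ("osv", "EXAMPLE-0001", "npm", None, "leftpad", "vers:npm/>=1.0.0|<1.3.0"),
    ("github", "EXAMPLE-0001", "npm", None, "leftpad", "vers:npm/<1.3.0"),
    ("nvd", "EXAMPLE-0002", "maven", "org.example", "parser", "vers:maven/>=2.0|<=2.4.1"),
    ("osv", "EXAMPLE-0003", "pypi", None, "requests-mock", "vers:pypi/*"),
]

# Constructed CycloneDX BOM fragment; only `components[].purl` is read.
BOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
  {"name": "leftpad", "version": "1.2.0", "purl": "pkg:npm/leftpad@1.2.0"},
  {"name": "leftpad", "version": "1.3.0", "purl": "pkg:npm/leftpad@1.3.0"},
  {"name": "parser", "version": "2.3", "purl": "pkg:maven/org.example/parser@2.3"},
  {"name": "requests-mock", "version": "1.12.1", "purl": "pkg:pypi/requests-mock@1.12.1"}
]}"""

OPS = {">=": ge, "<=": le, ">": gt, "<": lt, "!=": ne, "=": eq}


def parse_purl(purl):
    """Minimal purl parser: pkg:type/namespace/name@version; qualifiers and subpath are ignored."""
    m = re.fullmatch(r"pkg:([^/]+)/(.+?)(?:@([^?#]+))?(?:\?[^#]*)?(?:#.*)?", purl)
    if not m:
        raise ValueError("not a purl: " + purl)
    ptype, path, version = m.groups()
    parts = [unquote(p) for p in path.split("/")]
    return ptype.lower(), "/".join(parts[:-1]) or None, parts[-1], unquote(version) if version else None


def version_key(version):
    """Comparison key: numeric segments as ints, anything else as text (simplification)."""
    return tuple((0, int(s)) if s.isdigit() else (1, s) for s in re.split(r"[.+-]", version))


def vers_matches(vers, version):
    """True when `version` satisfies every constraint of a `vers:` range, or the range is `*`."""
    body = vers.partition("/")[2]
    if body == "*":
        return True
    key = version_key(version)
    for constraint in body.split("|"):
        op, bound = re.fullmatch(r"(>=|<=|!=|>|<|=)?(.+)", constraint).groups()
        if not OPS[op or "="](key, version_key(bound)):
            return False
    return True


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "insert into matching_criteria (source_name, vuln_id, purl_type, purl_namespace, purl_name, versions)"
        " values (?, ?, ?, ?, ?, ?)", CRITERIA)
    return conn


def scan_bom(conn, bom):
    """Return {purl: sorted [(vuln_id, source_name)]} for components whose purl coordinates
    and version match a criteria row. Components without a version cannot be matched."""
    findings = {}
    for component in bom.get("components", []):
        purl = component.get("purl")
        if not purl:
            continue
        ptype, namespace, name, version = parse_purl(purl)
        if version is None:
            continue
        # `is ?` also matches NULL namespaces (e.g. npm packages without a scope)
        rows = conn.execute(
            "select vuln_id, source_name, versions from matching_criteria"
            " where purl_type = ? and purl_name = ? and purl_namespace is ?",
            (ptype, name, namespace)).fetchall()
        hits = sorted({(v, s) for v, s, versions in rows if vers_matches(versions, version)})
        if hits:
            findings[purl] = hits
    return findings


def run_example():
    """Scan the constructed BOM against the constructed criteria."""
    return scan_bom(build_db(), json.loads(BOM_JSON))


if __name__ == "__main__":
    for purl, hits in run_example().items():
        print(purl, "->", ", ".join(f"{v} ({s})" for v, s in hits))
```

The per-source tuple in the result is deliberate: because the criteria rows keep their `source_name`, a finding can say which sources agree that a version is affected, which is the same per-source bookkeeping the data model is built around.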
## Data model

The following describes the current data model for source databases.  
The model of the database that eventually is distributed to Dependency-Track instances will likely differ.

> [!WARNING]
> The model is experimental and may change frequently. Please let us know if you have suggestions to improve it.

A primary concern of the model is to track what data point was reported by which source.  
We can only make educated decisions as to which source to trust, or what data to prioritize, if we have a complete picture.

```mermaid
erDiagram
    source {
        text name PK
        text display_name
        text license
        text url
    }

    source_metadata {
        text source_name PK, FK
        text key PK
        text value
        timestamp created_at
        timestamp updated_at
    }

    vuln {
        text id PK
    }

    vuln_alias {
        text source_name PK, FK
        text vuln_id PK, FK
        text alias_id PK
        timestamp created_at
        timestamp deleted_at
    }

    vuln_data {
        text source_name PK, FK
        text vuln_id PK, FK
        text description
        text cwes
        timestamp source_created_at
        timestamp source_published_at
        timestamp source_updated_at
        timestamp created_at
        timestamp updated_at
    }

    vuln_rating {
        text source_name PK, FK
        text vuln_id PK, FK
        text method PK
        text severity
        text vector
        real score
        timestamp created_at
        timestamp updated_at
    }

    vuln_reference {
        text source_name PK, FK
        text vuln_id PK, FK
        text url PK
        text name
    }

    matching_criteria {
        integer id PK
        text source_name FK
        text vuln_id FK
        text cpe
        text cpe_part
        text cpe_vendor
        text cpe_product
        text purl_type
        text purl_namespace
        text purl_name
        text versions
        text additional_criteria_type
        blob additional_criteria
        timestamp created_at
    }

    source ||--o{ source_metadata: "used by"
    source ||--o{ vuln_alias: "imported from"
    source ||--o{ vuln_data: "imported from"
    source ||--o{ vuln_rating: "imported from"
    source ||--o{ vuln_reference: "imported from"
    source ||--o{ matching_criteria: "imported from"
    vuln_alias }o--|| vuln: "aliases"
    vuln_data }o--|| vuln: "describes"
    vuln_rating }o--|| vuln: "rates"
    vuln_reference }o--|| vuln: "describes"
    matching_criteria }o--|| vuln: "affects"
```

The complete SQLite schema is located [here](src/main/resources/schema.sql).
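As an added example of working with this model (written for this page, not the project's code): the same vulnerability rated by three sources is kept per source so that nothing is collapsed, and one rating is then chosen deterministically. The preference order used here (newest CVSS method first, then a fixed source order, then the higher score, then the vector text) is an assumption made for the example, and the identifiers are placeholders; the point is that the order is total and stable, so every consumer of the same rows picks the same rating.

```python
# Added example for this page, not the project's code. Tables follow the README's
# `source`, `vuln` and `vuln_rating`; the preference order is an assumption.
import sqlite3

SCHEMA = """
create table source (name text primary key, display_name text, license text, url text);
create table vuln (id text primary key);
create table vuln_rating (
    source_name text references source(name),
    vuln_id text references vuln(id),
    method text, severity text, vector text, score real,
    created_at timestamp, updated_at timestamp,
    primary key (source_name, vuln_id, method)
);
"""

# Constructed rows with placeholder ids: one vulnerability rated by three sources,
# whose CVSSv3 severities disagree, and one rated by a single source.
RATINGS = [
    ("nvd", "CVE-0000-0001", "CVSSv2", "MEDIUM", "AV:N/AC:L/Au:N/C:P/I:N/A:N", 5.0),
    ("github", "CVE-0000-0001", "CVSSv3", "HIGH", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", 7.5),
    ("osv", "CVE-0000-0001", "CVSSv3", "CRITICAL", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", 9.1),
    ("osv", "CVE-0000-0002", "CVSSv3", "LOW", "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N", 1.8),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("insert into source (name) values (?)", [(s,) for s in ("github", "nvd", "osv")])
    conn.executemany("insert into vuln (id) values (?)", [(v,) for v in sorted({r[1] for r in RATINGS})])
    conn.executemany(
        "insert into vuln_rating (source_name, vuln_id, method, severity, vector, score)"
        " values (?, ?, ?, ?, ?, ?)", RATINGS)
    return conn


def ratings_by_source(conn, vuln_id):
    """The complete picture: every source's rating, nothing collapsed."""
    return conn.execute(
        "select source_name, method, severity, score from vuln_rating"
        " where vuln_id = ? order by source_name, method", (vuln_id,)).fetchall()


def conflicting_severities(conn):
    """(vuln_id, method, number of distinct severities): same method, different verdicts."""
    return conn.execute("""
        select vuln_id, method, count(distinct severity)
          from vuln_rating
         group by vuln_id, method
        having count(distinct severity) > 1
         order by vuln_id, method
    """).fetchall()


def pick_rating(conn, vuln_id):
    """Deterministic choice of one rating. The order is an assumption (a fixed source
    order is one option, taking the highest score is another); it only has to be total."""
    return conn.execute("""
        select source_name, method, score, vector
          from vuln_rating
         where vuln_id = ?
         order by case method when 'CVSSv4' then 0 when 'CVSSv3' then 1 when 'CVSSv2' then 2 else 3 end,
                  case source_name when 'nvd' then 0 when 'github' then 1 when 'osv' then 2 else 3 end,
                  score desc,
                  vector
         limit 1
    """, (vuln_id,)).fetchone()


if __name__ == "__main__":
    conn = build_db()
    print(ratings_by_source(conn, "CVE-0000-0001"))
    print(conflicting_severities(conn))
    print(pick_rating(conn, "CVE-0000-0001"))
```

Keeping `method` in the primary key is what allows a source to report both a CVSSv2 and a CVSSv3 rating for the same vulnerability without one overwriting the other, which is why the choice can be made at query time rather than at import time.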
from\"\n    source ||--o{ matching_criteria: \"imported from\"\n    vuln_alias }o--|| vuln: \"aliases\"\n    vuln_data }o--|| vuln: \"describes\"\n    vuln_rating }o--|| vuln: \"rates\"\n    vuln_reference }o--|| vuln: \"describes\"\n    matching_criteria }o--|| vuln: \"affects\"\n```\n\nThe complete SQLite schema is located [here](src/main/resources/schema.sql).\n\n## Extending\n\n### Sources\n\nNew sources can be added by implementing the \n[`Importer`](src/main/java/org/dependencytrack/vulndb/api/Importer.java)\ninterface, and registering the implementation with Java's\n[`ServiceLoader` mechanism](src/main/resources/META-INF/services/org.dependencytrack.vulndb.api.Importer).\n\n`Importer`s are given access to a `Database` object which can be used to store and retrieve source metadata,\nas well as storing `Vulnerability` records. An `Importer`'s only responsibility is to retrieve data from upstream\nsources, and transform it into the internal data model.\n\n## Research\n\nThe database(s) may be used to conduct research on the data across multiple sources.\nGathered insights will help to drive decisions for procurement and enrichment.\n\nSnapshot builds are published to the GitHub Container Registry, both for each source\nindividually, and all sourced merged into one.\n\nThey can be downloaded using [`oras`](https://oras.land/docs/installation), \nand decompressed using [`zstd`](https://github.com/facebook/zstd):\n\n```shell\noras pull ghcr.io/dependencytrack/vuln-db/source/all:snapshot\nzstd --decompress --rm all.sqlite.zst\n```\n\nThe full list of available artifacts can be found [here](https://github.com/DependencyTrack?tab=packages\u0026repo_name=vuln-db).\n\nFor exploratory queries, it's recommended to use [DuckDB](https://duckdb.org/).\nIt has a [SQLite extension](https://duckdb.org/docs/extensions/sqlite.html) that is trivially enabled:\n\n```shell\nduckdb -c 'install sqlite'\n```\n\nRecent versions ship with an [embedded browser 
Recent versions ship with an [embedded browser UI](https://duckdb.org/2025/03/12/duckdb-ui.html), removing the need for separate editors:

```shell
duckdb -ui all.sqlite
```

### Open questions

A few questions that could be answered using the data at hand:

- [ ] Is it possible to *reliably* group vulnerabilities by their alias relationship?
    * Do sources report the same data across aliases, or do they have conflicting information?
    * If the information is conflicting, which sources are *correct*?
    * Are alias relationships truly transitive, or not reliable at all?
- [ ] Given one or more ratings for a vulnerability across multiple sources, how do we pick the *best*?
    * If there is no way to determine the best, how can we *deterministically* pick one?
    * Consider the current NVD scenario, where the NVD is the authoritative source for CVEs,
      but is severely lagging behind in rating them.
- [ ] Is there data in any of the sources that we will need, but the data model doesn't accommodate?
- [ ] Are there sources that are faster to add new vulnerabilities than others?
- [ ] Are there sources that provide more complete information than others?
- [ ] Are there sources that generally provide bad data and should *not* be included?

### Example: Aliases

To find the aliases of all CVEs, and which source reported them:

```sql
with cve_aliases as(
  select vuln_id
       , alias_id
       , source_name
  from vuln_alias
  where vuln_id like 'CVE-%'
  union
  select alias_id as vuln_id
       , vuln_id as alias_id
       , source_name
  from vuln_alias
  where alias_id like 'CVE-%'
)
select vuln_id
     , json_group_array(json_object(source_name, alias_id)) as aliases
from cve_aliases
group by vuln_id
order by vuln_id desc
limit 10
```

The `union` of both directions matters: sources do not agree on which side of an alias relationship is the "vulnerability" and which is the "alias", so a one-directional query would miss relationships reported the other way round.

Example output:

| vuln_id        | aliases                                                                                           |
|:---------------|:--------------------------------------------------------------------------------------------------|
| CVE-2025-24898 | `[{"github":"GHSA-rpmj-rpgj-qmpm"}]`                                                              |
| CVE-2025-24884 | `[{"github":"GHSA-hcr5-wv4p-h2g2"},{"osv":"GHSA-hcr5-wv4p-h2g2"}]`                                |
| CVE-2025-24883 | `[{"github":"GHSA-q26p-9cq4-7fc2"},{"osv":"GHSA-q26p-9cq4-7fc2"}]`                                |
| CVE-2025-24882 | `[{"github":"GHSA-qv35-3gw6-8q4j"},{"osv":"GHSA-qv35-3gw6-8q4j"},{"osv":"GO-2024-3038"}]`         |
| CVE-2025-24856 | `[{"github":"GHSA-hj78-p4h7-m5fv"}]`                                                              |
| CVE-2025-24814 | `[{"osv":"BIT-solr-2025-24814"},{"github":"GHSA-68r2-fwcg-qpm8"},{"osv":"GHSA-68r2-fwcg-qpm8"}]`  |
| CVE-2025-24802 | `[{"github":"GHSA-hj49-h7fq-px5h"}]`                                                              |
| CVE-2025-24800 | `[{"github":"GHSA-wwx5-gpgr-vxr7"}]`                                                              |
| CVE-2025-24795 | `[{"github":"GHSA-r2x6-cjg7-8r43"}]`                                                              |
| CVE-2025-24794 | `[{"github":"GHSA-m4f6-vcj4-w5mx"}]`                                                              |
This data could be used to calculate confidences for alias relationships: the more sources
that report a relationship, the higher its confidence.
### Example: Withdrawal across aliases

Vulnerabilities can be withdrawn or rejected. Taking aliases into consideration,
is withdrawal consistently declared in all sources?

```sql
with
rejected_vulns as(
  select vuln_id
       , source_name
       , source_rejected_at
    from vuln_data
   where source_rejected_at is not null
),
rejected_vuln_aliases as(
  select vuln_id
       , alias_id
    from vuln_alias
   where vuln_id in (select vuln_id from rejected_vulns)
),
rejected_aliases as(
  select vuln_data.vuln_id as vuln_id
       , rejected_vuln_aliases.vuln_id as aliased_vuln_id
       , source_name
       , source_rejected_at
    from vuln_data
   inner join rejected_vuln_aliases
      on rejected_vuln_aliases.alias_id = vuln_data.vuln_id
)
select vuln_id
     , null as alias_id
     , source_name
     , source_rejected_at
  from rejected_vulns
 where vuln_id in (select aliased_vuln_id from rejected_aliases)
 union all
select aliased_vuln_id as vuln_id
     , vuln_id as alias_id
     , source_name
     , source_rejected_at
  from rejected_aliases
 order by vuln_id, alias_id nulls first
```

Note that this query relies on a `source_rejected_at` column in `vuln_data` that the ER diagram above does not list;
`schema.sql` is the authoritative reference for the current columns.

Example output:

| vuln_id        | alias_id            | source_name | source_rejected_at |
|:---------------|:--------------------|:------------|:-------------------|
| CVE-2018-1103  | null                | osv         | 1715751224000      |
| CVE-2018-1103  | GHSA-w55j-f7vx-6q37 | github      | null               |
| CVE-2018-1103  | GHSA-w55j-f7vx-6q37 | osv         | null               |
| CVE-2018-1103  | GO-2020-0026        | osv         | null               |
| CVE-2018-11087 | null                | osv         | 1715751224000      |
| CVE-2018-11087 | GHSA-w4g2-9hj6-5472 | github      | null               |
| CVE-2018-11087 | GHSA-w4g2-9hj6-5472 | osv         | null               |

In the above output `CVE-2018-1103` and `CVE-2018-11087` are both declared as withdrawn
by OSV, but none of their respective aliases are, even though they originate from the same source (OSV).
A consumer that only looks at the record it happens to match (for example the GHSA) would therefore
miss the withdrawal entirely; rejection state has to be resolved across the whole alias group.
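The two examples above (alias confidence and withdrawal consistency) can be reproduced on a small constructed data set. The following is an added example written for this page, not code from the project: it uses placeholder identifiers shaped like the README's output, a reduced `vuln_alias`/`vuln_data` schema that includes the `source_rejected_at` column the withdrawal query relies on, and adds a union-find grouping to show what alias groups look like when transitivity is assumed (one of the open questions).

```python
# Added example for this page, not the project's code. Tables are reduced to the
# columns used here; all identifiers are placeholders shaped like the README's output.
import sqlite3

SCHEMA = """
create table source (name text primary key);
create table vuln_alias (source_name text, vuln_id text, alias_id text,
    created_at timestamp, deleted_at timestamp,
    primary key (source_name, vuln_id, alias_id));
create table vuln_data (source_name text, vuln_id text, source_rejected_at timestamp,
    primary key (source_name, vuln_id));
"""

SOURCES = ["github", "nvd", "osv"]
# (source, vuln_id, alias_id); OSV reports the GHSA relation in the opposite direction.
ALIASES = [
    ("github", "CVE-0000-0001", "GHSA-0000-0000-0001"),
    ("osv", "GHSA-0000-0000-0001", "CVE-0000-0001"),
    ("osv", "GO-0000-0001", "CVE-0000-0001"),
    ("github", "CVE-0000-0002", "GHSA-0000-0000-0002"),
]
# (source, vuln_id, source_rejected_at); only OSV's CVE record carries a rejection.
DATA = [
    ("osv", "CVE-0000-0001", 1715751224000),
    ("github", "GHSA-0000-0000-0001", None),
    ("osv", "GHSA-0000-0000-0001", None),
    ("osv", "GO-0000-0001", None),
    ("github", "CVE-0000-0002", None),
    ("github", "GHSA-0000-0000-0002", None),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("insert into source (name) values (?)", [(s,) for s in SOURCES])
    conn.executemany("insert into vuln_alias (source_name, vuln_id, alias_id) values (?, ?, ?)", ALIASES)
    conn.executemany("insert into vuln_data (source_name, vuln_id, source_rejected_at) values (?, ?, ?)", DATA)
    return conn


def alias_confidence(conn):
    """(cve, alias, sources, confidence): distinct sources reporting the pair in either
    direction, divided by the number of known sources."""
    total = conn.execute("select count(*) from source").fetchone()[0]
    rows = conn.execute("""
        with pairs as (
          select vuln_id, alias_id, source_name from vuln_alias where vuln_id like 'CVE-%'
          union
          select alias_id, vuln_id, source_name from vuln_alias where alias_id like 'CVE-%'
        )
        select vuln_id, alias_id, count(distinct source_name)
          from pairs group by vuln_id, alias_id order by vuln_id, alias_id
    """).fetchall()
    return [(v, a, n, round(n / total, 2)) for v, a, n in rows]


def inconsistent_withdrawals(conn):
    """(rejected vuln, alias, source): alias records a source still carries without a
    rejection, although the vulnerability itself is rejected by some source."""
    return conn.execute("""
        with aliases as (
          select vuln_id, alias_id from vuln_alias
          union
          select alias_id, vuln_id from vuln_alias
        ),
        rejected as (select distinct vuln_id from vuln_data where source_rejected_at is not null)
        select r.vuln_id, a.alias_id, d.source_name
          from rejected r
          join aliases a on a.vuln_id = r.vuln_id
          join vuln_data d on d.vuln_id = a.alias_id
         where d.source_rejected_at is null
         order by 1, 2, 3
    """).fetchall()


def alias_groups(conn):
    """Transitive closure of alias edges (union-find), ignoring source and direction:
    the groups a consumer gets if it trusts aliases to be transitive."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        if parent[x] != x:
            parent[x] = find(parent[x])
        return parent[x]

    for v, a in conn.execute("select vuln_id, alias_id from vuln_alias"):
        parent[find(v)] = find(a)
    groups = {}
    for x in list(parent):
        groups.setdefault(find(x), []).append(x)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    conn = build_db()
    for row in alias_confidence(conn) + inconsistent_withdrawals(conn):
        print(row)
    print(alias_groups(conn))
```

Two things the output makes visible: the GHSA relationship gets a higher confidence than the GO one because two sources report it, and every member of the rejected CVE's alias group still lacks a rejection, reproducing the inconsistency shown in the table above. The union-find grouping ignores `deleted_at`; a real consumer should exclude soft-deleted alias rows before trusting the closure.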