Skip to content

Data Sources

Coverage By Package Manager

  • golang - gemnasium, trivy, grype, oss-index (have only seen results from trivy / oss-index)
  • npm - gemnasium, trivy, grype, oss-index (confirmed results from all 4)
  • maven - gemnasium, trivy, grype, oss-index (confirmed results from all 4)
  • pypi - gemnasium, trivy, grype, oss-index (confirmed results from all 4)
  • nuget - gemnasium, trivy, oss-index, grype ( no testing)
  • gem - gemnasium, trivy, grype, oss-index (tested but got no results using a small bom)
  • rpm - grype,trivy, oss-index (oss-index coverage seems quite poor)(see operating system distros for important information)
  • deb - grype, trivy (see operating system distros for important information)

Gemnasium

As a note the official gemnasium database has terms of service that say it can't be used in 3rd party tools without explicit permission.
The community datasource is essentially the same it is just 30 days delayed.

Tracking external sources One of the main challenges of maintaining a vulnerability database is to learn about security advisories recently published. To that goal, the GitLab team checks external sources on a regular basis. If an external source lists an advisory that is not already in gemnasium-db, they research and check the advisory, add metadata to it, and publish it to this repo following the contribution guidelines.

Tracking process and schedule Below is the list of data-sources we check for updates on a daily basis:

NVD JSON feeds

GitHub security advisory database by means of the Trivy Advisory Database

Ruby Advisory DB

Below is a list of data-sources from which we sourced data in the past. Those data-sources are checked occasionally:

FriendsOfPHP security advisories Victims CVE DB oss-security mailing list

While the advisory tracking for NVD and ruby-advisory-db is semi-automated, we check the oss-security mailing list manually. For the manual source tracking, we use the following strategy:

Look for vulnerability announcement that do not have a CVE with an announcement day not older than 4 weeks Generate an identifier (as explained in our contribution guidelines) Create an MR (according to our contribution guidelines)

It's preferred to create merge requests right away but the team member in charge of checking the source may not be immediately available to do that, and creating issues is a way to delay the task or to pass it on to another team member.

Grype

  • Alpine Linux SecDB: https://secdb.alpinelinux.org/
  • Amazon Linux ALAS: https://alas.aws.amazon.com/AL2/alas.rss
  • RedHat RHSAs: https://www.redhat.com/security/data/oval/
  • Debian Linux CVE Tracker: https://security-tracker.debian.org/tracker/data/json
  • Github GHSAs: https://github.com/advisories
  • National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/data-feeds
  • Oracle Linux OVAL: https://linux.oracle.com/security/oval/
  • RedHat Linux Security Data: https://access.redhat.com/hydra/rest/securitydata/
  • Suse Linux OVAL: https://ftp.suse.com/pub/projects/security/oval/
  • Ubuntu Linux Security: https://people.canonical.com/~ubuntu-security/

Trivy

OS

Note the OS datasources do not seem to work with SBOM integration we should open an issue with trivy to address

OS Source
Arch Linux Vulnerable Issues
Alpine Linux secdb
Amazon Linux Amazon Linux Security Center
Debian Security Bug Tracker
OVAL
Ubuntu Ubuntu CVE Tracker
RHEL/CentOS OVAL
Security Data
AlmaLinux AlmaLinux Product Errata
Rocky Linux Rocky Linux UpdateInfo
Oracle Linux OVAL
CBL-Mariner OVAL
OpenSUSE/SLES CVRF
Photon OS Photon Security Advisory

Programming Language

Language Source Commercial Use Delay[^1]
PHP PHP Security Advisories Database -
GitHub Advisory Database (Composer) -
Python GitHub Advisory Database (pip) -
Open Source Vulnerabilities (PyPI) -
Ruby Ruby Advisory Database -
GitHub Advisory Database (RubyGems) -
Node.js Ecosystem Security Working Group -
GitHub Advisory Database (npm) -
Java GitLab Advisories Community 1 month
GitHub Advisory Database (Maven) -
Go GitLab Advisories Community 1 month
The Go Vulnerability Database -
Rust Open Source Vulnerabilities (crates.io) -
.NET GitHub Advisory Database (NuGet) -

[^1]: Intentional delay between vulnerability disclosure and registration in the DB

Others

Name Source
National Vulnerability Database NVD

Data source selection

Trivy only consumes security advisories from the sources listed in the following tables.

As for packages installed from OS package managers (dpkg, yum, apk, etc.), Trivy uses the advisory database from the appropriate OS vendor.

For example: for a python package installed from yum (Amazon linux), Trivy will only get advisories from [ALAS][amazon2]. But for a python package installed from another source (e.g. pip), Trivy will get advisories from the GitLab and GitHub databases.

This advisory selection is essential to avoid getting false positives because OS vendors usually backport upstream fixes, and the fixed version can be different from the upstream fixed version. The severity is from the selected data source. If the data source does not provide severity, it falls back to NVD, and if NVD does not have severity, it will be UNKNOWN.