This database contains information regarding CVE(s) that affect various language modules. We currently store version information corresponding to respective modules as understood by select sources.
Language | Module Type | Metadata |
---|---|---|
Python | PyPi Package | `name`, `version` |
Java | Maven Artifact | `groupId`, `artifactId`, `version` |
This project is inspired by the great work done by the people at RubySec.
If you already have a CVE assigned to your project and would like us to create an entry for it with the correct coordinates, you can send us a pull request or create an issue here with CVE details and affected components. For more details refer to the Contributing section of this document.
If you are a project owner/maintainer wanting to request a CVE, a good resource regarding this is available here.
We are always looking for contributors. If you would like to submit a new entry or make an update to an existing entry, feel free to send a pull request or create an issue here on GitHub.
Please do refer to the Database Internals section when making contributions.
You can validate your commits on your branch or local repository by running:

```bash
# Validates all changed *.yaml files in the database compared to upstream/master
bash validation/git-change-validate.sh
```

If you just want to validate a YAML file, you can run the provided Python script:

```bash
# This requires PyYAML; all requirements are listed in validation/requirements.txt
# pip install -r validation/requirements.txt
# The validation script
python validation/validate_yaml.py <language> file1 [file2 ... fileN]
```
Each CVE entry in the database is stored as a YAML file. The following structure is employed to store entries:

`victims-cve-db/database/<language>/<year>/<cve-id>.yaml`

As an example, the entry for CVE-2012-1150 would be:

`victims-cve-db/database/python/2012/1150.yaml`

The document requires all required fields in the Common Content Schema.
Field | Requirement | Type | Description |
---|---|---|---|
cve | required | string: `YYYY-[0-9]*` | The CVE ID identifying the security flaw. |
title | required | string | The flaw's title or short summary. |
description | optional | text | Long description of the flaw. |
cvss_v2 | optional | float | The CVSS v2 score for the flaw. |
references | optional | list: url | Reference URL(s) for the flaw. |
affected | required | list: language-module | Affected language modules. |
The version strings across all languages are expected to match the regex:

`^(?P<condition>[><=]=)(?P<version>[^, ]+)(?:,(?P<series>[^, ]+)){0,1}$`

Examples: `<=2.6.1,2.6`, `==2.7.0`, `>=1.0.1_Beta`

This enforces the format `<condition><version>[,<series>]`. Commas (`,`) and spaces (` `) are considered illegal in `<version>` and `<series>` strings.

The `<series>` string is optional and only used to set boundaries for version ranges. For example, in `<=2.6.1,2.6`, the series is `2.6` and indicates that only versions in the `2.6.x` series with `x<=1` are captured.
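The following is an added example, not part of the database's own validation tooling: it parses version strings with the regex quoted above, applies the series boundary rule, and evaluates one `affected` entry against a candidate version. The dotted-version ordering (and treating a suffix such as `_Beta` as sorting after the bare number) is an assumption of the example, as is the constructed sample entry.

```python
import re

# Regex quoted above for version strings: <condition><version>[,<series>]
VERSION_RE = re.compile(
    r"^(?P<condition>[><=]=)(?P<version>[^, ]+)(?:,(?P<series>[^, ]+)){0,1}$"
)

def version_key(v):
    """Comparable key for a dotted version: each component becomes (number, suffix),
    so 1.0.9 sorts before 1.0.10. Sorting a suffix like '_Beta' after the bare
    number is an assumption of this example, not a rule of the database."""
    key = []
    for part in v.split("."):
        num, suffix = re.match(r"(\d*)(.*)$", part).groups()
        key.append((int(num) if num else -1, suffix))
    return key

def parse_version_string(s):
    """Split a version string into (condition, version, series); reject bad input."""
    m = VERSION_RE.match(s)
    if m is None:
        raise ValueError("invalid version string: %r" % s)
    return m.group("condition"), m.group("version"), m.group("series")

def in_series(version, series):
    """2.6.1 is in series 2.6; 2.60.1 and 2.7.0 are not."""
    return version == series or version.startswith(series + ".")

def matches(version_string, candidate):
    """True if candidate satisfies one version string such as '<=2.6.1,2.6'."""
    cond, bound, series = parse_version_string(version_string)
    if series is not None and not in_series(candidate, series):
        return False
    c, b = version_key(candidate), version_key(bound)
    return {"==": c == b, "<=": c <= b, ">=": c >= b}[cond]

def is_vulnerable(module, candidate):
    """Apply one 'affected' entry (dict with version/fixedin/unaffected lists):
    vulnerable when a 'version' string matches and no fixedin/unaffected one does."""
    hit = any(matches(v, candidate) for v in module.get("version", []))
    safe = any(matches(v, candidate)
               for k in ("fixedin", "unaffected") for v in module.get(k, []))
    return hit and not safe

# Constructed sample entry in the schema above (not a real CVE record).
SAMPLE = {"name": "example-pkg",
          "version": ["<=2.6.1,2.6", "<=2.7.0,2.7"],
          "fixedin": [">=2.6.2,2.6", ">=2.7.1,2.7"]}

if __name__ == "__main__":
    for v in ("2.6.0", "2.6.2", "2.7.0", "2.7.1", "3.0.0"):
        print(v, "vulnerable" if is_vulnerable(SAMPLE, v) else "not vulnerable")
```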
Fields of a Python (PyPi package) entry in `affected`:

Field | Requirement | Type | Description |
---|---|---|---|
name | required | string | Affected package name. Use the PyPi name where possible. |
version | required | list: version-string | Versions that are vulnerable to this CVE. |
fixedin | optional | list: version-string | Versions that contain a fix for this CVE. |
unaffected | optional | list: version-string | Versions that are not vulnerable to this CVE; this excludes the versions that are in `fixedin`. |
Fields of a Java (Maven artifact) entry in `affected`:

Field | Requirement | Type | Description |
---|---|---|---|
groupId | required | string | Maven groupId of the affected artifact. |
artifactId | required | string | Maven artifactId of the affected artifact. |
version | required | list: version-string | Versions that are vulnerable to this CVE. |
fixedin | optional | list: version-string | Versions that contain a fix for this CVE. |
unaffected | optional | list: version-string | Versions that are not vulnerable to this CVE; this excludes the versions that are in `fixedin`. |