This database contains information regarding CVE(s) that affect various language modules. We currently store version information corresponding to respective modules as understood by select sources.
| Language | Module Type | Metadata |
|---|---|---|
| Python | PyPi Package | name, version |
| Java | Maven Artifact | groupId, artifactId, version |
This project is inspired by the great work done by the people at RubySec.
If you already have a CVE assigned to your project and would like us to create an entry for it with the correct coordinates, you can send us a pull request or create an issue here with CVE details and affected components. For more details refer to the Contributing section of this document.
If you are a project owner/maintainer wanting to request for a CVE, a good resource regarding this is available here.
We are always looking for contributors. If you would like to submit a new entry or make an update to an existing entry, feel free to send a pull request or create an issue here on GitHub.
Please do refer to the Database Internals section when making contributions.
You can validate your commits on your branch or local repository by:
# Validates all changes *.yaml files in database compared to upstream/master
bash validation/git-change-validate.shIf you just want to validate a YAML file, you can run the provided python script:
# This requires PyYAML, all requirements are listed in validation/requirements.txt
# pip install -r validation/requirements.txt
# The validation script
python validation/validate_yaml.py <language> file1 [file2 ... fileN]Each CVE entry in the database is stored as a YAML file.
The following structure is employed to store entries:
victims-cve-db/database/<language>/<year>/<cve-id>.yaml
As an example, the entry for CVE-2012-1150 would be:
victims-cve-db/database/python/2012/1150.yaml
The document requires all required fields in the Common Content Schema.
| Field | Requirement | Type | Description |
|---|---|---|---|
cve |
required |
string:YYYY-[0-9]* |
The CVE ID identifying the security flaw. |
title |
required |
string |
The flaw's title or short summary. |
description |
optional |
text |
Long description of the flaw. |
cvss_v2 |
optional |
float |
The CVSS v2 score for the flaw. |
references |
optional |
list:url |
Reference url(s) for the flaw. |
affected |
required |
list:language-module |
Affected language modules. |
hash |
added later | string |
Hash of the overall package. |
file_hashes |
added later | list: dict of hash and name |
Hashes for specific files in the package |
package_urls |
required | list |
List of urls pointing to known vulnerable packages. Used for hashing. |
The package_url field currently supports a templated http string. There will be future supported added for real package-urls. In the meantime the template string supports a few fields which are generated from the victims-cve-db entry itself:
| Name | Description |
|---|---|
| name | The name of the artifact |
| version | The version number of the artifact |
Example package_url templates include:
http://repo.maven.apache.org/maven2/HTTPClient/HTTPClient/{version}/HTTPClient-{version}.jar
http://repo.spring.io/release/org/aspectj/{name}/{version}/{name}-{version}.jar
This will be expanded when doing package hashing for each affected version in the victims-cve-db entry. As an example if
http://example.org/{name}-{version}.jar had a name of test a single affected of <=2.18.2,2.18 the hashing
would expand to pull down
- http://example.org/test-2.18.2.jar
- http://example.org/test-2.18.1.jar
- http://example.org/test-2.18.0.jar
You can generate package-urls using a legacy victims-cve-db formatted yaml. The legacy format did not contain package-urls, and only contained version-string. Use the victims-db-builder project to generate package-urls.
Note: Java archives will have their name pulled from artifactId.
The version strings across all languages are expecte to match the regex:
^(?P<condition>[><=]=)(?P<version>[^, ]+)(?:,(?P<series>[^, ]+)){0,1}$Examples: <=2.6.1,2.6, ==2.7.0, >=1.0.1_Beta
Which enforces the format <condition><version>[,<series>]. Commas (,) and spaces ( ) are considered illegal in <version> and <series> strings.
The <series> string is optional and only used to set boundaries for version ranges. For example, in <=2.6.1,2.6, the series is 2.6 and indicates that only versions in the 2.6.x series with x<=1 is captured.
| Field | Requirement | Type | Description |
|---|---|---|---|
name |
required |
string |
Affected package name. Use PyPi name where possible. |
version |
required |
list:version-string |
Versions that are vulnerable to this CVE. |
fixedin |
optional |
list:version-string |
Versions that contain a fix for this CVE. |
unaffected |
optional |
list:version-string |
Versions that are not vulnerable to this CVE, this excludes the versions that are in fixedin. |
| Field | Requirement | Type | Description |
|---|---|---|---|
groupId |
required |
string |
Maven groupId of the affected artifact. |
artifactId |
required |
string |
Maven artifactId of the affected artifact. |
version |
required |
list:version-string |
Versions that are vulnerable to this CVE. |
fixedin |
optional |
list:version-string |
Versions that contain a fix for this CVE. |
unaffected |
optional |
list:version-string |
Versions that are not vulnerable to this CVE, this excludes the versions that are in fixedin. |