adedov/victims-cve-db

CVE database store

Victims CVE Database

This database contains information regarding CVE(s) that affect various language modules. We currently store version information corresponding to respective modules as understood by select sources.

Language	Module Type	Metadata
Python	PyPi Package	name, version
Java	Maven Artifact	groupId, artifactId, version

This project is inpired by the great work done by the people at RubySec.

Notes on CVE(s)

If you already have a CVE assigned to your project and would like us to create an entry for it with the correct coordinates, you can send us a pull request or create an issue here with CVE details and affected components. For more details refer to the Contributing section of this document.

If you are a project owner/maintainer wanting to request for a CVE, a good resource regarding this is available here.

Contributing

We are always looking for contributors. If you would like to submit a new entry or make an update to an existing entry, feel free to send a pull request or create an issue here on GitHub.

Please do refer to the Database Internals section when making contributions.

Validating changes/submissions

You can validate your commits on your branch or local repository by:

# Validates all changes *.yaml files in database compared to upstream/master
bash validation/git-change-validate.sh

If you just want to validate a YAML file, you can run the provided python script:

# This requires PyYAML, all requirements are listed in validation/requirements.txt
# pip install -r validation/requirements.txt

# The validation script
python validation/validate_yaml.py <language> file1 [file2 ... fileN]

Database Internals

Each CVE entry in the database is stored as a YAML file.

Database File Storage Structure

The following structure is employed to store entries:

victims-cve-db/database/<language>/<year>/<cve-id>.yaml

As an example, the entry for CVE-2012-1150 would be:

victims-cve-db/database/python/2012/1150.yaml

The YAML Document

The document requires all required fields in the Common Content Schema.

Common Content Schema

Field	Requirement	Type	Description
cve	required	string:YYYY-[0-9]*	The CVE ID identifying the security flaw.
title	required	string	The flaw's title or short summary.
description	optional	text	Long description of the flaw.
cvss_v2	optional	float	The CVSS v2 score for the flaw.
references	optional	list:url	Reference url(s) for the flaw.
affected	required	list:language-module	Affected language modules.

version-string: common

The version strings across all languages are expecte to match the regex:

^(?P<condition>[><=]=)(?P<version>[^, ]+)(?:,(?P<series>[^, ]+)){0,1}$

Examples: <=2.6.1,2.6, ==2.7.0, >=1.0.1_Beta

Which enforces the format <condition><version>[,<series>]. Commas (,) and spaces ( ) are considered illegal in <version> and <series> strings.

The <series> string is optional and only used to set boundaries for version ranges. For example, in <=2.6.1,2.6, the series is 2.6 and indicates that only versions in the 2.6.x series with x<=1 is captured.

language-module: python

Field	Requirement	Type	Description
name	required	string	Affected package name. Use PyPi name where possible.
version	required	list:version-string	Versions that are vulnerable to this CVE.
fixedin	optional	list:version-string	Versions that contain a fix for this CVE.
unaffected	optional	list:version-string	Versions that are not vulnerable to this CVE, this excludes the versions that are in fixedin.

language-module: java

Field	Requirement	Type	Description
groupId	required	string	Maven groupId of the affected artifact.
artifactId	required	string	Maven artifactId of the affected artifact.
version	required	list:version-string	Versions that are vulnerable to this CVE.
fixedin	optional	list:version-string	Versions that contain a fix for this CVE.
unaffected	optional	list:version-string	Versions that are not vulnerable to this CVE, this excludes the versions that are in fixedin.