/victims-cve-db

CVE database store

Primary LanguagePythonGNU Affero General Public License v3.0AGPL-3.0

Victims CVE Database Database Validation Status

This database contains information regarding CVE(s) that affect various language modules. We currently store version information corresponding to respective modules as understood by select sources.

Language Module Type Metadata
Python PyPi Package name, version
Java Maven Artifact groupId, artifactId, version

This project is inpired by the great work done by the people at RubySec.

Notes on CVE(s)

If you already have a CVE assigned to your project and would like us to create an entry for it with the correct coordinates, you can send us a pull request or create an issue here with CVE details and affected components. For more details refer to the Contributing section of this document.

If you are a project owner/maintainer wanting to request for a CVE, a good resource regarding this is available here.

Contributing

We are always looking for contributors. If you would like to submit a new entry or make an update to an existing entry, feel free to send a pull request or create an issue here on GitHub.

Please do refer to the Database Internals section when making contributions.

Validating changes/submissions

You can validate your commits on your branch or local repository by:

# Validates all changes *.yaml files in database compared to upstream/master
bash validation/git-change-validate.sh

If you just want to validate a YAML file, you can run the provided python script:

# This requires PyYAML, all requirements are listed in validation/requirements.txt
# pip install -r validation/requirements.txt

# The validation script
python validation/validate_yaml.py <language> file1 [file2 ... fileN]

Database Internals

Each CVE entry in the database is stored as a YAML file.

Database File Storage Structure

The following structure is employed to store entries:

victims-cve-db/database/<language>/<year>/<cve-id>.yaml

As an example, the entry for CVE-2012-1150 would be:

victims-cve-db/database/python/2012/1150.yaml

The YAML Document

The document requires all required fields in the Common Content Schema.

Common Content Schema

Field Requirement Type Description
cve required string:YYYY-[0-9]* The CVE ID identifying the security flaw.
title required string The flaw's title or short summary.
description optional text Long description of the flaw.
cvss_v2 optional float The CVSS v2 score for the flaw.
references optional list:url Reference url(s) for the flaw.
affected required list:language-module Affected language modules.

version-string: common

The version strings across all languages are expecte to match the regex:

^(?P<condition>[><=]=)(?P<version>[^, ]+)(?:,(?P<series>[^, ]+)){0,1}$

Examples: <=2.6.1,2.6, ==2.7.0, >=1.0.1_Beta

Which enforces the format <condition><version>[,<series>]. Commas (,) and spaces ( ) are considered illegal in <version> and <series> strings.

The <series> string is optional and only used to set boundaries for version ranges. For example, in <=2.6.1,2.6, the series is 2.6 and indicates that only versions in the 2.6.x series with x<=1 is captured.

language-module: python

Field Requirement Type Description
name required string Affected package name. Use PyPi name where possible.
version required list:version-string Versions that are vulnerable to this CVE.
fixedin optional list:version-string Versions that contain a fix for this CVE.
unaffected optional list:version-string Versions that are not vulnerable to this CVE, this excludes the versions that are in fixedin.

language-module: java

Field Requirement Type Description
groupId required string Maven groupId of the affected artifact.
artifactId required string Maven artifactId of the affected artifact.
version required list:version-string Versions that are vulnerable to this CVE.
fixedin optional list:version-string Versions that contain a fix for this CVE.
unaffected optional list:version-string Versions that are not vulnerable to this CVE, this excludes the versions that are in fixedin.