diff --git a/PIPELINES-AVID.rst b/PIPELINES-AVID.rst index c65e92832..7c1ec7948 100644 --- a/PIPELINES-AVID.rst +++ b/PIPELINES-AVID.rst @@ -1,76 +1,143 @@ -.. list-table:: Pipeline Advisory UID Mapping +.. _pipeline_avid_mapping: + +Pipelines AVID Mapping +========================= + +- An ``advisory`` represents data obtained from an upstream source and + transformed into structured data that describes a known vulnerability. + + Each advisory has an upstream Advisory ID (for example, + ``CVE-2026-23918`` or ``GHSA-6xcx-gx7r-rccj``) that uniquely identifies it + within its datasource. + +- An ``AVID`` is the unique identifier for the datasource used for this + advisory (datasource_id example: ``nvd`` or ``github_osv``). + + A pipeline AVID is constructed by combining the pipeline identifier with the + upstream Advisory ID ``datasource_id/advisory_id``. For example: + +.. code-block:: text + + github_osv/GHSA-6xcx-gx7r-rccj + nvd/CVE-2026-23918 + +The following table describes how each pipeline constructs its AVID. + +.. list-table:: Pipeline AVID Mapping :header-rows: 1 - :widths: 35 65 + :widths: 30 30 40 * - pipeline name - - Advisory UID - - datasource name - * - alpine_linux_importer_v2 - - {package_name}/{distroversion}/{version}/{vulnerability_id} - - alpine_linux - * - aosp_dataset_fix_commits - - CVE ID of the record - * - apache_httpd_importer_v2 - - CVE ID of the record - * - apache_kafka_importer_v2 - - CVE ID of the record - * - apache_tomcat_importer_v2 - - {page_id}/{cve_id} + - datasource_id + - advisory_id * - archlinux_importer_v2 + - archlinux - AVG ID of the record - * - curl_importer_v2 - - CURL-CVE ID of the record - * - debian_importer_v2 - - {package_name}/{debian_record_id} + * - apache_kafka_importer_v2 + - apache_kafka + - CVE ID of the record + * - nvd_importer_v2 + - nvd + - CVE ID of the record * - elixir_security_importer_v2 + - elixir_security - {package_name}/{file_id} - * - epss_importer_v2 + * - npm_importer_v2 + - npm + - NPM- + * - vulnrichment_importer_v2 + - vulnrichment - CVE ID of the record - * - fireeye_importer_v2 - - {file_id} - * - gentoo_importer_v2 - - GLSA ID of the record - * - github_osv_importer_v2 - - ID of the OSV record + * - apache_httpd_importer_v2 + - apache_httpd + - CVE ID of the record + * - pypa_importer_v2 + - pypa + - {package_name}/{ID of the OSV record} * - gitlab_importer_v2 + - gitlab - Identifier of the GitLab community advisory record + * - pysec_importer_v2 + - pysec + - ID of the OSV record + * - xen_importer_v2 + - xen + - XSA- + * - curl_importer_v2 + - curl + - CURL-CVE ID of the record + * - oss_fuzz_v2 + - oss_fuzz + - ID of the OSV record * - istio_importer_v2 + - istio - ISTIO-SECURITY- - * - mattermost_importer_v2 - - MMSA- - * - mozilla_importer_v2 - - MFSA- - * - nginx_importer_v2 - - First alias of the record - * - nodejs_security_wg - - NPM- - * - nvd_importer_v2 - - CVE ID of the record - * - openssl_importer_v2 - - CVE ID of the record - * - oss_fuzz_importer_v2 - - ID of the OSV record * - postgresql_importer_v2 + - postgresql - CVE ID of the record - * - project-kb-msr-2019_v2 - - Vulnerability ID of the record - * - project-kb-statements_v2 - - Vulnerability ID of the record - * - pypa_importer_v2 - - {package_name}/{ID of the OSV record} - * - pysec_importer_v2 + * - mozilla_importer_v2 + - mozilla + - MFSA- + * - github_osv_importer_v2 + - github_osv - ID of the OSV record * - redhat_importer_v2 + - redhat - RHSA ID of the record - * - retiredotnet_importer_v2 - - retiredotnet-{file_id} + * - aosp_importer_v2 + - aosp_dataset + - CVE ID of the record + * - project_kb_statements_importer_v2 + - project-kb-statements_v2 + - CVE ID of the record + * - project_kb_msr2019_importer_v2 + - project_kb_msr2019 + - CVE ID of the record * - ruby_importer_v2 + - ruby_advisory_db - {file_id} - * - suse_importer_v2 + * - epss_importer_v2 + - epss + - CVE ID of the record + * - gentoo_importer_v2 + - gentoo + - GLSA ID of the record + * - nginx_importer_v2 + - nginx + - First alias of the record + * - debian_importer_v2 + - debian + - {package_name}/{debian_record_id} + * - mattermost_importer_v2 + - mattermost + - MMSA- + * - glibc_importer_v2 + - glibc + - GLIBC-SA- + * - apache_tomcat_importer_v2 + - apache_tomcat + - {page_id}/{cve_id} + * - suse_score_importer_v2 + - suse_score - CVE ID of the record + * - retiredotnet_importer_v2 + - retiredotnet + - retiredotnet-{file_id} * - ubuntu_osv_importer_v2 + - ubuntu_osv - ID of the OSV record - * - vulnrichment_importer_v2 + * - alpine_linux_importer_v2 + - alpine + - {package_name}/{distroversion}/{version}/{vulnerability_id} + * - linux_kernel_importer_v2 + - linux_kernel - CVE ID of the record - * - xen_importer_v2 - - XSA- \ No newline at end of file + * - openssl_importer_v2 + - openssl + - CVE ID of the record + * - fireeye_importer_v2 + - fireeye + - {file_id} + * - collect_{repo_name}_fix_commits + - {repo_name}_fix_commits + - CVE ID / GHSA ID of the record diff --git a/SOURCES.rst b/SOURCES.rst index bc0963a10..4f5b04d0d 100644 --- a/SOURCES.rst +++ b/SOURCES.rst @@ -1,53 +1,113 @@ -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|Importer Name | Data Source |Ecosystems Covered | -+================+======================================================================================================+====================================================+ -|rust | https://github.com/RustSec/advisory-db |rust crates | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|alpine | https://secdb.alpinelinux.org/ |alpine packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|archlinux | https://security.archlinux.org/json |arch packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|debian | https://security-tracker.debian.org/tracker/data/json |debian packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|npm | https://github.com/nodejs/security-wg.git |npm packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|ruby | https://github.com/rubysec/ruby-advisory-db.git |ruby gems | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|ubuntu | |ubuntu packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|retiredotnet | https://github.com/RetireNet/Packages.git |.NET packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|suse_backports | http://ftp.suse.com/pub/projects/security/yaml/ |SUSE packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|debian_oval | https://www.debian.org/security/oval/ |debian packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|redhat | https://access.redhat.com/hydra/rest/securitydata/cve.json |rpm packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|nvd | https://nvd.nist.gov/vuln/data-feeds#JSON_FEED |none | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|gentoo | https://anongit.gentoo.org/git/data/glsa.git |gentoo packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|openssl | https://www.openssl.org/news/vulnerabilities.xml |openssl | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|ubuntu_usn | https://usn.ubuntu.com/usn-db/database-all.json.bz2 |ubuntu packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|github | https://api.github.com/graphql |maven, .NET, php-composer, pypi packages. ruby gems | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|msr2019 | https://raw.githubusercontent.com/SAP/project-kb/master/MSR2019/dataset/vulas_db_msr2019_release.csv |maven packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|apache_httpd | https://httpd.apache.org/security/json |apache-httpd | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|kaybee | https://github.com/SAP/project-kb.git |maven packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|nginx | http://nginx.org/en/security_advisories.html |nginx | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|postgresql | https://www.postgresql.org/support/security/ |postgresql | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|elixir_security | https://github.com/dependabot/elixir-security-advisories |hex packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|suse_scores | https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml |vulnerability severity scores by SUSE | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|mozilla | https://github.com/mozilla/foundation-security-advisories |mozilla | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|mattermost | https://mattermost.com/security-updates/ |mattermost server, desktop and mobile apps | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| Importer Name | Data Source | Ecosystems Covered | ++=======================+==========================================================================================+============================================+ +| archlinux | https://security.archlinux.org/json | arch packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| apache_kafka | https://kafka.apache.org/community/cve-list | apache-kafka | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| nvd | https://nvd.nist.gov/vuln/data-feeds#JSON_FEED | none | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| elixir_security | https://github.com/dependabot/elixir-security-advisories | hex packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| npm | https://github.com/nodejs/security-wg.git | npm packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| vulnrichment | https://github.com/cisagov/vulnrichment.git | all | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| apache_httpd | https://httpd.apache.org/security/json | apache-httpd | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| pypa | https://github.com/pypa/advisory-database.git | python packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| gitlab | https://gitlab.com/gitlab-org/advisories-community.git | all | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| pysec | https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip | python packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| xen | https://xenbits.xen.org/xsa/xsa.json | xen packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| curl | https://curl.se/docs/vuln.json | curl packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| oss_fuzz | https://github.com/google/oss-fuzz-vulns.git | OSS-Fuzz target packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| istio | https://github.com/istio/istio.io/tree/master/content/en/news/security | istio packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| postgresql | https://www.postgresql.org/support/security/ | postgresql | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| mozilla | https://github.com/mozilla/foundation-security-advisories | mozilla | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| github_osv | https://github.com/github/advisory-database.git | all | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| redhat | https://access.redhat.com/hydra/rest/securitydata/cve.json | rpm packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| aosp_dataset | https://github.com/pypa/advisory-database.git | android packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| project_kb_statements | https://github.com/SAP/project-kb.git | maven, python packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| project_kb_msr2019 | https://github.com/SAP/project-kb/blob/main/MSR2019/dataset/vulas_db_msr2019_release.csv | maven, python packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| ruby | https://github.com/rubysec/ruby-advisory-db.git | ruby gems | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| epss | https://epss.cyentia.com/epss_scores-current.csv.gz | exploit prediction scoring system | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| gentoo | https://anongit.gentoo.org/git/data/glsa.git | gentoo packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| nginx | http://nginx.org/en/security_advisories.html | nginx | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| debian | https://security-tracker.debian.org/tracker/data/json | debian packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| mattermost | https://mattermost.com/security-updates/ | mattermost server, desktop and mobile apps | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| glibc | https://sourceware.org/git/glibc.git | GNU C packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| apache_tomcat | https://tomcat.apache.org/security | apache_tomcat packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| suse_scores | http://ftp.suse.com/pub/projects/security/yaml/ | vulnerability severity scores by SUSE | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| retiredotnet | https://github.com/RetireNet/Packages.git | .NET packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| ubuntu_osv | https://github.com/canonical/ubuntu-security-notices.git | ubuntu packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| alpine_linux | https://github.com/aboutcode-org/aboutcode-mirror-alpine-secdb | alpine packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| linux_kernel | https://github.com/nluedtke/linux_kernel_cves | linux kernel packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| openssl | https://www.openssl.org/news/vulnerabilities.xml | openssl | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| fireeye | https://github.com/mandiant/Vulnerability-Disclosures | none | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| fix_commits | * https://github.com/torvalds/linux | | +| | * https://github.com/mirror/busybox | | +| | * https://github.com/nginx/nginx | | +| | * https://github.com/apache/tomcat | | +| | * https://github.com/mysql/mysql-server | | +| | * https://github.com/postgres/postgres | | +| | * https://github.com/mongodb/mongo | | +| | * https://github.com/redis/redis | | +| | * https://github.com/sqlite/sqlite | | +| | * https://github.com/php/php-src | | +| | * https://github.com/python/cpython | | +| | * https://github.com/ruby/ruby | | +| | * https://github.com/golang/go | | +| | * https://github.com/nodejs/node | | +| | * https://github.com/rust-lang/rust | | +| | * https://github.com/openjdk/jdk | | +| | * https://github.com/swiftlang/swift | | +| | * https://github.com/django/django | | +| | * https://github.com/rails/rails | | +| | * https://github.com/laravel/framework | | +| | * https://github.com/spring-projects/spring-framework | | +| | * https://github.com/facebook/react | | +| | * https://github.com/angular/angular | | +| | * https://github.com/WordPress/WordPress | | +| | * https://github.com/moby/moby | | +| | * https://github.com/kubernetes/kubernetes | | +| | * https://gitlab.com/qemu-project/qemu | | +| | * https://github.com/xen-project/xen | | +| | * https://github.com/mirror/vbox | | +| | * https://github.com/containerd/containerd | | +| | * https://github.com/ansible/ansible | | +| | * https://github.com/hashicorp/terraform | | +| | * https://gitlab.com/wireshark/wireshark | | +| | * https://github.com/the-tcpdump-group/tcpdump | | +| | * https://github.com/git/git | | +| | * https://github.com/jenkinsci/jenkins | | +| | * https://gitlab.com/gitlab-org/gitlab-foss | | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ \ No newline at end of file diff --git a/docs/source/PIPELINES-AVID.rst b/docs/source/PIPELINES-AVID.rst deleted file mode 100644 index 79bc8d79f..000000000 --- a/docs/source/PIPELINES-AVID.rst +++ /dev/null @@ -1,79 +0,0 @@ -.. _pipelines_avid: - -Pipelines AVID Mapping -========================= - -.. list-table:: Pipeline AVID Mapping - :header-rows: 1 - :widths: 35 65 - - * - pipeline name - - AVID - * - alpine_linux_importer_v2 - - {package_name}/{distroversion}/{version}/{vulnerability_id} - * - aosp_dataset_fix_commits - - CVE ID of the record - * - apache_httpd_importer_v2 - - CVE ID of the record - * - apache_kafka_importer_v2 - - CVE ID of the record - * - apache_tomcat_importer_v2 - - {page_id}/{cve_id} - * - archlinux_importer_v2 - - AVG ID of the record - * - curl_importer_v2 - - CURL-CVE ID of the record - * - debian_importer_v2 - - {package_name}/{debian_record_id} - * - elixir_security_importer_v2 - - {package_name}/{file_id} - * - epss_importer_v2 - - CVE ID of the record - * - fireeye_importer_v2 - - {file_id} - * - gentoo_importer_v2 - - GLSA ID of the record - * - github_osv_importer_v2 - - ID of the OSV record - * - gitlab_importer_v2 - - Identifier of the GitLab community advisory record - * - istio_importer_v2 - - ISTIO-SECURITY- - * - mattermost_importer_v2 - - MMSA- - * - mozilla_importer_v2 - - MFSA- - * - nginx_importer_v2 - - First alias of the record - * - nodejs_security_wg - - NPM- - * - nvd_importer_v2 - - CVE ID of the record - * - openssl_importer_v2 - - CVE ID of the record - * - oss_fuzz_importer_v2 - - ID of the OSV record - * - postgresql_importer_v2 - - CVE ID of the record - * - project-kb-msr-2019_v2 - - Vulnerability ID of the record - * - project-kb-statements_v2 - - Vulnerability ID of the record - * - pypa_importer_v2 - - {package_name}/{ID of the OSV record} - * - pysec_importer_v2 - - ID of the OSV record - * - redhat_importer_v2 - - RHSA ID of the record - * - retiredotnet_importer_v2 - - retiredotnet-{file_id} - * - ruby_importer_v2 - - {file_id} - * - suse_importer_v2 - - CVE ID of the record - * - ubuntu_osv_importer_v2 - - ID of the OSV record - * - vulnrichment_importer_v2 - - CVE ID of the record - * - xen_importer_v2 - - XSA- diff --git a/docs/source/PIPELINES-AVID.rst b/docs/source/PIPELINES-AVID.rst new file mode 120000 index 000000000..bd1a92bd7 --- /dev/null +++ b/docs/source/PIPELINES-AVID.rst @@ -0,0 +1 @@ +../../PIPELINES-AVID.rst \ No newline at end of file diff --git a/docs/source/SOURCES.rst b/docs/source/SOURCES.rst deleted file mode 100644 index 6d402a812..000000000 --- a/docs/source/SOURCES.rst +++ /dev/null @@ -1,112 +0,0 @@ -.. _sources: - -Sources -======= - -.. list-table:: Sources - :header-rows: 1 - :widths: 20 50 30 - - * - Importer Name - - Data Source - - Ecosystems Covered - - * - rust - - https://github.com/RustSec/advisory-db - - rust crates - - * - alpine - - https://secdb.alpinelinux.org/ - - alpine packages - - * - archlinux - - https://security.archlinux.org/json - - arch packages - - * - debian - - https://security-tracker.debian.org/tracker/data/json - - debian packages - - * - npm - - https://github.com/nodejs/security-wg.git - - npm packages - - * - ruby - - https://github.com/rubysec/ruby-advisory-db.git - - ruby gems - - * - ubuntu - - - - ubuntu packages - - * - retiredotnet - - https://github.com/RetireNet/Packages.git - - .NET packages - - * - suse_backports - - http://ftp.suse.com/pub/projects/security/yaml/ - - SUSE packages - - * - debian_oval - - https://www.debian.org/security/oval/ - - debian packages - - * - redhat - - https://access.redhat.com/hydra/rest/securitydata/cve.json - - rpm packages - - * - nvd - - https://nvd.nist.gov/vuln/data-feeds#JSON_FEED - - none - - * - gentoo - - https://anongit.gentoo.org/git/data/glsa.git - - gentoo packages - - * - openssl - - https://www.openssl.org/news/vulnerabilities.xml - - openssl - - * - ubuntu_usn - - https://usn.ubuntu.com/usn-db/database-all.json.bz2 - - ubuntu packages - - * - github - - https://api.github.com/graphql - - maven, .NET, php-composer, pypi packages, ruby gems - - * - msr2019 - - https://raw.githubusercontent.com/SAP/project-kb/master/MSR2019/dataset/vulas_db_msr2019_release.csv - - maven packages - - * - apache_httpd - - https://httpd.apache.org/security/json - - apache-httpd - - * - kaybee - - https://github.com/SAP/project-kb.git - - maven packages - - * - nginx - - http://nginx.org/en/security_advisories.html - - nginx - - * - postgresql - - https://www.postgresql.org/support/security/ - - postgresql - - * - elixir_security - - https://github.com/dependabot/elixir-security-advisories - - hex packages - - * - suse_scores - - https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml - - vulnerability severity scores by SUSE - - * - mozilla - - https://github.com/mozilla/foundation-security-advisories - - mozilla - - * - mattermost - - https://mattermost.com/security-updates/ - - mattermost server, desktop and mobile apps diff --git a/docs/source/api-admin.rst b/docs/source/api-admin.rst index 53cf25354..1618526ce 100644 --- a/docs/source/api-admin.rst +++ b/docs/source/api-admin.rst @@ -19,3 +19,38 @@ This can be done in the admin and from the command line:: $ ./manage.py create_api_user --email "p4@nexb.com" --first-name="Phil" --last-name "Goel" User p4@nexb.com created with API key: ce8616b929d2adsddd6146346c2f26536423423491 + +API client configuration +---------------------------- + +API clients must send a `User-Agent` header that matches the value of the +`VCIO_USER_AGENT` setting. + +Add the following to your .env file:: + + VCIO_USER_AGENT="vulnerablecode-client" + +Requests without the configured User-Agent header will be rejected with 403 Forbidden. + +API rate limiting +------------------- + +The API uses request throttling to protect the service from excessive traffic. + +The rate limits can be configured in the .env file:: + + THROTTLE_RATE_ANON=10/minute + THROTTLE_RATE_UI=15/minute + THROTTLE_RATE_USER_HIGH=1/second + THROTTLE_RATE_USER_MEDIUM=30/minute + THROTTLE_RATE_USER_LOW=20/minute + +Configure Altcha protection +---------------------------- + +VulnerableCode uses Altcha to protect forms from automated abuse without +relying on third-party CAPTCHA services + +To enable Altcha, add the following setting to your .env file:: + + ALTCHA_HMAC_KEY=32-byte secret diff --git a/docs/source/api.rst b/docs/source/api.rst index 7f34c5b0b..a98e8a82a 100644 --- a/docs/source/api.rst +++ b/docs/source/api.rst @@ -21,12 +21,12 @@ your API key, click on the ``Authorize`` button on the top right of the page and your API key in the ``value`` field with ``Token`` prefix, so if your token is "1234567890abcdef" then you have to enter this: ``Token 1234567890abcdef``. -.. _Package Vulnerabilities Query: +.. _Vulnerable Packages Query: -Query for Package Vulnerabilities +Query for Vulnerable Packages ------------------------------------ -The package endpoint allows you to query vulnerabilities by package using a +The package endpoint allows you to query vulnerable packages using a purl or purl fields. Sample python script:: @@ -34,124 +34,37 @@ Sample python script:: import requests # Query by purl - resp = requests.get( - "https://public.vulnerablecode.io/api/packages?purl=pkg:maven/log4j/log4j@1.2.27", - headers={"Authorization": "Token 123456789"}, - ).json() - - # Query by purl type, get all the vulnerable maven packages - resp = requests.get( - "https://public.vulnerablecode.io/api/packages?type=maven", - headers={"Authorization": "Token 123456789"}, + resp = requests.post( + "https://public.vulnerablecode.io/api/v3/packages/", + headers={"Authorization": "Token 123456789", "User-Agent": "VCIO_API_AGENT"}, + json={ + "purls": ["pkg:npm/atob@2.0.3?foo=bar"], + "ignore_qualifiers_subpath": True, + "details": True + } ).json() Sample using curl:: - curl -X GET -H 'Authorization: Token ' https://public.vulnerablecode.io/api/packages?purl=pkg:maven/log4j/log4j@1.2.27 - - -The response will be a list of packages, these are packages -that are affected by and/or that fix a vulnerability. - - -.. _Package Bulk Search: - -Package Bulk Search ---------------------- - - -The package bulk search endpoint allows you to search for purls in bulk. You can -pass a list of purls in the request body and the endpoint will return a list of -purls with vulnerabilities. - - -You can pass a list of ``purls`` in the request body. Each package should be a -valid purl string. - -You can also pass options like ``purl_only`` and ``plain_purl`` in the request. -``purl_only`` will return only a list of vulnerable purls from the purls received in request. -``plain_purl`` allows you to query the API using plain purls by removing qualifiers -and subpath from the purl. - -The request body should be a JSON object with the following structure:: - - { - "purls": [ - "pkg:pypi/flask@1.2.0", - "pkg:npm/express@1.0" - ], - "purl_only": false, - "plain_purl": false, - } - -Sample python script:: - - import requests - - request_body = { + curl -X POST "https://public.vulnerablecode.io/api/v3/packages/" \ + -H "Authorization: Token " \ + -H "Content-Type: application/json" \ + -H "User-Agent: VCIO_API_AGENT" \ + -d '{ "purls": [ - "pkg:npm/grunt-radical@0.0.14" + "pkg:pypi/flask@2.3.2" ], - } - - resp = requests.post('https://public.vulnerablecode.io/api/packages/bulk_search', json= request_body, headers={'Authorization': "Token 123456789"}).json() - + "ignore_qualifiers_subpath": true, + "details": true, + "reachability": true + }' The response will be a list of packages, these are packages -that are affected by and/or that fix a vulnerability. - -.. _CPE Bulk Search: - -CPE Bulk Search ---------------------- - - -The CPE bulk search endpoint allows you to search for packages in bulk. -You can pass a list of packages in the request body and the endpoint will -return a list of vulnerabilities. - - -You can pass a list of ``cpes`` in the request body. Each cpe should be a -non empty string and a valid CPE. - - -The request body should be a JSON object with the following structure:: - - { - "cpes": [ - "cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*", - "cpe:2.3:a:apache:struts:2.3.2:*:*:*:*:*:*:*" - ] - } - -Sample python script:: - - import requests - - request_body = { - "cpes": [ - "cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*" - ], - } - - resp = requests.post('https://public.vulnerablecode.io/api/cpes/bulk_search', json= request_body, headers={'Authorization': "Token 123456789"}).json() - -The response will be a list of vulnerabilities that have the following CPEs. - +that are affected by and/or that fix a vulnerability advisory. API endpoints reference -------------------------- -There are two primary endpoints: - -- packages/: this is the main endpoint where you can lookup vulnerabilities by package. - -- vulnerabilities/: to lookup by vulnerabilities - -And two secondary endpoints, used to query vulnerability aliases (such as CVEs) -and vulnerability by CPEs: cpes/ and aliases/ - - .. list-table:: Table for the main API endpoints :widths: 30 40 30 :header-rows: 1 @@ -159,71 +72,44 @@ and vulnerability by CPEs: cpes/ and aliases/ * - Endpoint - Query Parameters - Expected Output - * - ``/api/packages`` - - - - ``purl`` (string) = package-url of the package - - ``type`` (string) = type of the package - - ``namespace`` (string) = namespace of the package - - ``name`` (string) = name of the package - - ``version`` (string) = version of the package - - ``qualifiers`` (string) = qualifiers of the package - - ``subpath`` (string) = subpath of the package - - ``page`` (integer) = page number of the response - - ``page_size`` (integer) = number of packages in each page - - Return a list of packages using a package-url (purl) or a combination of - type, namespace, name, version, qualifiers, subpath purl fields. See the - `purl specification `_ for more details. See example at :ref:`Package Vulnerabilities Query` section for more details. - * - ``/api/packages/bulk_search`` - - Refer to package bulk search section :ref:`Package Bulk Search` - - Return a list of packages - * - ``/api/vulnerabilities/`` + * - POST ``/api/v3/packages/`` - - - ``vulnerability_id`` (string) = VCID (VulnerableCode Identifier) of the vulnerability - - ``page`` (integer) = page number of the response - - ``page_size`` (integer) = number of vulnerabilities in each page - - Return a list of vulnerabilities - * - ``/api/cpes`` + - ``purls`` (array of strings) = List of package URLs ( a package-url (purl) or a combination of + type, namespace, name, version, qualifiers, subpath purl fields. See the + `purl specification `_ for more details. ) + - ``details`` (boolean) = Display all details about the packages provided + - ``ignore_qualifiers_subpath`` (boolean) = Ignore qualifiers/subpaths + - ``max_advisories`` (integer) = Maximum advisories to return + - ``reachability`` (boolean) = Display details about reachability + (introduced_in_patches and fixed_in_patches) + - Return a list of vulnerable packages + * - POST ``/api/v3/advisories/`` - - - ``cpe`` (string) = value of the cpe - - ``page`` (integer) = page number of the response - - ``page_size`` (integer) = number of cpes in each page - - Return a list of vulnerabilities - * - ``/api/cpes/bulk_search`` - - Refer to CPE bulk search section :ref:`CPE Bulk Search` - - Return a list of cpes - * - ``/api/aliases`` + - ``purls`` (array of strings) = list of package urls + - Returns a list of advisories related to the provided packages + * - GET ``/api/v3/affected-by-advisories/`` - - - ``alias`` (string) = value of the alias - - ``page`` (integer) = page number of the response - - ``page_size`` (integer) = number of aliases in each page - - Return a list of vulnerabilities - -.. list-table:: Table for other API endpoints - :widths: 30 40 30 - :header-rows: 1 - - * - Endpoint - - Query Parameters - - Expected Output - * - ``/api/packages/{id}`` + - ``page`` (string) = A page number within the paginated result set. + - ``page_size`` (integer) = Number of results to return per page. + - ``search`` (string) = A search term. + - Returns a paginated list of advisories vulnerabilities that affect given packages. + * - GET ``/api/v3/affected-by-advisories/{id}/`` - - - ``id`` (integer) = internal primary id of the package - - Return a package with the given id - * - ``/api/packages/all`` - - No parameter required - - Return a list of all vulnerable packages - * - ``/api/vulnerabilities/{id}`` + - ``id`` (string) = A unique integer value identifying this advisory v2. + - Returns a specific advisory that affect a given package. + * - GET ``/api/v3/fixing-advisories/`` - - - ``id`` (integer) = internal primary id of the vulnerability - - Return a vulnerability with the given id - * - ``/api/aliases/{id}`` + - ``page`` (integer) = A page number within the paginated result set. + - ``page_size`` (integer) = Number of results to return per page. + - ``search`` (string) = A search term. + - Return a paginated list of advisories that fix a given package. + * - GET ``/api/v3/fixing-advisories/{id}/`` - - - ``id`` (integer) = internal primary id of the alias - - Return an alias with the given id - * - ``/api/cpes/{id}`` + - ``id`` (string) = A unique integer value identifying this advisory v2. + - Returns a specific advisory that fix a given package. + * - GET ``/api/v3/package-types/`` - - - ``id`` = internal primary id of the cpe - - Return a cpe with the given id + - Return a list of to all the packages types in the database. Miscellaneous ---------------- diff --git a/docs/source/images/pkg_details.png b/docs/source/images/pkg_details.png index f1df78302..38bf1b3dd 100644 Binary files a/docs/source/images/pkg_details.png and b/docs/source/images/pkg_details.png differ diff --git a/docs/source/images/pkg_search.png b/docs/source/images/pkg_search.png index b152eaeaf..ad14f5d91 100644 Binary files a/docs/source/images/pkg_search.png and b/docs/source/images/pkg_search.png differ diff --git a/docs/source/images/vcio-db-admin-2023-11-27-01.png b/docs/source/images/vcio-db-admin-2023-11-27-01.png deleted file mode 100644 index 4afdc8cea..000000000 Binary files a/docs/source/images/vcio-db-admin-2023-11-27-01.png and /dev/null differ diff --git a/docs/source/images/vcio-db-application-2023-11-27-01.png b/docs/source/images/vcio-db-application-2023-11-27-01.png deleted file mode 100644 index 975dbe116..000000000 Binary files a/docs/source/images/vcio-db-application-2023-11-27-01.png and /dev/null differ diff --git a/docs/source/images/vcio-model.svg b/docs/source/images/vcio-model.svg new file mode 100644 index 000000000..fa9462031 --- /dev/null +++ b/docs/source/images/vcio-model.svg @@ -0,0 +1,3262 @@ + + +model_graph + + +cluster_vulnerabilities + +           +           +vulnerabilities +           +           + + +cluster_django_contrib_auth + +           +           +django.contrib.auth +           +           + + +cluster_django_contrib_contenttypes + +           +           +django.contrib.contenttypes +           +           + + +cluster_django_contrib_sessions + +           +           +django.contrib.sessions +           +           + + +cluster_django_contrib_admin + +           +           +django.contrib.admin +           +           + + +cluster_rest_framework_authtoken + +           +           +rest_framework.authtoken +           +           + + +cluster_django_rq + +           +           +django_rq +           +           + + + +vulnerabilities_models_CodeChange + + +       +      CodeChange       +       +base_package_version +       +       +ForeignKey (None) +       +       +commits +       +       +JSONField +       +       +created_at +       +       +DateTimeField +       +       +downloads +       +       +JSONField +       +       +is_reviewed +       +       +BooleanField +       +       +notes +       +       +TextField +       +       +patch +       +       +TextField +       +       +pulls +       +       +JSONField +       +       +references +       +       +JSONField +       +       +updated_at +       +       +DateTimeField +       + + + + +vulnerabilities_models_Package + + +       +      Package +< +PackageURLMixin +>       +       +id +       +       +AutoField +       +       +is_ghost +       +       +BooleanField +       +       +name +       +       +CharField +       +       +namespace +       +       +CharField +       +       +package_url +       +       +CharField +       +       +plain_package_url +       +       +CharField +       +       +qualifiers +       +       +CharField +       +       +risk_score +       +       +DecimalField +       +       +subpath +       +       +CharField +       +       +type +       +       +CharField +       +       +version +       +       +CharField +       +       +version_rank +       +       +IntegerField +       + + + + +vulnerabilities_models_CodeChange->vulnerabilities_models_Package + + + base_package_version (codechanges) + + + +vulnerabilities_models_ChangeLog + + +       +      ChangeLog       +       +action_time +       +       +DateTimeField +       +       +action_type +       +       +PositiveSmallIntegerField +       +       +actor_name +       +       +CharField +       +       +software_version +       +       +CharField +       +       +source_url +       +       +URLField +       + + + + +vulnerabilities_models_PackageRelatedVulnerabilityBase + + +       +      PackageRelatedVulnerabilityBase       +       +package +       +       +ForeignKey (id) +       +       +vulnerability +       +       +ForeignKey (id) +       +       +confidence +       +       +PositiveIntegerField +       +       +created_by +       +       +CharField +       + + + + +vulnerabilities_models_Vulnerability + + +       +      Vulnerability       +       +id +       +       +AutoField +       +       +exploitability +       +       +DecimalField +       +       +status +       +       +IntegerField +       +       +summary +       +       +TextField +       +       +vulnerability_id +       +       +CharField +       +       +weighted_severity +       +       +DecimalField +       + + + + +vulnerabilities_models_PackageRelatedVulnerabilityBase->vulnerabilities_models_Vulnerability + + + vulnerability (packagerelatedvulnerabilitybase) + + + +vulnerabilities_models_PackageRelatedVulnerabilityBase->vulnerabilities_models_Package + + + package (packagerelatedvulnerabilitybase) + + + +vulnerabilities_models_CodeChangeV2 + + +       +      CodeChangeV2       +       +base_package_version +       +       +ForeignKey (None) +       +       +commits +       +       +JSONField +       +       +created_at +       +       +DateTimeField +       +       +downloads +       +       +JSONField +       +       +is_reviewed +       +       +BooleanField +       +       +notes +       +       +TextField +       +       +patch +       +       +TextField +       +       +pulls +       +       +JSONField +       +       +references +       +       +JSONField +       +       +updated_at +       +       +DateTimeField +       + + + + +vulnerabilities_models_PackageV2 + + +       +      PackageV2 +< +PackageURLMixin +>       +       +id +       +       +AutoField +       +       +is_ghost +       +       +BooleanField +       +       +name +       +       +CharField +       +       +namespace +       +       +CharField +       +       +package_url +       +       +CharField +       +       +plain_package_url +       +       +CharField +       +       +qualifiers +       +       +CharField +       +       +risk_score +       +       +DecimalField +       +       +subpath +       +       +CharField +       +       +type +       +       +CharField +       +       +version +       +       +CharField +       +       +version_rank +       +       +IntegerField +       + + + + +vulnerabilities_models_CodeChangeV2->vulnerabilities_models_PackageV2 + + + base_package_version (codechanges_v2) + + + +packageurl_contrib_django_models_PackageURLMixin + + +       +      PackageURLMixin       +       +name +       +       +CharField +       +       +namespace +       +       +CharField +       +       +qualifiers +       +       +CharField +       +       +subpath +       +       +CharField +       +       +type +       +       +CharField +       +       +version +       +       +CharField +       + + + + +vulnerabilities_models_VulnerabilitySeverity + + +       +      VulnerabilitySeverity       +       +id +       +       +AutoField +       +       +published_at +       +       +DateTimeField +       +       +scoring_elements +       +       +CharField +       +       +scoring_system +       +       +CharField +       +       +url +       +       +URLField +       +       +value +       +       +CharField +       + + + + +vulnerabilities_models_Vulnerability->vulnerabilities_models_VulnerabilitySeverity + + + + severities (vulnerabilities) + + + +vulnerabilities_models_Weakness + + +       +      Weakness       +       +id +       +       +AutoField +       +       +cwe_id +       +       +IntegerField +       + + + + +vulnerabilities_models_Weakness->vulnerabilities_models_Vulnerability + + + + vulnerabilities (weaknesses) + + + +vulnerabilities_models_VulnerabilityReference + + +       +      VulnerabilityReference       +       +id +       +       +AutoField +       +       +reference_id +       +       +CharField +       +       +reference_type +       +       +CharField +       +       +url +       +       +URLField +       + + + + +vulnerabilities_models_VulnerabilityRelatedReference + + +       +      VulnerabilityRelatedReference       +       +id +       +       +AutoField +       +       +reference +       +       +ForeignKey (id) +       +       +vulnerability +       +       +ForeignKey (id) +       + + + + +vulnerabilities_models_VulnerabilityRelatedReference->vulnerabilities_models_Vulnerability + + + vulnerability (vulnerabilityrelatedreference) + + + +vulnerabilities_models_VulnerabilityRelatedReference->vulnerabilities_models_VulnerabilityReference + + + reference (vulnerabilityrelatedreference) + + + +vulnerabilities_models_Package->packageurl_contrib_django_models_PackageURLMixin + + + abstract +inheritance + + + +vulnerabilities_models_FixingPackageRelatedVulnerability + + +       +      FixingPackageRelatedVulnerability +< +PackageRelatedVulnerabilityBase +>       +       +id +       +       +AutoField +       +       +package +       +       +ForeignKey (id) +       +       +vulnerability +       +       +ForeignKey (id) +       +       +confidence +       +       +PositiveIntegerField +       +       +created_by +       +       +CharField +       + + + + +vulnerabilities_models_FixingPackageRelatedVulnerability->vulnerabilities_models_PackageRelatedVulnerabilityBase + + + abstract +inheritance + + + +vulnerabilities_models_FixingPackageRelatedVulnerability->vulnerabilities_models_Vulnerability + + + vulnerability (fixingpackagerelatedvulnerability) + + + +vulnerabilities_models_FixingPackageRelatedVulnerability->vulnerabilities_models_Package + + + package (fixingpackagerelatedvulnerability) + + + +vulnerabilities_models_AffectedByPackageRelatedVulnerability + + +       +      AffectedByPackageRelatedVulnerability +< +PackageRelatedVulnerabilityBase +>       +       +id +       +       +AutoField +       +       +package +       +       +ForeignKey (id) +       +       +vulnerability +       +       +ForeignKey (id) +       +       +confidence +       +       +PositiveIntegerField +       +       +created_by +       +       +CharField +       + + + + +vulnerabilities_models_AffectedByPackageRelatedVulnerability->vulnerabilities_models_PackageRelatedVulnerabilityBase + + + abstract +inheritance + + + +vulnerabilities_models_AffectedByPackageRelatedVulnerability->vulnerabilities_models_VulnerabilitySeverity + + + + severities (affected_package_vulnerability_relations) + + + +vulnerabilities_models_AffectedByPackageRelatedVulnerability->vulnerabilities_models_Vulnerability + + + vulnerability (affectedbypackagerelatedvulnerability) + + + +vulnerabilities_models_AffectedByPackageRelatedVulnerability->vulnerabilities_models_Package + + + package (affectedbypackagerelatedvulnerability) + + + +vulnerabilities_models_Alias + + +       +      Alias       +       +id +       +       +AutoField +       +       +vulnerability +       +       +ForeignKey (id) +       +       +alias +       +       +CharField +       + + + + +vulnerabilities_models_Alias->vulnerabilities_models_Vulnerability + + + vulnerability (aliases) + + + +vulnerabilities_models_Advisory + + +       +      Advisory       +       +id +       +       +AutoField +       +       +affected_packages +       +       +JSONField +       +       +created_by +       +       +CharField +       +       +date_collected +       +       +DateTimeField +       +       +date_imported +       +       +DateTimeField +       +       +date_published +       +       +DateTimeField +       +       +references +       +       +JSONField +       +       +summary +       +       +TextField +       +       +unique_content_id +       +       +CharField +       +       +url +       +       +URLField +       +       +weaknesses +       +       +JSONField +       + + + + +vulnerabilities_models_AdvisoryRelatedAlias + + +       +      AdvisoryRelatedAlias       +       +id +       +       +AutoField +       +       +advisory +       +       +ForeignKey (id) +       +       +alias +       +       +ForeignKey (id) +       + + + + +vulnerabilities_models_AdvisoryRelatedAlias->vulnerabilities_models_Alias + + + alias (advisoryrelatedalias) + + + +vulnerabilities_models_AdvisoryRelatedAlias->vulnerabilities_models_Advisory + + + advisory (advisoryrelatedalias) + + + +vulnerabilities_models_ApiUser + + +       +      ApiUser       + + + + +django_contrib_auth_models_User + + +       +      User +< +AbstractUser +>       +       +id +       +       +AutoField +       +       +date_joined +       +       +DateTimeField +       +       +email +       +       +EmailField +       +       +first_name +       +       +CharField +       +       +is_active +       +       +BooleanField +       +       +is_staff +       +       +BooleanField +       +       +is_superuser +       +       +BooleanField +       +       +last_login +       +       +DateTimeField +       +       +last_name +       +       +CharField +       +       +password +       +       +CharField +       +       +username +       +       +CharField +       + + + + +vulnerabilities_models_ApiUser->django_contrib_auth_models_User + + + proxy +inheritance + + + +vulnerabilities_models_VulnerabilityChangeLog + + +       +      VulnerabilityChangeLog +< +ChangeLog +>       +       +id +       +       +AutoField +       +       +vulnerability +       +       +ForeignKey (id) +       +       +action_time +       +       +DateTimeField +       +       +action_type +       +       +PositiveSmallIntegerField +       +       +actor_name +       +       +CharField +       +       +software_version +       +       +CharField +       +       +source_url +       +       +URLField +       + + + + +vulnerabilities_models_VulnerabilityChangeLog->vulnerabilities_models_ChangeLog + + + abstract +inheritance + + + +vulnerabilities_models_VulnerabilityChangeLog->vulnerabilities_models_Vulnerability + + + vulnerability (changelog) + + + +vulnerabilities_models_PackageChangeLog + + +       +      PackageChangeLog +< +ChangeLog +>       +       +id +       +       +AutoField +       +       +package +       +       +ForeignKey (id) +       +       +action_time +       +       +DateTimeField +       +       +action_type +       +       +PositiveSmallIntegerField +       +       +actor_name +       +       +CharField +       +       +related_vulnerability +       +       +CharField +       +       +software_version +       +       +CharField +       +       +source_url +       +       +URLField +       + + + + +vulnerabilities_models_PackageChangeLog->vulnerabilities_models_ChangeLog + + + abstract +inheritance + + + +vulnerabilities_models_PackageChangeLog->vulnerabilities_models_Package + + + package (changelog) + + + +vulnerabilities_models_Exploit + + +       +      Exploit       +       +id +       +       +AutoField +       +       +vulnerability +       +       +ForeignKey (id) +       +       +data_source +       +       +TextField +       +       +date_added +       +       +DateField +       +       +description +       +       +TextField +       +       +due_date +       +       +DateField +       +       +exploit_type +       +       +TextField +       +       +known_ransomware_campaign_use +       +       +BooleanField +       +       +notes +       +       +TextField +       +       +platform +       +       +TextField +       +       +required_action +       +       +TextField +       +       +source_date_published +       +       +DateField +       +       +source_date_updated +       +       +DateField +       +       +source_url +       +       +URLField +       + + + + +vulnerabilities_models_Exploit->vulnerabilities_models_Vulnerability + + + vulnerability (exploits) + + + +vulnerabilities_models_CodeFix + + +       +      CodeFix +< +CodeChange +>       +       +id +       +       +AutoField +       +       +affected_package_vulnerability +       +       +ForeignKey (id) +       +       +base_package_version +       +       +ForeignKey (id) +       +       +fixed_package_vulnerability +       +       +ForeignKey (id) +       +       +commits +       +       +JSONField +       +       +created_at +       +       +DateTimeField +       +       +downloads +       +       +JSONField +       +       +is_reviewed +       +       +BooleanField +       +       +notes +       +       +TextField +       +       +patch +       +       +TextField +       +       +pulls +       +       +JSONField +       +       +references +       +       +JSONField +       +       +updated_at +       +       +DateTimeField +       + + + + +vulnerabilities_models_CodeFix->vulnerabilities_models_CodeChange + + + abstract +inheritance + + + +vulnerabilities_models_CodeFix->vulnerabilities_models_Package + + + base_package_version (codechanges) + + + +vulnerabilities_models_CodeFix->vulnerabilities_models_FixingPackageRelatedVulnerability + + + fixed_package_vulnerability (code_fix) + + + +vulnerabilities_models_CodeFix->vulnerabilities_models_AffectedByPackageRelatedVulnerability + + + affected_package_vulnerability (code_fix) + + + +vulnerabilities_models_CodeFixV2 + + +       +      CodeFixV2 +< +CodeChangeV2 +>       +       +id +       +       +AutoField +       +       +advisory +       +       +ForeignKey (id) +       +       +affected_package +       +       +ForeignKey (id) +       +       +base_package_version +       +       +ForeignKey (id) +       +       +fixed_package +       +       +ForeignKey (id) +       +       +commits +       +       +JSONField +       +       +created_at +       +       +DateTimeField +       +       +downloads +       +       +JSONField +       +       +is_reviewed +       +       +BooleanField +       +       +notes +       +       +TextField +       +       +patch +       +       +TextField +       +       +pulls +       +       +JSONField +       +       +references +       +       +JSONField +       +       +updated_at +       +       +DateTimeField +       + + + + +vulnerabilities_models_CodeFixV2->vulnerabilities_models_CodeChangeV2 + + + abstract +inheritance + + + +vulnerabilities_models_AdvisoryV2 + + +       +      AdvisoryV2       +       +id +       +       +AutoField +       +       +_all_impacts_unfurled_at +       +       +DateTimeField +       +       +_all_impacts_unfurled_successfully_at +       +       +DateTimeField +       +       +advisory_id +       +       +CharField +       +       +avid +       +       +CharField +       +       +datasource_id +       +       +CharField +       +       +date_collected +       +       +DateTimeField +       +       +date_published +       +       +DateTimeField +       +       +exploitability +       +       +DecimalField +       +       +is_latest +       +       +BooleanField +       +       +original_advisory_text +       +       +TextField +       +       +pipeline_id +       +       +CharField +       +       +precedence +       +       +IntegerField +       +       +risk_score +       +       +DecimalField +       +       +status +       +       +IntegerField +       +       +summary +       +       +TextField +       +       +unique_content_id +       +       +CharField +       +       +url +       +       +URLField +       +       +weighted_severity +       +       +DecimalField +       + + + + +vulnerabilities_models_CodeFixV2->vulnerabilities_models_AdvisoryV2 + + + advisory (code_fix_v2) + + + +vulnerabilities_models_CodeFixV2->vulnerabilities_models_PackageV2 + + + base_package_version (codechanges_v2) + + + +vulnerabilities_models_CodeFixV2->vulnerabilities_models_PackageV2 + + + affected_package (code_fix_v2_affected) + + + +vulnerabilities_models_CodeFixV2->vulnerabilities_models_PackageV2 + + + fixed_package (code_fix_v2_fixed) + + + +vulnerabilities_models_PipelineRun + + +       +      PipelineRun       +       +run_id +       +       +UUIDField +       +       +pipeline +       +       +ForeignKey (id) +       +       +created_date +       +       +DateTimeField +       +       +log +       +       +TextField +       +       +run_end_date +       +       +DateTimeField +       +       +run_exitcode +       +       +IntegerField +       +       +run_output +       +       +TextField +       +       +run_start_date +       +       +DateTimeField +       +       +vulnerablecode_commit +       +       +CharField +       +       +vulnerablecode_version +       +       +CharField +       + + + + +vulnerabilities_models_PipelineSchedule + + +       +      PipelineSchedule       +       +id +       +       +AutoField +       +       +created_date +       +       +DateTimeField +       +       +execution_timeout +       +       +PositiveSmallIntegerField +       +       +is_active +       +       +BooleanField +       +       +is_run_once +       +       +BooleanField +       +       +live_logging +       +       +BooleanField +       +       +pipeline_id +       +       +CharField +       +       +run_interval +       +       +IntegerField +       +       +run_priority +       +       +IntegerField +       +       +schedule_work_id +       +       +CharField +       + + + + +vulnerabilities_models_PipelineRun->vulnerabilities_models_PipelineSchedule + + + pipeline (pipelineruns) + + + +vulnerabilities_models_AdvisoryToDo + + +       +      AdvisoryToDo       +       +id +       +       +AutoField +       +       +created_at +       +       +DateTimeField +       +       +is_resolved +       +       +BooleanField +       +       +issue_detail +       +       +TextField +       +       +issue_type +       +       +CharField +       +       +related_advisories_id +       +       +CharField +       +       +resolution_detail +       +       +TextField +       +       +resolved_at +       +       +DateTimeField +       + + + + +vulnerabilities_models_AdvisoryToDoV2 + + +       +      AdvisoryToDoV2       +       +todo_id +       +       +UUIDField +       +       +advisories_count +       +       +IntegerField +       +       +alias +       +       +CharField +       +       +created_at +       +       +DateTimeField +       +       +is_resolved +       +       +BooleanField +       +       +is_todo_stale +       +       +BooleanField +       +       +issue_detail +       +       +JSONField +       +       +issue_type +       +       +CharField +       +       +oldest_advisory_date +       +       +DateTimeField +       +       +related_advisories_id +       +       +CharField +       +       +resolution_detail +       +       +TextField +       +       +resolved_at +       +       +DateTimeField +       + + + + +vulnerabilities_models_AdvisorySeverity + + +       +      AdvisorySeverity       +       +id +       +       +AutoField +       +       +published_at +       +       +DateTimeField +       +       +scoring_elements +       +       +CharField +       +       +scoring_system +       +       +CharField +       +       +url +       +       +URLField +       +       +value +       +       +CharField +       + + + + +vulnerabilities_models_AdvisoryWeakness + + +       +      AdvisoryWeakness       +       +id +       +       +AutoField +       +       +cwe_id +       +       +IntegerField +       + + + + +vulnerabilities_models_AdvisoryReference + + +       +      AdvisoryReference       +       +id +       +       +AutoField +       +       +archive_url +       +       +URLField +       +       +reference_id +       +       +CharField +       +       +reference_type +       +       +CharField +       +       +url +       +       +URLField +       + + + + +vulnerabilities_models_AdvisoryAlias + + +       +      AdvisoryAlias       +       +id +       +       +AutoField +       +       +alias +       +       +CharField +       + + + + +vulnerabilities_models_Patch + + +       +      Patch       +       +id +       +       +AutoField +       +       +patch_checksum +       +       +CharField +       +       +patch_text +       +       +TextField +       +       +patch_url +       +       +URLField +       + + + + +vulnerabilities_models_PackageCommitPatch + + +       +      PackageCommitPatch       +       +id +       +       +AutoField +       +       +commit_hash +       +       +CharField +       +       +patch_checksum +       +       +CharField +       +       +patch_text +       +       +TextField +       +       +vcs_url +       +       +URLField +       + + + + +vulnerabilities_models_AdvisorySet + + +       +      AdvisorySet       +       +id +       +       +AutoField +       +       +package +       +       +ForeignKey (id) +       +       +primary_advisory +       +       +ForeignKey (id) +       +       +created_at +       +       +DateTimeField +       +       +relation_type +       +       +CharField +       + + + + +vulnerabilities_models_AdvisorySet->vulnerabilities_models_AdvisoryAlias + + + + aliases (advisory_sets) + + + +vulnerabilities_models_AdvisorySet->vulnerabilities_models_AdvisoryV2 + + + primary_advisory (advisoryset) + + + +vulnerabilities_models_AdvisorySet->vulnerabilities_models_PackageV2 + + + package (advisoryset) + + + +vulnerabilities_models_AdvisorySetMember + + +       +      AdvisorySetMember       +       +id +       +       +AutoField +       +       +advisory +       +       +ForeignKey (id) +       +       +advisory_set +       +       +ForeignKey (id) +       +       +is_primary +       +       +BooleanField +       + + + + +vulnerabilities_models_AdvisorySetMember->vulnerabilities_models_AdvisorySet + + + advisory_set (members) + + + +vulnerabilities_models_AdvisorySetMember->vulnerabilities_models_AdvisoryV2 + + + advisory (advisorysetmember) + + + +vulnerabilities_models_AdvisoryV2->vulnerabilities_models_AdvisorySeverity + + + + severities (advisories) + + + +vulnerabilities_models_AdvisoryV2->vulnerabilities_models_AdvisoryWeakness + + + + weaknesses (advisories) + + + +vulnerabilities_models_AdvisoryV2->vulnerabilities_models_AdvisoryReference + + + + references (advisories) + + + +vulnerabilities_models_AdvisoryV2->vulnerabilities_models_AdvisoryAlias + + + + aliases (advisories) + + + +vulnerabilities_models_AdvisoryV2->vulnerabilities_models_Patch + + + + patches (advisories) + + + +vulnerabilities_models_AdvisoryV2->vulnerabilities_models_AdvisoryV2 + + + + related_advisory_severities (related_to_advisory_severities) + + + +vulnerabilities_models_ImpactedPackage + + +       +      ImpactedPackage       +       +id +       +       +AutoField +       +       +advisory +       +       +ForeignKey (id) +       +       +affecting_vers +       +       +TextField +       +       +base_purl +       +       +CharField +       +       +created_at +       +       +DateTimeField +       +       +fixed_vers +       +       +TextField +       +       +last_range_unfurl_at +       +       +DateTimeField +       +       +last_successful_range_unfurl_at +       +       +DateTimeField +       + + + + +vulnerabilities_models_ImpactedPackage->vulnerabilities_models_PackageCommitPatch + + + + introduced_by_package_commit_patches (introduced_in_impacts) + + + +vulnerabilities_models_ImpactedPackage->vulnerabilities_models_PackageCommitPatch + + + + fixed_by_package_commit_patches (fixed_in_impacts) + + + +vulnerabilities_models_ImpactedPackage->vulnerabilities_models_AdvisoryV2 + + + advisory (impacted_packages) + + + +vulnerabilities_models_ToDoRelatedAdvisory + + +       +      ToDoRelatedAdvisory       +       +id +       +       +AutoField +       +       +advisory +       +       +ForeignKey (id) +       +       +todo +       +       +ForeignKey (id) +       + + + + +vulnerabilities_models_ToDoRelatedAdvisory->vulnerabilities_models_Advisory + + + advisory (todorelatedadvisory) + + + +vulnerabilities_models_ToDoRelatedAdvisory->vulnerabilities_models_AdvisoryToDo + + + todo (todorelatedadvisory) + + + +vulnerabilities_models_ToDoRelatedAdvisoryV2 + + +       +      ToDoRelatedAdvisoryV2       +       +id +       +       +AutoField +       +       +advisory +       +       +ForeignKey (id) +       +       +todo +       +       +ForeignKey (todo_id) +       + + + + +vulnerabilities_models_ToDoRelatedAdvisoryV2->vulnerabilities_models_AdvisoryToDoV2 + + + todo (todorelatedadvisoryv2) + + + +vulnerabilities_models_ToDoRelatedAdvisoryV2->vulnerabilities_models_AdvisoryV2 + + + advisory (todorelatedadvisoryv2) + + + +vulnerabilities_models_PackageV2->packageurl_contrib_django_models_PackageURLMixin + + + abstract +inheritance + + + +vulnerabilities_models_ImpactedPackageAffecting + + +       +      ImpactedPackageAffecting       +       +id +       +       +AutoField +       +       +impacted_package +       +       +ForeignKey (id) +       +       +package +       +       +ForeignKey (id) +       +       +created_at +       +       +DateTimeField +       + + + + +vulnerabilities_models_ImpactedPackageAffecting->vulnerabilities_models_ImpactedPackage + + + impacted_package (impactedpackageaffecting) + + + +vulnerabilities_models_ImpactedPackageAffecting->vulnerabilities_models_PackageV2 + + + package (impactedpackageaffecting) + + + +vulnerabilities_models_ImpactedPackageFixedBy + + +       +      ImpactedPackageFixedBy       +       +id +       +       +AutoField +       +       +impacted_package +       +       +ForeignKey (id) +       +       +package +       +       +ForeignKey (id) +       +       +created_at +       +       +DateTimeField +       + + + + +vulnerabilities_models_ImpactedPackageFixedBy->vulnerabilities_models_ImpactedPackage + + + impacted_package (impactedpackagefixedby) + + + +vulnerabilities_models_ImpactedPackageFixedBy->vulnerabilities_models_PackageV2 + + + package (impactedpackagefixedby) + + + +vulnerabilities_models_AdvisoryExploit + + +       +      AdvisoryExploit       +       +id +       +       +AutoField +       +       +advisory +       +       +ForeignKey (id) +       +       +data_source +       +       +TextField +       +       +date_added +       +       +DateField +       +       +description +       +       +TextField +       +       +due_date +       +       +DateField +       +       +exploit_type +       +       +TextField +       +       +known_ransomware_campaign_use +       +       +BooleanField +       +       +notes +       +       +TextField +       +       +platform +       +       +TextField +       +       +record_id +       +       +CharField +       +       +required_action +       +       +TextField +       +       +source_date_published +       +       +DateField +       +       +source_date_updated +       +       +DateField +       +       +source_url +       +       +URLField +       + + + + +vulnerabilities_models_AdvisoryExploit->vulnerabilities_models_AdvisoryV2 + + + advisory (exploits) + + + +vulnerabilities_models_SSVC + + +       +      SSVC       +       +id +       +       +AutoField +       +       +source_advisory +       +       +ForeignKey (id) +       +       +decision +       +       +CharField +       +       +options +       +       +JSONField +       +       +vector +       +       +CharField +       + + + + +vulnerabilities_models_SSVC->vulnerabilities_models_AdvisoryV2 + + + source_advisory (source_ssvcs) + + + +vulnerabilities_models_SSVC->vulnerabilities_models_AdvisoryV2 + + + + related_advisories (related_ssvcs) + + + +vulnerabilities_models_AdvisoryPOC + + +       +      AdvisoryPOC       +       +id +       +       +AutoField +       +       +advisory +       +       +ForeignKey (id) +       +       +created_at +       +       +DateTimeField +       +       +is_confirmed +       +       +BooleanField +       +       +updated_at +       +       +DateTimeField +       +       +url +       +       +URLField +       + + + + +vulnerabilities_models_AdvisoryPOC->vulnerabilities_models_AdvisoryV2 + + + advisory (pocs) + + + +django_contrib_auth_models_AbstractUser + + +       +      AbstractUser +< +AbstractBaseUser,PermissionsMixin +>       +       +date_joined +       +       +DateTimeField +       +       +email +       +       +EmailField +       +       +first_name +       +       +CharField +       +       +is_active +       +       +BooleanField +       +       +is_staff +       +       +BooleanField +       +       +is_superuser +       +       +BooleanField +       +       +last_login +       +       +DateTimeField +       +       +last_name +       +       +CharField +       +       +password +       +       +CharField +       +       +username +       +       +CharField +       + + + + +django_contrib_auth_base_user_AbstractBaseUser + + +   +AbstractBaseUser +   + + + +django_contrib_auth_models_AbstractUser->django_contrib_auth_base_user_AbstractBaseUser + + + abstract +inheritance + + + +django_contrib_auth_models_PermissionsMixin + + +   +PermissionsMixin +   + + + +django_contrib_auth_models_AbstractUser->django_contrib_auth_models_PermissionsMixin + + + abstract +inheritance + + + +django_contrib_auth_models_Permission + + +       +      Permission       +       +id +       +       +AutoField +       +       +content_type +       +       +ForeignKey (id) +       +       +codename +       +       +CharField +       +       +name +       +       +CharField +       + + + + +django_contrib_contenttypes_models_ContentType + + +       +      ContentType       +       +id +       +       +AutoField +       +       +app_label +       +       +CharField +       +       +model +       +       +CharField +       + + + + +django_contrib_auth_models_Permission->django_contrib_contenttypes_models_ContentType + + + content_type (permission) + + + +django_contrib_auth_models_Group + + +       +      Group       +       +id +       +       +AutoField +       +       +name +       +       +CharField +       + + + + +django_contrib_auth_models_Group->django_contrib_auth_models_Permission + + + + permissions (group) + + + +django_contrib_auth_models_User->django_contrib_auth_models_AbstractUser + + + abstract +inheritance + + + +django_contrib_auth_models_User->django_contrib_auth_models_Permission + + + + user_permissions (user) + + + +django_contrib_auth_models_User->django_contrib_auth_models_Group + + + + groups (user) + + + +django_contrib_sessions_base_session_AbstractBaseSession + + +       +      AbstractBaseSession       +       +expire_date +       +       +DateTimeField +       +       +session_data +       +       +TextField +       + + + + +django_contrib_sessions_models_Session + + +       +      Session +< +AbstractBaseSession +>       +       +session_key +       +       +CharField +       +       +expire_date +       +       +DateTimeField +       +       +session_data +       +       +TextField +       + + + + +django_contrib_sessions_models_Session->django_contrib_sessions_base_session_AbstractBaseSession + + + abstract +inheritance + + + +django_contrib_admin_models_LogEntry + + +       +      LogEntry       +       +id +       +       +AutoField +       +       +content_type +       +       +ForeignKey (id) +       +       +user +       +       +ForeignKey (id) +       +       +action_flag +       +       +PositiveSmallIntegerField +       +       +action_time +       +       +DateTimeField +       +       +change_message +       +       +TextField +       +       +object_id +       +       +TextField +       +       +object_repr +       +       +CharField +       + + + + +django_contrib_admin_models_LogEntry->django_contrib_auth_models_User + + + user (logentry) + + + +django_contrib_admin_models_LogEntry->django_contrib_contenttypes_models_ContentType + + + content_type (logentry) + + + +rest_framework_authtoken_models_Token + + +       +      Token       +       +key +       +       +CharField +       +       +user +       +       +OneToOneField (id) +       +       +created +       +       +DateTimeField +       + + + + +rest_framework_authtoken_models_Token->django_contrib_auth_models_User + + user (auth_token) + + + +rest_framework_authtoken_models_TokenProxy + + +       +      TokenProxy       + + + + +rest_framework_authtoken_models_TokenProxy->rest_framework_authtoken_models_Token + + + proxy +inheritance + + + +django_rq_models_Queue + + +       +      Queue       +       +id +       +       +AutoField +       + + + + \ No newline at end of file diff --git a/docs/source/index.rst b/docs/source/index.rst index ae14b267f..dbfb61c49 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -30,7 +30,6 @@ command-line-interface importers_link PIPELINES-AVID - SOURCES .. toctree:: :hidden: @@ -47,10 +46,10 @@ VulnerableCode Documentation *VulnerableCode* provides a Web UI and API to access a database of known software package vulnerabilities with comprehensive information from upstream and downstream public -sources including packages affected by a vulnerability and packages that fix a -vulnerability. +sources including packages affected by a vulnerability advisories and packages that fix a +vulnerability advisory. -There is a `public VulnerableCode database `_ +There is a `public vulnerableCode database `_ and the project also provides the tools to build your own instance of the database. Documentation overview @@ -99,8 +98,7 @@ Reference documentation for VulnerableCode features and customizations. - :ref:`reference_model_overview` - :ref:`command_line_interface` - :ref:`importers_link` -- :ref:`pipelines_avid` -- :ref:`sources` +- :ref:`pipeline_avid_mapping` .. rst-class:: column column2 bottom-right diff --git a/docs/source/introduction.rst b/docs/source/introduction.rst index 5143343a6..00b5d7fc3 100644 --- a/docs/source/introduction.rst +++ b/docs/source/introduction.rst @@ -18,19 +18,17 @@ What can I do with VulnerableCode? **For security researchers and software developers, VulnerableCode offers a web UI and a JSON API to efficiently find if the FOSS packages and dependencies that -you use are affected by known vulnerabilities and to determine whether a later package version -fixes those vulnerabilities.** +you use are affected by known vulnerabilities advisories and to determine whether +a later package version fixes those vulnerabilities advisories.** -- With the web UI, you can search by package using Package URLs or search by - vulnerability, e.g., by CVE. From there you can navigate to the package - vulnerabilities and to the vulnerable packages. +- With the web UI, you can search by package using + Package URLs and navigate directly to advisory/AVID page - With the JSON API, you can perform package queries using Package URLs (`purl `__) or query - by vulnerability id ("VCID"). You can also query by CPEs and other vulnerability aliases. - The API provides paginated index and detail endpoints and includes indexes - of vulnerable CPEs and vulnerable Package URLs. + by advisory/AVID. + For comprehensive details, see the :ref:`api` section. You can install VulnerableCode locally or use the provided publicly hosted instance, or host your own installation. You can contact the VulnerableCode team @@ -41,9 +39,9 @@ Why VulnerableCode? ------------------- VulnerableCode provides open correlated data and will support curated -data. Our approach is to prioritize upstream data sources and to merge multiple -vulnerability data sources after comparison and correlation. The vulnerability -data is keyed by Package URL ensuring quick and accurate lookup with minimal +data. Our approach is to prioritize upstream data sources and to group multiple +vulnerability advisory data sources after comparison and correlation. The vulnerability +advisory data is keyed by Package URL ensuring quick and accurate lookup with minimal friction. We continuously validate and refine the collected data for quality, accuracy and consistency using "improver" jobs. An example is an improver that can validate that a package version reported as diff --git a/docs/source/reference_framework_overview.rst b/docs/source/reference_framework_overview.rst index 1b2719172..92a8a524d 100644 --- a/docs/source/reference_framework_overview.rst +++ b/docs/source/reference_framework_overview.rst @@ -9,11 +9,11 @@ Framework Overview ┌──────────────────────┐ │ │ ┌─────────────────────┐ │ │ │ Database │ Has version ranges │ │ │ ├─────────────────────────────►│ in │ │ │ - │ │ │ Advisory │ As true as upstream │ │ + │ │ │ Advisory │ As true as upstream │ │ │ │ │ Model │ │ │ │ │ │ │ │ Frontend │ │ │ ├────────────┘ │ │ - │ Importers │ │ │ │ + │ Importers │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ @@ -25,39 +25,39 @@ Framework Overview │ │ │ │ │ │ - ┌───────────────────────┐ │ │ - │ │ │ │ - │ │◄──────────────────────────┘ ┌──────────────┐ │ - │ │ │Vulnerability │ │ - │ │ │ ID (auto) │ │ - │ Specific │ ├──────────────┤ │ - │ Improvers │ │ │ │ - │ │ │ Aliases │ │ - │ - BasicImproverer ├─────────────────────────────────────────►├──────────────┤ │ - │ │ │ ├─┘ - │ - TimeTravel │ │ Aff pkgs │ - │ │ ├──────────────┤ - │ - ... │ │ │ - │ │ │ Fixed pkgs │ - └───────────────────────┘ ├──────────────┤ - │ ... │ - └──────────────┘ - ▲ - │ - │ - │ - │ - │ - │ - │ - │ - │ - │ - │ - Independent to access any Advisory │ - ┌─────────────────────────┐ Generic to all data │ - │ │ │ - │ │ ───────────────────────────────────────────┘ + ┌──────────────────────────────────┐ │ │ + │ │ │ │ + │ │◄───────────────┘ ┌──────────────────────┐ + │ │ │ Package │ + │ │ │ │ + │ Specific │ ├──────────────────────┤ + │ Improvers │ │ purl │ + │ │ │ Package URL │ + │ - GroupAdvisoriesForPackages ├─────────────────────────────────────────►├──────────────────────┤ + │ - FlagGhostPackagePipeline │ │ Aff by advisories │ + │ - MarkUnfurlVersionRangePipeline │ │ │ + │ - ComputePackageRiskPipeline │ ├──────────────────────┤ + │ - ... │ │ │ + │ │ │ Fixed by advisories │ + └──────────────────────────────────┘ ├──────────────────────┤ + │ ... │ + └──────────────────────┘ + ▲ + │ + │ + │ + │ + │ + │ + │ + │ + │ + │ + │ + Independent to access any Advisory │ + ┌─────────────────────────┐ Generic to all data │ + │ │ │ + │ │ ───────────────────────────────────────────────────────┘ │ Generic Improvers │ │ │ │ - DefaultImprover │ diff --git a/docs/source/reference_importer_overview.rst b/docs/source/reference_importer_overview.rst index 104c7c6ec..04e56dd39 100644 --- a/docs/source/reference_importer_overview.rst +++ b/docs/source/reference_importer_overview.rst @@ -3,10 +3,10 @@ Importer Overview ================== -Importers are responsible for scraping vulnerability data such as vulnerabilities and their fixes +Importers are responsible for scraping advisories data such as advisories and their fixes and for storing the scraped information in a structured fashion. The structured data created by the importer then provides input to an improver (see :ref:`improver-overview`), which is responsible -for creating a relational model for vulnerabilities, affected packages and fixed packages. +for creating a relational model for advisories, affected packages and fixed packages. All importer implementation-related code is defined in :file:`vulnerabilites/importer.py`. diff --git a/docs/source/reference_improver_overview.rst b/docs/source/reference_improver_overview.rst index 4de0ff1c0..417f5d8a2 100644 --- a/docs/source/reference_improver_overview.rst +++ b/docs/source/reference_improver_overview.rst @@ -4,9 +4,9 @@ Improver Overview =================== Improvers improve upon already imported data. They are responsible for creating a relational -model for vulnerabilites and packages. +model for vulnerability advisories and packages. -An Improver is intended to contain data points about a vulnerability and the relevant discrete +An Improver is intended to contain data points about a advisory and the relevant discrete affected and fixed packages (in the form of `PackageURLs `_). There is no notion of version ranges here; all package versions must be explicitly specified. diff --git a/docs/source/reference_model_overview.rst b/docs/source/reference_model_overview.rst index 715b9958c..572f766a8 100644 --- a/docs/source/reference_model_overview.rst +++ b/docs/source/reference_model_overview.rst @@ -3,23 +3,9 @@ Model Overview ================= -This is a set of Graphviz-based graph diagrams of the application and admin models as of 2023-11-27: +This is a set of Graphviz-based graph diagrams of the application and admin models as of 2026-7-10: -Application ------------ - -.. figure:: images/vcio-db-application-2023-11-27-01.png - :alt: alternate text +.. figure:: images/vcio-model.svg + :alt: application and Admin model diagrams :width: 100% - :class: with-shadow - -.. rst-class:: clear-both - - -Admin ------ - -.. figure:: images/vcio-db-admin-2023-11-27-01.png - :alt: alternate text - :width: 70% - :class: with-shadow + :class: with-shadow clear-both diff --git a/docs/source/tutorial_add_importer_pipeline.rst b/docs/source/tutorial_add_importer_pipeline.rst index ff22746b5..3e2e2cdb9 100644 --- a/docs/source/tutorial_add_importer_pipeline.rst +++ b/docs/source/tutorial_add_importer_pipeline.rst @@ -8,7 +8,7 @@ TL;DR ------- #. Create a new file ``{name}_importer.py`` inside **vulnerabilities/pipelines/**. -#. Create a new importer pipeline by inheriting **VulnerableCodeBaseImporterPipeline** +#. Create a new importer pipeline by inheriting **VulnerableCodeBaseImporterPipelineV2** defined in **vulnerabilities.pipelines**. By convention the importer pipeline class should end with **ImporterPipeline**. #. Specify the license of upstream data being imported. @@ -215,7 +215,7 @@ version management from `univers `_. from vulnerabilities.severity_systems import SCORING_SYSTEMS - class ExampleImporterPipeline(VulnerableCodeBaseImporterPipeline): + class ExampleImporterPipeline(VulnerableCodeBaseImporterPipelineV2): """Collect advisories Example.""" pipeline_id = "example_importer" diff --git a/docs/source/user-interface.rst b/docs/source/user-interface.rst index b907ecfd5..98e12182b 100644 --- a/docs/source/user-interface.rst +++ b/docs/source/user-interface.rst @@ -15,12 +15,12 @@ package URL or purl prefix fragment such as The search by packages is available at the following URL: - `https://public.vulnerablecode.io/packages/search/ `_ + `https://public.vulnerablecode.io `_ How to search by packages: - 1. Go to the URL: `https://public.vulnerablecode.io/packages/search/ `_ - 2. Enter the package URL or purl prefix fragment such as ``pkg:pypi`` + 1. Go to the URL: `https://public.vulnerablecode.io/ `_ + 2. Enter the package URL or purl prefix fragment such as ``pkg:pypi/aubio`` or by package name in the search box. 3. Click on the search button. @@ -35,39 +35,12 @@ Click on the package URL to view the package details. .. _vuln-search: -Search by vulnerabilities ---------------------------- +Navigate to Advisories +----------------------- -The search by vulnerabilities is a very powerful feature of -VulnerableCode. It allows you to search for vulnerabilities by the -VCID itself. It also allows you to search for -vulnerabilities by the CVE, GHSA, CPEs etc or by the -fragment of these identifiers like ``CVE-2021``. +You can directly navigate to an advisory page by specifying the datasource_id (for example, nvd) +and advisory_id (for example, CVE-2026-23918). `https://public.vulnerablecode.io/advisories/datasource_id/advisory_id` -The search by vulnerabilities is available at the following URL: - - `https://public.vulnerablecode.io/vulnerabilities/search/ `_ - -How to search by vulnerabilities: - - 1. Go to the URL: `https://public.vulnerablecode.io/vulnerabilities/search/ `_ - 2. Enter the VCID, CVE, GHSA, CPEs etc. in the search box. - 3. Click on the search button. - -The search results will be displayed in the table below the search box. - - .. image:: images/vuln_search.png - -Click on the VCID to view the vulnerability details. - - .. image:: images/vuln_details.png - -Affected packages tab shows the list of packages affected by the -vulnerability. - - .. image:: images/vuln_affected_packages.png - -Fixed by packages tab shows the list of packages that fix the -vulnerability. - - .. image:: images/vuln_fixed_packages.png +For example: + - `https://public.vulnerablecode.io/advisories/github_osv/GHSA-6xcx-gx7r-rccj `_ + - `https://public.vulnerablecode.io/advisories/nvd/CVE-2026-23918 `_