diff --git a/SOURCES.rst b/SOURCES.rst index bc0963a10..4f5b04d0d 100644 --- a/SOURCES.rst +++ b/SOURCES.rst @@ -1,53 +1,113 @@ -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|Importer Name | Data Source |Ecosystems Covered | -+================+======================================================================================================+====================================================+ -|rust | https://github.com/RustSec/advisory-db |rust crates | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|alpine | https://secdb.alpinelinux.org/ |alpine packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|archlinux | https://security.archlinux.org/json |arch packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|debian | https://security-tracker.debian.org/tracker/data/json |debian packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|npm | https://github.com/nodejs/security-wg.git |npm packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|ruby | https://github.com/rubysec/ruby-advisory-db.git |ruby gems | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|ubuntu | |ubuntu packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|retiredotnet | https://github.com/RetireNet/Packages.git |.NET packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|suse_backports | http://ftp.suse.com/pub/projects/security/yaml/ |SUSE packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|debian_oval | https://www.debian.org/security/oval/ |debian packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|redhat | https://access.redhat.com/hydra/rest/securitydata/cve.json |rpm packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|nvd | https://nvd.nist.gov/vuln/data-feeds#JSON_FEED |none | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|gentoo | https://anongit.gentoo.org/git/data/glsa.git |gentoo packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|openssl | https://www.openssl.org/news/vulnerabilities.xml |openssl | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|ubuntu_usn | https://usn.ubuntu.com/usn-db/database-all.json.bz2 |ubuntu packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|github | https://api.github.com/graphql |maven, .NET, php-composer, pypi packages. ruby gems | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|msr2019 | https://raw.githubusercontent.com/SAP/project-kb/master/MSR2019/dataset/vulas_db_msr2019_release.csv |maven packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|apache_httpd | https://httpd.apache.org/security/json |apache-httpd | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|kaybee | https://github.com/SAP/project-kb.git |maven packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|nginx | http://nginx.org/en/security_advisories.html |nginx | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|postgresql | https://www.postgresql.org/support/security/ |postgresql | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|elixir_security | https://github.com/dependabot/elixir-security-advisories |hex packages | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|suse_scores | https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml |vulnerability severity scores by SUSE | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|mozilla | https://github.com/mozilla/foundation-security-advisories |mozilla | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ -|mattermost | https://mattermost.com/security-updates/ |mattermost server, desktop and mobile apps | -+----------------+------------------------------------------------------------------------------------------------------+----------------------------------------------------+ ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| Importer Name | Data Source | Ecosystems Covered | ++=======================+==========================================================================================+============================================+ +| archlinux | https://security.archlinux.org/json | arch packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| apache_kafka | https://kafka.apache.org/community/cve-list | apache-kafka | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| nvd | https://nvd.nist.gov/vuln/data-feeds#JSON_FEED | none | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| elixir_security | https://github.com/dependabot/elixir-security-advisories | hex packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| npm | https://github.com/nodejs/security-wg.git | npm packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| vulnrichment | https://github.com/cisagov/vulnrichment.git | all | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| apache_httpd | https://httpd.apache.org/security/json | apache-httpd | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| pypa | https://github.com/pypa/advisory-database.git | python packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| gitlab | https://gitlab.com/gitlab-org/advisories-community.git | all | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| pysec | https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip | python packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| xen | https://xenbits.xen.org/xsa/xsa.json | xen packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| curl | https://curl.se/docs/vuln.json | curl packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| oss_fuzz | https://github.com/google/oss-fuzz-vulns.git | OSS-Fuzz target packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| istio | https://github.com/istio/istio.io/tree/master/content/en/news/security | istio packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| postgresql | https://www.postgresql.org/support/security/ | postgresql | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| mozilla | https://github.com/mozilla/foundation-security-advisories | mozilla | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| github_osv | https://github.com/github/advisory-database.git | all | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| redhat | https://access.redhat.com/hydra/rest/securitydata/cve.json | rpm packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| aosp_dataset | https://github.com/pypa/advisory-database.git | android packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| project_kb_statements | https://github.com/SAP/project-kb.git | maven, python packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| project_kb_msr2019 | https://github.com/SAP/project-kb/blob/main/MSR2019/dataset/vulas_db_msr2019_release.csv | maven, python packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| ruby | https://github.com/rubysec/ruby-advisory-db.git | ruby gems | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| epss | https://epss.cyentia.com/epss_scores-current.csv.gz | exploit prediction scoring system | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| gentoo | https://anongit.gentoo.org/git/data/glsa.git | gentoo packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| nginx | http://nginx.org/en/security_advisories.html | nginx | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| debian | https://security-tracker.debian.org/tracker/data/json | debian packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| mattermost | https://mattermost.com/security-updates/ | mattermost server, desktop and mobile apps | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| glibc | https://sourceware.org/git/glibc.git | GNU C packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| apache_tomcat | https://tomcat.apache.org/security | apache_tomcat packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| suse_scores | http://ftp.suse.com/pub/projects/security/yaml/ | vulnerability severity scores by SUSE | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| retiredotnet | https://github.com/RetireNet/Packages.git | .NET packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| ubuntu_osv | https://github.com/canonical/ubuntu-security-notices.git | ubuntu packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| alpine_linux | https://github.com/aboutcode-org/aboutcode-mirror-alpine-secdb | alpine packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| linux_kernel | https://github.com/nluedtke/linux_kernel_cves | linux kernel packages | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| openssl | https://www.openssl.org/news/vulnerabilities.xml | openssl | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| fireeye | https://github.com/mandiant/Vulnerability-Disclosures | none | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ +| fix_commits | * https://github.com/torvalds/linux | | +| | * https://github.com/mirror/busybox | | +| | * https://github.com/nginx/nginx | | +| | * https://github.com/apache/tomcat | | +| | * https://github.com/mysql/mysql-server | | +| | * https://github.com/postgres/postgres | | +| | * https://github.com/mongodb/mongo | | +| | * https://github.com/redis/redis | | +| | * https://github.com/sqlite/sqlite | | +| | * https://github.com/php/php-src | | +| | * https://github.com/python/cpython | | +| | * https://github.com/ruby/ruby | | +| | * https://github.com/golang/go | | +| | * https://github.com/nodejs/node | | +| | * https://github.com/rust-lang/rust | | +| | * https://github.com/openjdk/jdk | | +| | * https://github.com/swiftlang/swift | | +| | * https://github.com/django/django | | +| | * https://github.com/rails/rails | | +| | * https://github.com/laravel/framework | | +| | * https://github.com/spring-projects/spring-framework | | +| | * https://github.com/facebook/react | | +| | * https://github.com/angular/angular | | +| | * https://github.com/WordPress/WordPress | | +| | * https://github.com/moby/moby | | +| | * https://github.com/kubernetes/kubernetes | | +| | * https://gitlab.com/qemu-project/qemu | | +| | * https://github.com/xen-project/xen | | +| | * https://github.com/mirror/vbox | | +| | * https://github.com/containerd/containerd | | +| | * https://github.com/ansible/ansible | | +| | * https://github.com/hashicorp/terraform | | +| | * https://gitlab.com/wireshark/wireshark | | +| | * https://github.com/the-tcpdump-group/tcpdump | | +| | * https://github.com/git/git | | +| | * https://github.com/jenkinsci/jenkins | | +| | * https://gitlab.com/gitlab-org/gitlab-foss | | ++-----------------------+------------------------------------------------------------------------------------------+--------------------------------------------+ \ No newline at end of file diff --git a/docs/source/SOURCES.rst b/docs/source/SOURCES.rst deleted file mode 100644 index 6d402a812..000000000 --- a/docs/source/SOURCES.rst +++ /dev/null @@ -1,112 +0,0 @@ -.. _sources: - -Sources -======= - -.. list-table:: Sources - :header-rows: 1 - :widths: 20 50 30 - - * - Importer Name - - Data Source - - Ecosystems Covered - - * - rust - - https://github.com/RustSec/advisory-db - - rust crates - - * - alpine - - https://secdb.alpinelinux.org/ - - alpine packages - - * - archlinux - - https://security.archlinux.org/json - - arch packages - - * - debian - - https://security-tracker.debian.org/tracker/data/json - - debian packages - - * - npm - - https://github.com/nodejs/security-wg.git - - npm packages - - * - ruby - - https://github.com/rubysec/ruby-advisory-db.git - - ruby gems - - * - ubuntu - - - - ubuntu packages - - * - retiredotnet - - https://github.com/RetireNet/Packages.git - - .NET packages - - * - suse_backports - - http://ftp.suse.com/pub/projects/security/yaml/ - - SUSE packages - - * - debian_oval - - https://www.debian.org/security/oval/ - - debian packages - - * - redhat - - https://access.redhat.com/hydra/rest/securitydata/cve.json - - rpm packages - - * - nvd - - https://nvd.nist.gov/vuln/data-feeds#JSON_FEED - - none - - * - gentoo - - https://anongit.gentoo.org/git/data/glsa.git - - gentoo packages - - * - openssl - - https://www.openssl.org/news/vulnerabilities.xml - - openssl - - * - ubuntu_usn - - https://usn.ubuntu.com/usn-db/database-all.json.bz2 - - ubuntu packages - - * - github - - https://api.github.com/graphql - - maven, .NET, php-composer, pypi packages, ruby gems - - * - msr2019 - - https://raw.githubusercontent.com/SAP/project-kb/master/MSR2019/dataset/vulas_db_msr2019_release.csv - - maven packages - - * - apache_httpd - - https://httpd.apache.org/security/json - - apache-httpd - - * - kaybee - - https://github.com/SAP/project-kb.git - - maven packages - - * - nginx - - http://nginx.org/en/security_advisories.html - - nginx - - * - postgresql - - https://www.postgresql.org/support/security/ - - postgresql - - * - elixir_security - - https://github.com/dependabot/elixir-security-advisories - - hex packages - - * - suse_scores - - https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml - - vulnerability severity scores by SUSE - - * - mozilla - - https://github.com/mozilla/foundation-security-advisories - - mozilla - - * - mattermost - - https://mattermost.com/security-updates/ - - mattermost server, desktop and mobile apps diff --git a/docs/source/api-admin.rst b/docs/source/api-admin.rst index 53cf25354..1618526ce 100644 --- a/docs/source/api-admin.rst +++ b/docs/source/api-admin.rst @@ -19,3 +19,38 @@ This can be done in the admin and from the command line:: $ ./manage.py create_api_user --email "p4@nexb.com" --first-name="Phil" --last-name "Goel" User p4@nexb.com created with API key: ce8616b929d2adsddd6146346c2f26536423423491 + +API client configuration +---------------------------- + +API clients must send a `User-Agent` header that matches the value of the +`VCIO_USER_AGENT` setting. + +Add the following to your .env file:: + + VCIO_USER_AGENT="vulnerablecode-client" + +Requests without the configured User-Agent header will be rejected with 403 Forbidden. + +API rate limiting +------------------- + +The API uses request throttling to protect the service from excessive traffic. + +The rate limits can be configured in the .env file:: + + THROTTLE_RATE_ANON=10/minute + THROTTLE_RATE_UI=15/minute + THROTTLE_RATE_USER_HIGH=1/second + THROTTLE_RATE_USER_MEDIUM=30/minute + THROTTLE_RATE_USER_LOW=20/minute + +Configure Altcha protection +---------------------------- + +VulnerableCode uses Altcha to protect forms from automated abuse without +relying on third-party CAPTCHA services + +To enable Altcha, add the following setting to your .env file:: + + ALTCHA_HMAC_KEY=32-byte secret diff --git a/docs/source/api.rst b/docs/source/api.rst index 7f34c5b0b..a98e8a82a 100644 --- a/docs/source/api.rst +++ b/docs/source/api.rst @@ -21,12 +21,12 @@ your API key, click on the ``Authorize`` button on the top right of the page and your API key in the ``value`` field with ``Token`` prefix, so if your token is "1234567890abcdef" then you have to enter this: ``Token 1234567890abcdef``. -.. _Package Vulnerabilities Query: +.. _Vulnerable Packages Query: -Query for Package Vulnerabilities +Query for Vulnerable Packages ------------------------------------ -The package endpoint allows you to query vulnerabilities by package using a +The package endpoint allows you to query vulnerable packages using a purl or purl fields. Sample python script:: @@ -34,124 +34,37 @@ Sample python script:: import requests # Query by purl - resp = requests.get( - "https://public.vulnerablecode.io/api/packages?purl=pkg:maven/log4j/log4j@1.2.27", - headers={"Authorization": "Token 123456789"}, - ).json() - - # Query by purl type, get all the vulnerable maven packages - resp = requests.get( - "https://public.vulnerablecode.io/api/packages?type=maven", - headers={"Authorization": "Token 123456789"}, + resp = requests.post( + "https://public.vulnerablecode.io/api/v3/packages/", + headers={"Authorization": "Token 123456789", "User-Agent": "VCIO_API_AGENT"}, + json={ + "purls": ["pkg:npm/atob@2.0.3?foo=bar"], + "ignore_qualifiers_subpath": True, + "details": True + } ).json() Sample using curl:: - curl -X GET -H 'Authorization: Token ' https://public.vulnerablecode.io/api/packages?purl=pkg:maven/log4j/log4j@1.2.27 - - -The response will be a list of packages, these are packages -that are affected by and/or that fix a vulnerability. - - -.. _Package Bulk Search: - -Package Bulk Search ---------------------- - - -The package bulk search endpoint allows you to search for purls in bulk. You can -pass a list of purls in the request body and the endpoint will return a list of -purls with vulnerabilities. - - -You can pass a list of ``purls`` in the request body. Each package should be a -valid purl string. - -You can also pass options like ``purl_only`` and ``plain_purl`` in the request. -``purl_only`` will return only a list of vulnerable purls from the purls received in request. -``plain_purl`` allows you to query the API using plain purls by removing qualifiers -and subpath from the purl. - -The request body should be a JSON object with the following structure:: - - { - "purls": [ - "pkg:pypi/flask@1.2.0", - "pkg:npm/express@1.0" - ], - "purl_only": false, - "plain_purl": false, - } - -Sample python script:: - - import requests - - request_body = { + curl -X POST "https://public.vulnerablecode.io/api/v3/packages/" \ + -H "Authorization: Token " \ + -H "Content-Type: application/json" \ + -H "User-Agent: VCIO_API_AGENT" \ + -d '{ "purls": [ - "pkg:npm/grunt-radical@0.0.14" + "pkg:pypi/flask@2.3.2" ], - } - - resp = requests.post('https://public.vulnerablecode.io/api/packages/bulk_search', json= request_body, headers={'Authorization': "Token 123456789"}).json() - + "ignore_qualifiers_subpath": true, + "details": true, + "reachability": true + }' The response will be a list of packages, these are packages -that are affected by and/or that fix a vulnerability. - -.. _CPE Bulk Search: - -CPE Bulk Search ---------------------- - - -The CPE bulk search endpoint allows you to search for packages in bulk. -You can pass a list of packages in the request body and the endpoint will -return a list of vulnerabilities. - - -You can pass a list of ``cpes`` in the request body. Each cpe should be a -non empty string and a valid CPE. - - -The request body should be a JSON object with the following structure:: - - { - "cpes": [ - "cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*", - "cpe:2.3:a:apache:struts:2.3.2:*:*:*:*:*:*:*" - ] - } - -Sample python script:: - - import requests - - request_body = { - "cpes": [ - "cpe:2.3:a:apache:struts:2.3.1:*:*:*:*:*:*:*" - ], - } - - resp = requests.post('https://public.vulnerablecode.io/api/cpes/bulk_search', json= request_body, headers={'Authorization': "Token 123456789"}).json() - -The response will be a list of vulnerabilities that have the following CPEs. - +that are affected by and/or that fix a vulnerability advisory. API endpoints reference -------------------------- -There are two primary endpoints: - -- packages/: this is the main endpoint where you can lookup vulnerabilities by package. - -- vulnerabilities/: to lookup by vulnerabilities - -And two secondary endpoints, used to query vulnerability aliases (such as CVEs) -and vulnerability by CPEs: cpes/ and aliases/ - - .. list-table:: Table for the main API endpoints :widths: 30 40 30 :header-rows: 1 @@ -159,71 +72,44 @@ and vulnerability by CPEs: cpes/ and aliases/ * - Endpoint - Query Parameters - Expected Output - * - ``/api/packages`` - - - - ``purl`` (string) = package-url of the package - - ``type`` (string) = type of the package - - ``namespace`` (string) = namespace of the package - - ``name`` (string) = name of the package - - ``version`` (string) = version of the package - - ``qualifiers`` (string) = qualifiers of the package - - ``subpath`` (string) = subpath of the package - - ``page`` (integer) = page number of the response - - ``page_size`` (integer) = number of packages in each page - - Return a list of packages using a package-url (purl) or a combination of - type, namespace, name, version, qualifiers, subpath purl fields. See the - `purl specification `_ for more details. See example at :ref:`Package Vulnerabilities Query` section for more details. - * - ``/api/packages/bulk_search`` - - Refer to package bulk search section :ref:`Package Bulk Search` - - Return a list of packages - * - ``/api/vulnerabilities/`` + * - POST ``/api/v3/packages/`` - - - ``vulnerability_id`` (string) = VCID (VulnerableCode Identifier) of the vulnerability - - ``page`` (integer) = page number of the response - - ``page_size`` (integer) = number of vulnerabilities in each page - - Return a list of vulnerabilities - * - ``/api/cpes`` + - ``purls`` (array of strings) = List of package URLs ( a package-url (purl) or a combination of + type, namespace, name, version, qualifiers, subpath purl fields. See the + `purl specification `_ for more details. ) + - ``details`` (boolean) = Display all details about the packages provided + - ``ignore_qualifiers_subpath`` (boolean) = Ignore qualifiers/subpaths + - ``max_advisories`` (integer) = Maximum advisories to return + - ``reachability`` (boolean) = Display details about reachability + (introduced_in_patches and fixed_in_patches) + - Return a list of vulnerable packages + * - POST ``/api/v3/advisories/`` - - - ``cpe`` (string) = value of the cpe - - ``page`` (integer) = page number of the response - - ``page_size`` (integer) = number of cpes in each page - - Return a list of vulnerabilities - * - ``/api/cpes/bulk_search`` - - Refer to CPE bulk search section :ref:`CPE Bulk Search` - - Return a list of cpes - * - ``/api/aliases`` + - ``purls`` (array of strings) = list of package urls + - Returns a list of advisories related to the provided packages + * - GET ``/api/v3/affected-by-advisories/`` - - - ``alias`` (string) = value of the alias - - ``page`` (integer) = page number of the response - - ``page_size`` (integer) = number of aliases in each page - - Return a list of vulnerabilities - -.. list-table:: Table for other API endpoints - :widths: 30 40 30 - :header-rows: 1 - - * - Endpoint - - Query Parameters - - Expected Output - * - ``/api/packages/{id}`` + - ``page`` (string) = A page number within the paginated result set. + - ``page_size`` (integer) = Number of results to return per page. + - ``search`` (string) = A search term. + - Returns a paginated list of advisories vulnerabilities that affect given packages. + * - GET ``/api/v3/affected-by-advisories/{id}/`` - - - ``id`` (integer) = internal primary id of the package - - Return a package with the given id - * - ``/api/packages/all`` - - No parameter required - - Return a list of all vulnerable packages - * - ``/api/vulnerabilities/{id}`` + - ``id`` (string) = A unique integer value identifying this advisory v2. + - Returns a specific advisory that affect a given package. + * - GET ``/api/v3/fixing-advisories/`` - - - ``id`` (integer) = internal primary id of the vulnerability - - Return a vulnerability with the given id - * - ``/api/aliases/{id}`` + - ``page`` (integer) = A page number within the paginated result set. + - ``page_size`` (integer) = Number of results to return per page. + - ``search`` (string) = A search term. + - Return a paginated list of advisories that fix a given package. + * - GET ``/api/v3/fixing-advisories/{id}/`` - - - ``id`` (integer) = internal primary id of the alias - - Return an alias with the given id - * - ``/api/cpes/{id}`` + - ``id`` (string) = A unique integer value identifying this advisory v2. + - Returns a specific advisory that fix a given package. + * - GET ``/api/v3/package-types/`` - - - ``id`` = internal primary id of the cpe - - Return a cpe with the given id + - Return a list of to all the packages types in the database. Miscellaneous ---------------- diff --git a/docs/source/images/pkg_details.png b/docs/source/images/pkg_details.png index f1df78302..38bf1b3dd 100644 Binary files a/docs/source/images/pkg_details.png and b/docs/source/images/pkg_details.png differ diff --git a/docs/source/images/pkg_search.png b/docs/source/images/pkg_search.png index b152eaeaf..ad14f5d91 100644 Binary files a/docs/source/images/pkg_search.png and b/docs/source/images/pkg_search.png differ diff --git a/docs/source/images/vcio-db-admin-2023-11-27-01.png b/docs/source/images/vcio-db-admin-2023-11-27-01.png deleted file mode 100644 index 4afdc8cea..000000000 Binary files a/docs/source/images/vcio-db-admin-2023-11-27-01.png and /dev/null differ diff --git a/docs/source/images/vcio-db-application-2023-11-27-01.png b/docs/source/images/vcio-db-application-2023-11-27-01.png deleted file mode 100644 index 975dbe116..000000000 Binary files a/docs/source/images/vcio-db-application-2023-11-27-01.png and /dev/null differ diff --git a/docs/source/images/vcio-model.svg b/docs/source/images/vcio-model.svg new file mode 100644 index 000000000..fa9462031 --- /dev/null +++ b/docs/source/images/vcio-model.svg @@ -0,0 +1,3262 @@ + + +model_graph + + +cluster_vulnerabilities + +           +           +vulnerabilities +           +           + + +cluster_django_contrib_auth + +           +           +django.contrib.auth +           +           + + +cluster_django_contrib_contenttypes + +           +           +django.contrib.contenttypes +           +           + + +cluster_django_contrib_sessions + +           +           +django.contrib.sessions +           +           + + +cluster_django_contrib_admin + +           +           +django.contrib.admin +           +           + + +cluster_rest_framework_authtoken + +           +           +rest_framework.authtoken +           +           + + +cluster_django_rq + +           +           +django_rq +           +           + + + +vulnerabilities_models_CodeChange + + +       +      CodeChange       +       +base_package_version +       +       +ForeignKey (None) +       +       +commits +       +       +JSONField +       +       +created_at +       +       +DateTimeField +       +       +downloads +       +       +JSONField +       +       +is_reviewed +       +       +BooleanField +       +       +notes +       +       +TextField +       +       +patch +       +       +TextField +       +       +pulls +       +       +JSONField +       +       +references +       +       +JSONField +       +       +updated_at +       +       +DateTimeField +       + + + + +vulnerabilities_models_Package + + +       +      Package +< +PackageURLMixin +>       +       +id +       +       +AutoField +       +       +is_ghost +       +       +BooleanField +       +       +name +       +       +CharField +       +       +namespace +       +       +CharField +       +       +package_url +       +       +CharField +       +       +plain_package_url +       +       +CharField +       +       +qualifiers +       +       +CharField +       +       +risk_score +       +       +DecimalField +       +       +subpath +       +       +CharField +       +       +type +       +       +CharField +       +       +version +       +       +CharField +       +       +version_rank +       +       +IntegerField +       + + + + +vulnerabilities_models_CodeChange->vulnerabilities_models_Package + + + base_package_version (codechanges) + + + +vulnerabilities_models_ChangeLog + + +       +      ChangeLog       +       +action_time +       +       +DateTimeField +       +       +action_type +       +       +PositiveSmallIntegerField +       +       +actor_name +       +       +CharField +       +       +software_version +       +       +CharField +       +       +source_url +       +       +URLField +       + + + + +vulnerabilities_models_PackageRelatedVulnerabilityBase + + +       +      PackageRelatedVulnerabilityBase       +       +package +       +       +ForeignKey (id) +       +       +vulnerability +       +       +ForeignKey (id) +       +       +confidence +       +       +PositiveIntegerField +       +       +created_by +       +       +CharField +       + + + + +vulnerabilities_models_Vulnerability + + +       +      Vulnerability       +       +id +       +       +AutoField +       +       +exploitability +       +       +DecimalField +       +       +status +       +       +IntegerField +       +       +summary +       +       +TextField +       +       +vulnerability_id +       +       +CharField +       +       +weighted_severity +       +       +DecimalField +       + + + + +vulnerabilities_models_PackageRelatedVulnerabilityBase->vulnerabilities_models_Vulnerability + + + vulnerability (packagerelatedvulnerabilitybase) + + + +vulnerabilities_models_PackageRelatedVulnerabilityBase->vulnerabilities_models_Package + + + package (packagerelatedvulnerabilitybase) + + + +vulnerabilities_models_CodeChangeV2 + + +       +      CodeChangeV2       +       +base_package_version +       +       +ForeignKey (None) +       +       +commits +       +       +JSONField +       +       +created_at +       +       +DateTimeField +       +       +downloads +       +       +JSONField +       +       +is_reviewed +       +       +BooleanField +       +       +notes +       +       +TextField +       +       +patch +       +       +TextField +       +       +pulls +       +       +JSONField +       +       +references +       +       +JSONField +       +       +updated_at +       +       +DateTimeField +       + + + + +vulnerabilities_models_PackageV2 + + +       +      PackageV2 +< +PackageURLMixin +>       +       +id +       +       +AutoField +       +       +is_ghost +       +       +BooleanField +       +       +name +       +       +CharField +       +       +namespace +       +       +CharField +       +       +package_url +       +       +CharField +       +       +plain_package_url +       +       +CharField +       +       +qualifiers +       +       +CharField +       +       +risk_score +       +       +DecimalField +       +       +subpath +       +       +CharField +       +       +type +       +       +CharField +       +       +version +       +       +CharField +       +       +version_rank +       +       +IntegerField +       + + + + +vulnerabilities_models_CodeChangeV2->vulnerabilities_models_PackageV2 + + + base_package_version (codechanges_v2) + + + +packageurl_contrib_django_models_PackageURLMixin + + +       +      PackageURLMixin       +       +name +       +       +CharField +       +       +namespace +       +       +CharField +       +       +qualifiers +       +       +CharField +       +       +subpath +       +       +CharField +       +       +type +       +       +CharField +       +       +version +       +       +CharField +       + + + + +vulnerabilities_models_VulnerabilitySeverity + + +       +      VulnerabilitySeverity       +       +id +       +       +AutoField +       +       +published_at +       +       +DateTimeField +       +       +scoring_elements +       +       +CharField +       +       +scoring_system +       +       +CharField +       +       +url +       +       +URLField +       +       +value +       +       +CharField +       + + + + +vulnerabilities_models_Vulnerability->vulnerabilities_models_VulnerabilitySeverity + + + + severities (vulnerabilities) + + + +vulnerabilities_models_Weakness + + +       +      Weakness       +       +id +       +       +AutoField +       +       +cwe_id +       +       +IntegerField +       + + + + +vulnerabilities_models_Weakness->vulnerabilities_models_Vulnerability + + + + vulnerabilities (weaknesses) + + + +vulnerabilities_models_VulnerabilityReference + + +       +      VulnerabilityReference       +       +id +       +       +AutoField +       +       +reference_id +       +       +CharField +       +       +reference_type +       +       +CharField +       +       +url +       +       +URLField +       + + + + +vulnerabilities_models_VulnerabilityRelatedReference + + +       +      VulnerabilityRelatedReference       +       +id +       +       +AutoField +       +       +reference +       +       +ForeignKey (id) +       +       +vulnerability +       +       +ForeignKey (id) +       + + + + +vulnerabilities_models_VulnerabilityRelatedReference->vulnerabilities_models_Vulnerability + + + vulnerability (vulnerabilityrelatedreference) + + + +vulnerabilities_models_VulnerabilityRelatedReference->vulnerabilities_models_VulnerabilityReference + + + reference (vulnerabilityrelatedreference) + + + +vulnerabilities_models_Package->packageurl_contrib_django_models_PackageURLMixin + + + abstract +inheritance + + + +vulnerabilities_models_FixingPackageRelatedVulnerability + + +       +      FixingPackageRelatedVulnerability +< +PackageRelatedVulnerabilityBase +>       +       +id +       +       +AutoField +       +       +package +       +       +ForeignKey (id) +       +       +vulnerability +       +       +ForeignKey (id) +       +       +confidence +       +       +PositiveIntegerField +       +       +created_by +       +       +CharField +       + + + + +vulnerabilities_models_FixingPackageRelatedVulnerability->vulnerabilities_models_PackageRelatedVulnerabilityBase + + + abstract +inheritance + + + +vulnerabilities_models_FixingPackageRelatedVulnerability->vulnerabilities_models_Vulnerability + + + vulnerability (fixingpackagerelatedvulnerability) + + + +vulnerabilities_models_FixingPackageRelatedVulnerability->vulnerabilities_models_Package + + + package (fixingpackagerelatedvulnerability) + + + +vulnerabilities_models_AffectedByPackageRelatedVulnerability + + +       +      AffectedByPackageRelatedVulnerability +< +PackageRelatedVulnerabilityBase +>       +       +id +       +       +AutoField +       +       +package +       +       +ForeignKey (id) +       +       +vulnerability +       +       +ForeignKey (id) +       +       +confidence +       +       +PositiveIntegerField +       +       +created_by +       +       +CharField +       + + + + +vulnerabilities_models_AffectedByPackageRelatedVulnerability->vulnerabilities_models_PackageRelatedVulnerabilityBase + + + abstract +inheritance + + + +vulnerabilities_models_AffectedByPackageRelatedVulnerability->vulnerabilities_models_VulnerabilitySeverity + + + + severities (affected_package_vulnerability_relations) + + + +vulnerabilities_models_AffectedByPackageRelatedVulnerability->vulnerabilities_models_Vulnerability + + + vulnerability (affectedbypackagerelatedvulnerability) + + + +vulnerabilities_models_AffectedByPackageRelatedVulnerability->vulnerabilities_models_Package + + + package (affectedbypackagerelatedvulnerability) + + + +vulnerabilities_models_Alias + + +       +      Alias       +       +id +       +       +AutoField +       +       +vulnerability +       +       +ForeignKey (id) +       +       +alias +       +       +CharField +       + + + + +vulnerabilities_models_Alias->vulnerabilities_models_Vulnerability + + + vulnerability (aliases) + + + +vulnerabilities_models_Advisory + + +       +      Advisory       +       +id +       +       +AutoField +       +       +affected_packages +       +       +JSONField +       +       +created_by +       +       +CharField +       +       +date_collected +       +       +DateTimeField +       +       +date_imported +       +       +DateTimeField +       +       +date_published +       +       +DateTimeField +       +       +references +       +       +JSONField +       +       +summary +       +       +TextField +       +       +unique_content_id +       +       +CharField +       +       +url +       +       +URLField +       +       +weaknesses +       +       +JSONField +       + + + + +vulnerabilities_models_AdvisoryRelatedAlias + + +       +      AdvisoryRelatedAlias       +       +id +       +       +AutoField +       +       +advisory +       +       +ForeignKey (id) +       +       +alias +       +       +ForeignKey (id) +       + + + + +vulnerabilities_models_AdvisoryRelatedAlias->vulnerabilities_models_Alias + + + alias (advisoryrelatedalias) + + + +vulnerabilities_models_AdvisoryRelatedAlias->vulnerabilities_models_Advisory + + + advisory (advisoryrelatedalias) + + + +vulnerabilities_models_ApiUser + + +       +      ApiUser       + + + + +django_contrib_auth_models_User + + +       +      User +< +AbstractUser +>       +       +id +       +       +AutoField +       +       +date_joined +       +       +DateTimeField +       +       +email +       +       +EmailField +       +       +first_name +       +       +CharField +       +       +is_active +       +       +BooleanField +       +       +is_staff +       +       +BooleanField +       +       +is_superuser +       +       +BooleanField +       +       +last_login +       +       +DateTimeField +       +       +last_name +       +       +CharField +       +       +password +       +       +CharField +       +       +username +       +       +CharField +       + + + + +vulnerabilities_models_ApiUser->django_contrib_auth_models_User + + + proxy +inheritance + + + +vulnerabilities_models_VulnerabilityChangeLog + + +       +      VulnerabilityChangeLog +< +ChangeLog +>       +       +id +       +       +AutoField +       +       +vulnerability +       +       +ForeignKey (id) +       +       +action_time +       +       +DateTimeField +       +       +action_type +       +       +PositiveSmallIntegerField +       +       +actor_name +       +       +CharField +       +       +software_version +       +       +CharField +       +       +source_url +       +       +URLField +       + + + + +vulnerabilities_models_VulnerabilityChangeLog->vulnerabilities_models_ChangeLog + + + abstract +inheritance + + + +vulnerabilities_models_VulnerabilityChangeLog->vulnerabilities_models_Vulnerability + + + vulnerability (changelog) + + + +vulnerabilities_models_PackageChangeLog + + +       +      PackageChangeLog +< +ChangeLog +>       +       +id +       +       +AutoField +       +       +package +       +       +ForeignKey (id) +       +       +action_time +       +       +DateTimeField +       +       +action_type +       +       +PositiveSmallIntegerField +       +       +actor_name +       +       +CharField +       +       +related_vulnerability +       +       +CharField +       +       +software_version +       +       +CharField +       +       +source_url +       +       +URLField +       + + + + +vulnerabilities_models_PackageChangeLog->vulnerabilities_models_ChangeLog + + + abstract +inheritance + + + +vulnerabilities_models_PackageChangeLog->vulnerabilities_models_Package + + + package (changelog) + + + +vulnerabilities_models_Exploit + + +       +      Exploit       +       +id +       +       +AutoField +       +       +vulnerability +       +       +ForeignKey (id) +       +       +data_source +       +       +TextField +       +       +date_added +       +       +DateField +       +       +description +       +       +TextField +       +       +due_date +       +       +DateField +       +       +exploit_type +       +       +TextField +       +       +known_ransomware_campaign_use +       +       +BooleanField +       +       +notes +       +       +TextField +       +       +platform +       +       +TextField +       +       +required_action +       +       +TextField +       +       +source_date_published +       +       +DateField +       +       +source_date_updated +       +       +DateField +       +       +source_url +       +       +URLField +       + + + + +vulnerabilities_models_Exploit->vulnerabilities_models_Vulnerability + + + vulnerability (exploits) + + + +vulnerabilities_models_CodeFix + + +       +      CodeFix +< +CodeChange +>       +       +id +       +       +AutoField +       +       +affected_package_vulnerability +       +       +ForeignKey (id) +       +       +base_package_version +       +       +ForeignKey (id) +       +       +fixed_package_vulnerability +       +       +ForeignKey (id) +       +       +commits +       +       +JSONField +       +       +created_at +       +       +DateTimeField +       +       +downloads +       +       +JSONField +       +       +is_reviewed +       +       +BooleanField +       +       +notes +       +       +TextField +       +       +patch +       +       +TextField +       +       +pulls +       +       +JSONField +       +       +references +       +       +JSONField +       +       +updated_at +       +       +DateTimeField +       + + + + +vulnerabilities_models_CodeFix->vulnerabilities_models_CodeChange + + + abstract +inheritance + + + +vulnerabilities_models_CodeFix->vulnerabilities_models_Package + + + base_package_version (codechanges) + + + +vulnerabilities_models_CodeFix->vulnerabilities_models_FixingPackageRelatedVulnerability + + + fixed_package_vulnerability (code_fix) + + + +vulnerabilities_models_CodeFix->vulnerabilities_models_AffectedByPackageRelatedVulnerability + + + affected_package_vulnerability (code_fix) + + + +vulnerabilities_models_CodeFixV2 + + +       +      CodeFixV2 +< +CodeChangeV2 +>       +       +id +       +       +AutoField +       +       +advisory +       +       +ForeignKey (id) +       +       +affected_package +       +       +ForeignKey (id) +       +       +base_package_version +       +       +ForeignKey (id) +       +       +fixed_package +       +       +ForeignKey (id) +       +       +commits +       +       +JSONField +       +       +created_at +       +       +DateTimeField +       +       +downloads +       +       +JSONField +       +       +is_reviewed +       +       +BooleanField +       +       +notes +       +       +TextField +       +       +patch +       +       +TextField +       +       +pulls +       +       +JSONField +       +       +references +       +       +JSONField +       +       +updated_at +       +       +DateTimeField +       + + + + +vulnerabilities_models_CodeFixV2->vulnerabilities_models_CodeChangeV2 + + + abstract +inheritance + + + +vulnerabilities_models_AdvisoryV2 + + +       +      AdvisoryV2       +       +id +       +       +AutoField +       +       +_all_impacts_unfurled_at +       +       +DateTimeField +       +       +_all_impacts_unfurled_successfully_at +       +       +DateTimeField +       +       +advisory_id +       +       +CharField +       +       +avid +       +       +CharField +       +       +datasource_id +       +       +CharField +       +       +date_collected +       +       +DateTimeField +       +       +date_published +       +       +DateTimeField +       +       +exploitability +       +       +DecimalField +       +       +is_latest +       +       +BooleanField +       +       +original_advisory_text +       +       +TextField +       +       +pipeline_id +       +       +CharField +       +       +precedence +       +       +IntegerField +       +       +risk_score +       +       +DecimalField +       +       +status +       +       +IntegerField +       +       +summary +       +       +TextField +       +       +unique_content_id +       +       +CharField +       +       +url +       +       +URLField +       +       +weighted_severity +       +       +DecimalField +       + + + + +vulnerabilities_models_CodeFixV2->vulnerabilities_models_AdvisoryV2 + + + advisory (code_fix_v2) + + + +vulnerabilities_models_CodeFixV2->vulnerabilities_models_PackageV2 + + + base_package_version (codechanges_v2) + + + +vulnerabilities_models_CodeFixV2->vulnerabilities_models_PackageV2 + + + affected_package (code_fix_v2_affected) + + + +vulnerabilities_models_CodeFixV2->vulnerabilities_models_PackageV2 + + + fixed_package (code_fix_v2_fixed) + + + +vulnerabilities_models_PipelineRun + + +       +      PipelineRun       +       +run_id +       +       +UUIDField +       +       +pipeline +       +       +ForeignKey (id) +       +       +created_date +       +       +DateTimeField +       +       +log +       +       +TextField +       +       +run_end_date +       +       +DateTimeField +       +       +run_exitcode +       +       +IntegerField +       +       +run_output +       +       +TextField +       +       +run_start_date +       +       +DateTimeField +       +       +vulnerablecode_commit +       +       +CharField +       +       +vulnerablecode_version +       +       +CharField +       + + + + +vulnerabilities_models_PipelineSchedule + + +       +      PipelineSchedule       +       +id +       +       +AutoField +       +       +created_date +       +       +DateTimeField +       +       +execution_timeout +       +       +PositiveSmallIntegerField +       +       +is_active +       +       +BooleanField +       +       +is_run_once +       +       +BooleanField +       +       +live_logging +       +       +BooleanField +       +       +pipeline_id +       +       +CharField +       +       +run_interval +       +       +IntegerField +       +       +run_priority +       +       +IntegerField +       +       +schedule_work_id +       +       +CharField +       + + + + +vulnerabilities_models_PipelineRun->vulnerabilities_models_PipelineSchedule + + + pipeline (pipelineruns) + + + +vulnerabilities_models_AdvisoryToDo + + +       +      AdvisoryToDo       +       +id +       +       +AutoField +       +       +created_at +       +       +DateTimeField +       +       +is_resolved +       +       +BooleanField +       +       +issue_detail +       +       +TextField +       +       +issue_type +       +       +CharField +       +       +related_advisories_id +       +       +CharField +       +       +resolution_detail +       +       +TextField +       +       +resolved_at +       +       +DateTimeField +       + + + + +vulnerabilities_models_AdvisoryToDoV2 + + +       +      AdvisoryToDoV2       +       +todo_id +       +       +UUIDField +       +       +advisories_count +       +       +IntegerField +       +       +alias +       +       +CharField +       +       +created_at +       +       +DateTimeField +       +       +is_resolved +       +       +BooleanField +       +       +is_todo_stale +       +       +BooleanField +       +       +issue_detail +       +       +JSONField +       +       +issue_type +       +       +CharField +       +       +oldest_advisory_date +       +       +DateTimeField +       +       +related_advisories_id +       +       +CharField +       +       +resolution_detail +       +       +TextField +       +       +resolved_at +       +       +DateTimeField +       + + + + +vulnerabilities_models_AdvisorySeverity + + +       +      AdvisorySeverity       +       +id +       +       +AutoField +       +       +published_at +       +       +DateTimeField +       +       +scoring_elements +       +       +CharField +       +       +scoring_system +       +       +CharField +       +       +url +       +       +URLField +       +       +value +       +       +CharField +       + + + + +vulnerabilities_models_AdvisoryWeakness + + +       +      AdvisoryWeakness       +       +id +       +       +AutoField +       +       +cwe_id +       +       +IntegerField +       + + + + +vulnerabilities_models_AdvisoryReference + + +       +      AdvisoryReference       +       +id +       +       +AutoField +       +       +archive_url +       +       +URLField +       +       +reference_id +       +       +CharField +       +       +reference_type +       +       +CharField +       +       +url +       +       +URLField +       + + + + +vulnerabilities_models_AdvisoryAlias + + +       +      AdvisoryAlias       +       +id +       +       +AutoField +       +       +alias +       +       +CharField +       + + + + +vulnerabilities_models_Patch + + +       +      Patch       +       +id +       +       +AutoField +       +       +patch_checksum +       +       +CharField +       +       +patch_text +       +       +TextField +       +       +patch_url +       +       +URLField +       + + + + +vulnerabilities_models_PackageCommitPatch + + +       +      PackageCommitPatch       +       +id +       +       +AutoField +       +       +commit_hash +       +       +CharField +       +       +patch_checksum +       +       +CharField +       +       +patch_text +       +       +TextField +       +       +vcs_url +       +       +URLField +       + + + + +vulnerabilities_models_AdvisorySet + + +       +      AdvisorySet       +       +id +       +       +AutoField +       +       +package +       +       +ForeignKey (id) +       +       +primary_advisory +       +       +ForeignKey (id) +       +       +created_at +       +       +DateTimeField +       +       +relation_type +       +       +CharField +       + + + + +vulnerabilities_models_AdvisorySet->vulnerabilities_models_AdvisoryAlias + + + + aliases (advisory_sets) + + + +vulnerabilities_models_AdvisorySet->vulnerabilities_models_AdvisoryV2 + + + primary_advisory (advisoryset) + + + +vulnerabilities_models_AdvisorySet->vulnerabilities_models_PackageV2 + + + package (advisoryset) + + + +vulnerabilities_models_AdvisorySetMember + + +       +      AdvisorySetMember       +       +id +       +       +AutoField +       +       +advisory +       +       +ForeignKey (id) +       +       +advisory_set +       +       +ForeignKey (id) +       +       +is_primary +       +       +BooleanField +       + + + + +vulnerabilities_models_AdvisorySetMember->vulnerabilities_models_AdvisorySet + + + advisory_set (members) + + + +vulnerabilities_models_AdvisorySetMember->vulnerabilities_models_AdvisoryV2 + + + advisory (advisorysetmember) + + + +vulnerabilities_models_AdvisoryV2->vulnerabilities_models_AdvisorySeverity + + + + severities (advisories) + + + +vulnerabilities_models_AdvisoryV2->vulnerabilities_models_AdvisoryWeakness + + + + weaknesses (advisories) + + + +vulnerabilities_models_AdvisoryV2->vulnerabilities_models_AdvisoryReference + + + + references (advisories) + + + +vulnerabilities_models_AdvisoryV2->vulnerabilities_models_AdvisoryAlias + + + + aliases (advisories) + + + +vulnerabilities_models_AdvisoryV2->vulnerabilities_models_Patch + + + + patches (advisories) + + + +vulnerabilities_models_AdvisoryV2->vulnerabilities_models_AdvisoryV2 + + + + related_advisory_severities (related_to_advisory_severities) + + + +vulnerabilities_models_ImpactedPackage + + +       +      ImpactedPackage       +       +id +       +       +AutoField +       +       +advisory +       +       +ForeignKey (id) +       +       +affecting_vers +       +       +TextField +       +       +base_purl +       +       +CharField +       +       +created_at +       +       +DateTimeField +       +       +fixed_vers +       +       +TextField +       +       +last_range_unfurl_at +       +       +DateTimeField +       +       +last_successful_range_unfurl_at +       +       +DateTimeField +       + + + + +vulnerabilities_models_ImpactedPackage->vulnerabilities_models_PackageCommitPatch + + + + introduced_by_package_commit_patches (introduced_in_impacts) + + + +vulnerabilities_models_ImpactedPackage->vulnerabilities_models_PackageCommitPatch + + + + fixed_by_package_commit_patches (fixed_in_impacts) + + + +vulnerabilities_models_ImpactedPackage->vulnerabilities_models_AdvisoryV2 + + + advisory (impacted_packages) + + + +vulnerabilities_models_ToDoRelatedAdvisory + + +       +      ToDoRelatedAdvisory       +       +id +       +       +AutoField +       +       +advisory +       +       +ForeignKey (id) +       +       +todo +       +       +ForeignKey (id) +       + + + + +vulnerabilities_models_ToDoRelatedAdvisory->vulnerabilities_models_Advisory + + + advisory (todorelatedadvisory) + + + +vulnerabilities_models_ToDoRelatedAdvisory->vulnerabilities_models_AdvisoryToDo + + + todo (todorelatedadvisory) + + + +vulnerabilities_models_ToDoRelatedAdvisoryV2 + + +       +      ToDoRelatedAdvisoryV2       +       +id +       +       +AutoField +       +       +advisory +       +       +ForeignKey (id) +       +       +todo +       +       +ForeignKey (todo_id) +       + + + + +vulnerabilities_models_ToDoRelatedAdvisoryV2->vulnerabilities_models_AdvisoryToDoV2 + + + todo (todorelatedadvisoryv2) + + + +vulnerabilities_models_ToDoRelatedAdvisoryV2->vulnerabilities_models_AdvisoryV2 + + + advisory (todorelatedadvisoryv2) + + + +vulnerabilities_models_PackageV2->packageurl_contrib_django_models_PackageURLMixin + + + abstract +inheritance + + + +vulnerabilities_models_ImpactedPackageAffecting + + +       +      ImpactedPackageAffecting       +       +id +       +       +AutoField +       +       +impacted_package +       +       +ForeignKey (id) +       +       +package +       +       +ForeignKey (id) +       +       +created_at +       +       +DateTimeField +       + + + + +vulnerabilities_models_ImpactedPackageAffecting->vulnerabilities_models_ImpactedPackage + + + impacted_package (impactedpackageaffecting) + + + +vulnerabilities_models_ImpactedPackageAffecting->vulnerabilities_models_PackageV2 + + + package (impactedpackageaffecting) + + + +vulnerabilities_models_ImpactedPackageFixedBy + + +       +      ImpactedPackageFixedBy       +       +id +       +       +AutoField +       +       +impacted_package +       +       +ForeignKey (id) +       +       +package +       +       +ForeignKey (id) +       +       +created_at +       +       +DateTimeField +       + + + + +vulnerabilities_models_ImpactedPackageFixedBy->vulnerabilities_models_ImpactedPackage + + + impacted_package (impactedpackagefixedby) + + + +vulnerabilities_models_ImpactedPackageFixedBy->vulnerabilities_models_PackageV2 + + + package (impactedpackagefixedby) + + + +vulnerabilities_models_AdvisoryExploit + + +       +      AdvisoryExploit       +       +id +       +       +AutoField +       +       +advisory +       +       +ForeignKey (id) +       +       +data_source +       +       +TextField +       +       +date_added +       +       +DateField +       +       +description +       +       +TextField +       +       +due_date +       +       +DateField +       +       +exploit_type +       +       +TextField +       +       +known_ransomware_campaign_use +       +       +BooleanField +       +       +notes +       +       +TextField +       +       +platform +       +       +TextField +       +       +record_id +       +       +CharField +       +       +required_action +       +       +TextField +       +       +source_date_published +       +       +DateField +       +       +source_date_updated +       +       +DateField +       +       +source_url +       +       +URLField +       + + + + +vulnerabilities_models_AdvisoryExploit->vulnerabilities_models_AdvisoryV2 + + + advisory (exploits) + + + +vulnerabilities_models_SSVC + + +       +      SSVC       +       +id +       +       +AutoField +       +       +source_advisory +       +       +ForeignKey (id) +       +       +decision +       +       +CharField +       +       +options +       +       +JSONField +       +       +vector +       +       +CharField +       + + + + +vulnerabilities_models_SSVC->vulnerabilities_models_AdvisoryV2 + + + source_advisory (source_ssvcs) + + + +vulnerabilities_models_SSVC->vulnerabilities_models_AdvisoryV2 + + + + related_advisories (related_ssvcs) + + + +vulnerabilities_models_AdvisoryPOC + + +       +      AdvisoryPOC       +       +id +       +       +AutoField +       +       +advisory +       +       +ForeignKey (id) +       +       +created_at +       +       +DateTimeField +       +       +is_confirmed +       +       +BooleanField +       +       +updated_at +       +       +DateTimeField +       +       +url +       +       +URLField +       + + + + +vulnerabilities_models_AdvisoryPOC->vulnerabilities_models_AdvisoryV2 + + + advisory (pocs) + + + +django_contrib_auth_models_AbstractUser + + +       +      AbstractUser +< +AbstractBaseUser,PermissionsMixin +>       +       +date_joined +       +       +DateTimeField +       +       +email +       +       +EmailField +       +       +first_name +       +       +CharField +       +       +is_active +       +       +BooleanField +       +       +is_staff +       +       +BooleanField +       +       +is_superuser +       +       +BooleanField +       +       +last_login +       +       +DateTimeField +       +       +last_name +       +       +CharField +       +       +password +       +       +CharField +       +       +username +       +       +CharField +       + + + + +django_contrib_auth_base_user_AbstractBaseUser + + +   +AbstractBaseUser +   + + + +django_contrib_auth_models_AbstractUser->django_contrib_auth_base_user_AbstractBaseUser + + + abstract +inheritance + + + +django_contrib_auth_models_PermissionsMixin + + +   +PermissionsMixin +   + + + +django_contrib_auth_models_AbstractUser->django_contrib_auth_models_PermissionsMixin + + + abstract +inheritance + + + +django_contrib_auth_models_Permission + + +       +      Permission       +       +id +       +       +AutoField +       +       +content_type +       +       +ForeignKey (id) +       +       +codename +       +       +CharField +       +       +name +       +       +CharField +       + + + + +django_contrib_contenttypes_models_ContentType + + +       +      ContentType       +       +id +       +       +AutoField +       +       +app_label +       +       +CharField +       +       +model +       +       +CharField +       + + + + +django_contrib_auth_models_Permission->django_contrib_contenttypes_models_ContentType + + + content_type (permission) + + + +django_contrib_auth_models_Group + + +       +      Group       +       +id +       +       +AutoField +       +       +name +       +       +CharField +       + + + + +django_contrib_auth_models_Group->django_contrib_auth_models_Permission + + + + permissions (group) + + + +django_contrib_auth_models_User->django_contrib_auth_models_AbstractUser + + + abstract +inheritance + + + +django_contrib_auth_models_User->django_contrib_auth_models_Permission + + + + user_permissions (user) + + + +django_contrib_auth_models_User->django_contrib_auth_models_Group + + + + groups (user) + + + +django_contrib_sessions_base_session_AbstractBaseSession + + +       +      AbstractBaseSession       +       +expire_date +       +       +DateTimeField +       +       +session_data +       +       +TextField +       + + + + +django_contrib_sessions_models_Session + + +       +      Session +< +AbstractBaseSession +>       +       +session_key +       +       +CharField +       +       +expire_date +       +       +DateTimeField +       +       +session_data +       +       +TextField +       + + + + +django_contrib_sessions_models_Session->django_contrib_sessions_base_session_AbstractBaseSession + + + abstract +inheritance + + + +django_contrib_admin_models_LogEntry + + +       +      LogEntry       +       +id +       +       +AutoField +       +       +content_type +       +       +ForeignKey (id) +       +       +user +       +       +ForeignKey (id) +       +       +action_flag +       +       +PositiveSmallIntegerField +       +       +action_time +       +       +DateTimeField +       +       +change_message +       +       +TextField +       +       +object_id +       +       +TextField +       +       +object_repr +       +       +CharField +       + + + + +django_contrib_admin_models_LogEntry->django_contrib_auth_models_User + + + user (logentry) + + + +django_contrib_admin_models_LogEntry->django_contrib_contenttypes_models_ContentType + + + content_type (logentry) + + + +rest_framework_authtoken_models_Token + + +       +      Token       +       +key +       +       +CharField +       +       +user +       +       +OneToOneField (id) +       +       +created +       +       +DateTimeField +       + + + + +rest_framework_authtoken_models_Token->django_contrib_auth_models_User + + user (auth_token) + + + +rest_framework_authtoken_models_TokenProxy + + +       +      TokenProxy       + + + + +rest_framework_authtoken_models_TokenProxy->rest_framework_authtoken_models_Token + + + proxy +inheritance + + + +django_rq_models_Queue + + +       +      Queue       +       +id +       +       +AutoField +       + + + + \ No newline at end of file diff --git a/docs/source/index.rst b/docs/source/index.rst index ae14b267f..0a308029a 100644 --- a/docs/source/index.rst +++ b/docs/source/index.rst @@ -30,7 +30,6 @@ command-line-interface importers_link PIPELINES-AVID - SOURCES .. toctree:: :hidden: @@ -47,10 +46,10 @@ VulnerableCode Documentation *VulnerableCode* provides a Web UI and API to access a database of known software package vulnerabilities with comprehensive information from upstream and downstream public -sources including packages affected by a vulnerability and packages that fix a +sources including packages affected by a vulnerability advisories and packages that fix a vulnerability. -There is a `public VulnerableCode database `_ +There is a `public vulnerableCode database `_ and the project also provides the tools to build your own instance of the database. Documentation overview @@ -100,7 +99,6 @@ Reference documentation for VulnerableCode features and customizations. - :ref:`command_line_interface` - :ref:`importers_link` - :ref:`pipelines_avid` -- :ref:`sources` .. rst-class:: column column2 bottom-right diff --git a/docs/source/introduction.rst b/docs/source/introduction.rst index 5143343a6..ca8d937fb 100644 --- a/docs/source/introduction.rst +++ b/docs/source/introduction.rst @@ -18,19 +18,17 @@ What can I do with VulnerableCode? **For security researchers and software developers, VulnerableCode offers a web UI and a JSON API to efficiently find if the FOSS packages and dependencies that -you use are affected by known vulnerabilities and to determine whether a later package version -fixes those vulnerabilities.** +you use are affected by known vulnerabilities advisories and to determine whether +a later package version fixes those vulnerabilities advisories.** -- With the web UI, you can search by package using Package URLs or search by - vulnerability, e.g., by CVE. From there you can navigate to the package - vulnerabilities and to the vulnerable packages. +- With the web UI, you can search by package using + Package URLs and navigate directly to advisory/AVID page - With the JSON API, you can perform package queries using Package URLs (`purl `__) or query - by vulnerability id ("VCID"). You can also query by CPEs and other vulnerability aliases. - The API provides paginated index and detail endpoints and includes indexes - of vulnerable CPEs and vulnerable Package URLs. + by advisory/AVID. + For comprehensive details, see the :ref:`api` section. You can install VulnerableCode locally or use the provided publicly hosted instance, or host your own installation. You can contact the VulnerableCode team diff --git a/docs/source/reference_framework_overview.rst b/docs/source/reference_framework_overview.rst index 1b2719172..92a8a524d 100644 --- a/docs/source/reference_framework_overview.rst +++ b/docs/source/reference_framework_overview.rst @@ -9,11 +9,11 @@ Framework Overview ┌──────────────────────┐ │ │ ┌─────────────────────┐ │ │ │ Database │ Has version ranges │ │ │ ├─────────────────────────────►│ in │ │ │ - │ │ │ Advisory │ As true as upstream │ │ + │ │ │ Advisory │ As true as upstream │ │ │ │ │ Model │ │ │ │ │ │ │ │ Frontend │ │ │ ├────────────┘ │ │ - │ Importers │ │ │ │ + │ Importers │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ @@ -25,39 +25,39 @@ Framework Overview │ │ │ │ │ │ - ┌───────────────────────┐ │ │ - │ │ │ │ - │ │◄──────────────────────────┘ ┌──────────────┐ │ - │ │ │Vulnerability │ │ - │ │ │ ID (auto) │ │ - │ Specific │ ├──────────────┤ │ - │ Improvers │ │ │ │ - │ │ │ Aliases │ │ - │ - BasicImproverer ├─────────────────────────────────────────►├──────────────┤ │ - │ │ │ ├─┘ - │ - TimeTravel │ │ Aff pkgs │ - │ │ ├──────────────┤ - │ - ... │ │ │ - │ │ │ Fixed pkgs │ - └───────────────────────┘ ├──────────────┤ - │ ... │ - └──────────────┘ - ▲ - │ - │ - │ - │ - │ - │ - │ - │ - │ - │ - │ - Independent to access any Advisory │ - ┌─────────────────────────┐ Generic to all data │ - │ │ │ - │ │ ───────────────────────────────────────────┘ + ┌──────────────────────────────────┐ │ │ + │ │ │ │ + │ │◄───────────────┘ ┌──────────────────────┐ + │ │ │ Package │ + │ │ │ │ + │ Specific │ ├──────────────────────┤ + │ Improvers │ │ purl │ + │ │ │ Package URL │ + │ - GroupAdvisoriesForPackages ├─────────────────────────────────────────►├──────────────────────┤ + │ - FlagGhostPackagePipeline │ │ Aff by advisories │ + │ - MarkUnfurlVersionRangePipeline │ │ │ + │ - ComputePackageRiskPipeline │ ├──────────────────────┤ + │ - ... │ │ │ + │ │ │ Fixed by advisories │ + └──────────────────────────────────┘ ├──────────────────────┤ + │ ... │ + └──────────────────────┘ + ▲ + │ + │ + │ + │ + │ + │ + │ + │ + │ + │ + │ + Independent to access any Advisory │ + ┌─────────────────────────┐ Generic to all data │ + │ │ │ + │ │ ───────────────────────────────────────────────────────┘ │ Generic Improvers │ │ │ │ - DefaultImprover │ diff --git a/docs/source/reference_importer_overview.rst b/docs/source/reference_importer_overview.rst index 104c7c6ec..04e56dd39 100644 --- a/docs/source/reference_importer_overview.rst +++ b/docs/source/reference_importer_overview.rst @@ -3,10 +3,10 @@ Importer Overview ================== -Importers are responsible for scraping vulnerability data such as vulnerabilities and their fixes +Importers are responsible for scraping advisories data such as advisories and their fixes and for storing the scraped information in a structured fashion. The structured data created by the importer then provides input to an improver (see :ref:`improver-overview`), which is responsible -for creating a relational model for vulnerabilities, affected packages and fixed packages. +for creating a relational model for advisories, affected packages and fixed packages. All importer implementation-related code is defined in :file:`vulnerabilites/importer.py`. diff --git a/docs/source/reference_improver_overview.rst b/docs/source/reference_improver_overview.rst index 4de0ff1c0..417f5d8a2 100644 --- a/docs/source/reference_improver_overview.rst +++ b/docs/source/reference_improver_overview.rst @@ -4,9 +4,9 @@ Improver Overview =================== Improvers improve upon already imported data. They are responsible for creating a relational -model for vulnerabilites and packages. +model for vulnerability advisories and packages. -An Improver is intended to contain data points about a vulnerability and the relevant discrete +An Improver is intended to contain data points about a advisory and the relevant discrete affected and fixed packages (in the form of `PackageURLs `_). There is no notion of version ranges here; all package versions must be explicitly specified. diff --git a/docs/source/reference_model_overview.rst b/docs/source/reference_model_overview.rst index 715b9958c..572f766a8 100644 --- a/docs/source/reference_model_overview.rst +++ b/docs/source/reference_model_overview.rst @@ -3,23 +3,9 @@ Model Overview ================= -This is a set of Graphviz-based graph diagrams of the application and admin models as of 2023-11-27: +This is a set of Graphviz-based graph diagrams of the application and admin models as of 2026-7-10: -Application ------------ - -.. figure:: images/vcio-db-application-2023-11-27-01.png - :alt: alternate text +.. figure:: images/vcio-model.svg + :alt: application and Admin model diagrams :width: 100% - :class: with-shadow - -.. rst-class:: clear-both - - -Admin ------ - -.. figure:: images/vcio-db-admin-2023-11-27-01.png - :alt: alternate text - :width: 70% - :class: with-shadow + :class: with-shadow clear-both diff --git a/docs/source/user-interface.rst b/docs/source/user-interface.rst index b907ecfd5..818fc9e5b 100644 --- a/docs/source/user-interface.rst +++ b/docs/source/user-interface.rst @@ -15,12 +15,12 @@ package URL or purl prefix fragment such as The search by packages is available at the following URL: - `https://public.vulnerablecode.io/packages/search/ `_ + `https://public.vulnerablecode.io `_ How to search by packages: - 1. Go to the URL: `https://public.vulnerablecode.io/packages/search/ `_ - 2. Enter the package URL or purl prefix fragment such as ``pkg:pypi`` + 1. Go to the URL: `https://public.vulnerablecode.io/ `_ + 2. Enter the package URL or purl prefix fragment such as ``pkg:pypi/aubio`` or by package name in the search box. 3. Click on the search button. @@ -35,39 +35,12 @@ Click on the package URL to view the package details. .. _vuln-search: -Search by vulnerabilities ---------------------------- +Navigate to Advisories +----------------------- -The search by vulnerabilities is a very powerful feature of -VulnerableCode. It allows you to search for vulnerabilities by the -VCID itself. It also allows you to search for -vulnerabilities by the CVE, GHSA, CPEs etc or by the -fragment of these identifiers like ``CVE-2021``. +You can directly navigate to an advisory page by specifying the importer name (for example, nvd) +and the advisory identifier (for example, CVE-2026-23918). `https://public.vulnerablecode.io/advisories/advisory_name/AVID` -The search by vulnerabilities is available at the following URL: - - `https://public.vulnerablecode.io/vulnerabilities/search/ `_ - -How to search by vulnerabilities: - - 1. Go to the URL: `https://public.vulnerablecode.io/vulnerabilities/search/ `_ - 2. Enter the VCID, CVE, GHSA, CPEs etc. in the search box. - 3. Click on the search button. - -The search results will be displayed in the table below the search box. - - .. image:: images/vuln_search.png - -Click on the VCID to view the vulnerability details. - - .. image:: images/vuln_details.png - -Affected packages tab shows the list of packages affected by the -vulnerability. - - .. image:: images/vuln_affected_packages.png - -Fixed by packages tab shows the list of packages that fix the -vulnerability. - - .. image:: images/vuln_fixed_packages.png +For example: + - `https://public.vulnerablecode.io/advisories/github_osv/GHSA-6xcx-gx7r-rccj `_ + - `https://public.vulnerablecode.io/advisories/nvd/CVE-2026-23918 `_