vulns

package module
v0.1.1
Published: Feb 6, 2026 License: MIT Imports: 9 Imported by: 0

README

vulns

Go library for fetching vulnerability data from multiple sources using Package URLs (PURLs) as the primary identifier.

Installation

go get github.com/git-pkgs/vulns

Usage

Query vulnerabilities for a package:

package main

import (
    "context"
    "fmt"
    "log"

    "github.com/git-pkgs/purl"
    "github.com/git-pkgs/vulns"
    "github.com/git-pkgs/vulns/osv"
)

func main() {
    ctx := context.Background()
    source := osv.New()

    p := purl.MakePURL("npm", "lodash", "4.17.20")

    results, err := source.Query(ctx, p)
    if err != nil {
        log.Fatal(err)
    }

    for _, v := range results {
        fmt.Printf("%s: %s (severity: %s)\n", v.ID, v.Summary, v.SeverityLevel())
        if fixed := v.FixedVersion("npm", "lodash"); fixed != "" {
            fmt.Printf("  Fixed in: %s\n", fixed)
        }
    }
}

Sources

OSV (Open Source Vulnerabilities)

Free, public API from Google. No authentication required. Supports batch queries up to 1000 packages.

import "github.com/git-pkgs/vulns/osv"

source := osv.New()

// Batch query
results, err := source.QueryBatch(ctx, []*purl.PURL{p1, p2, p3})

deps.dev

Free API from Google with no authentication. Covers npm, PyPI, Go, Maven, Cargo, NuGet, RubyGems. Supports batch queries up to 5000 packages.

import "github.com/git-pkgs/vulns/depsdev"

source := depsdev.New()

GitHub Security Advisories (GHSA)

Free public API. Authentication is optional but recommended: authenticated requests get a higher rate limit.

import "github.com/git-pkgs/vulns/ghsa"

source := ghsa.New()

// Or, with authentication for higher rate limits. Read the token from the
// environment or a secrets manager rather than hard-coding it in source
// (GITHUB_TOKEN is just an example variable name):
source := ghsa.New(ghsa.WithToken(os.Getenv("GITHUB_TOKEN")))

NVD (National Vulnerability Database)

NIST's CVE database. Free but rate-limited. API key recommended.

  • Without key: 5 requests per 30 seconds
  • With key: 50 requests per 30 seconds

import "github.com/git-pkgs/vulns/nvd"

source := nvd.New()

// With API key for higher rate limits (read it from the environment rather
// than hard-coding it; NVD_API_KEY is an example variable name):
source := nvd.New(nvd.WithAPIKey(os.Getenv("NVD_API_KEY")))

Note: NVD identifies products by CVE/CPE rather than by package, so PURL-to-package matching is approximate and can both over-match (a CPE that covers an unrelated product with the same name) and miss. Treat an NVD-only hit as a lead to verify, for example by checking whether another source returns the same CVE among its Aliases, rather than as a confirmed finding.

Grype Database

Local SQLite database from Anchore, updated every few hours at grype.anchore.io. No network requests are made after the initial download, which also means the data only moves when you re-download: schedule a refresh, because a stale local database silently misses newly published advisories.

import "github.com/git-pkgs/vulns/grypedb"

// Auto-download if missing
source, err := grypedb.New("/path/to/cache", grypedb.WithAutoDownload())
if err != nil {
    log.Fatal(err)
}
defer source.Close()

// Or download manually (check the error from each step)
dbPath, err := grypedb.Download(ctx, "/path/to/cache")
if err != nil {
    log.Fatal(err)
}
source, err := grypedb.New(dbPath)

VulnCheck

Commercial API with native PURL support. Requires authentication.

import "github.com/git-pkgs/vulns/vulncheck"

// Token from the environment, not hard-coded (VULNCHECK_TOKEN is an example name)
source := vulncheck.New(vulncheck.WithToken(os.Getenv("VULNCHECK_TOKEN")))

Vulnerability-Lookup

Free, public API from vulnerability-lookup.org. Queries by vendor/product, so PURL mapping may be approximate.

import "github.com/git-pkgs/vulns/vl"

source := vl.New()

Data Model

All sources return vulnerabilities in OSV format (abbreviated here; the full type is documented below):

type Vulnerability struct {
    ID        string
    Summary   string
    Details   string
    Aliases   []string     // Other IDs (CVE, GHSA, etc.)
    Published time.Time
    Modified  time.Time
    Severity  []Severity
    Affected  []Affected
    References []Reference
}

Working with CVSS

The library includes a CVSS parser supporting v2.0, v3.0, v3.1, and v4.0:

// Get severity level
level := vuln.SeverityLevel() // "critical", "high", "medium", "low", "unknown"

// Get numeric score
score := vuln.CVSSScore() // 0.0-10.0, or -1 if unavailable

// Get full CVSS details
cvss := vuln.CVSS()
if cvss != nil {
    fmt.Printf("CVSS %s: %.1f (%s)\n", cvss.Version, cvss.Score, cvss.Level)
}

// Parse a CVSS vector directly (a v3.1 vector here; v2.0, v3.0 and v4.0 vectors are accepted too)
parsed, err := vulns.ParseCVSS("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N")
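What a call like ParseCVSS has to do for a v3.x vector, shown as an added example that is not the library's code: split the vector, reject anything that is not v3.0/v3.1, apply the base-score equations with the official Roundup, and map the score onto the qualitative scale. It uses only the standard library and its function names are this example's own. The vector from the snippet above scores 7.5 (High). Recomputing the score from the vector is also how you notice when a source's published score disagrees with the vector it ships.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Base-metric weights from the CVSS v3.1 specification (unchanged from v3.0).
var (
	avW  = map[string]float64{"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
	acW  = map[string]float64{"L": 0.77, "H": 0.44}
	prUW = map[string]float64{"N": 0.85, "L": 0.62, "H": 0.27} // PR, scope unchanged
	prCW = map[string]float64{"N": 0.85, "L": 0.68, "H": 0.5}  // PR, scope changed
	uiW  = map[string]float64{"N": 0.85, "R": 0.62}
	ciaW = map[string]float64{"H": 0.56, "L": 0.22, "N": 0}
)

// parseCVSS3 splits a CVSS v3.0/v3.1 vector into metric->value; temporal and
// environmental metrics are kept in the map but not scored.
func parseCVSS3(vector string) (map[string]string, error) {
	parts := strings.Split(vector, "/")
	if parts[0] != "CVSS:3.0" && parts[0] != "CVSS:3.1" {
		return nil, fmt.Errorf("not a CVSS v3.x vector: %q", vector)
	}
	m := map[string]string{}
	for _, p := range parts[1:] {
		kv := strings.SplitN(p, ":", 2)
		if len(kv) != 2 || kv[1] == "" || m[kv[0]] != "" {
			return nil, fmt.Errorf("malformed or duplicate metric %q", p)
		}
		m[kv[0]] = kv[1]
	}
	return m, nil
}

// roundUp is the v3.1 Roundup: integer arithmetic avoids the float artefacts
// of v3.0's naive ceil(x*10)/10.
func roundUp(x float64) float64 {
	i := int(math.Round(x * 100000))
	if i%10000 == 0 {
		return float64(i) / 100000
	}
	return (math.Floor(float64(i)/10000) + 1) / 10
}

// baseScore applies the v3.x base-score equations; a missing or unknown metric
// value is an error rather than a silently low score.
func baseScore(m map[string]string) (float64, error) {
	if m["S"] != "U" && m["S"] != "C" {
		return 0, fmt.Errorf("invalid S value %q", m["S"])
	}
	changed := m["S"] == "C"
	prW := prUW
	if changed {
		prW = prCW // privileges weigh more once scope changes
	}
	tables := []map[string]float64{avW, acW, prW, uiW, ciaW, ciaW, ciaW}
	names := []string{"AV", "AC", "PR", "UI", "C", "I", "A"}
	w := make([]float64, len(names))
	for n, name := range names {
		v, ok := tables[n][m[name]]
		if !ok {
			return 0, fmt.Errorf("invalid %s value %q", name, m[name])
		}
		w[n] = v
	}
	iss := 1 - (1-w[4])*(1-w[5])*(1-w[6]) // impact sub-score
	impact := 6.42 * iss
	if changed {
		impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
	}
	if impact <= 0 {
		return 0, nil // no impact means base score 0 whatever the exploitability
	}
	exploitability := 8.22 * w[0] * w[1] * w[2] * w[3]
	if changed {
		return roundUp(math.Min(1.08*(impact+exploitability), 10)), nil
	}
	return roundUp(math.Min(impact+exploitability, 10)), nil
}

// severityLevel is the CVSS qualitative scale; the page's SeverityLevel() has
// its own normalisation (for example "unknown" when there is no CVSS data).
func severityLevel(score float64) string {
	bands := []struct {
		max  float64
		name string
	}{{0, "none"}, {3.9, "low"}, {6.9, "medium"}, {8.9, "high"}}
	for _, b := range bands {
		if score <= b.max {
			return b.name
		}
	}
	return "critical"
}

func main() {
	m, _ := parseCVSS3("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N")
	s, _ := baseScore(m)
	fmt.Printf("%.1f %s\n", s, severityLevel(s)) // 7.5 high
}
```

The scope-changed branch matters in practice: the same confidentiality/integrity/availability values produce a higher score when S:C, which is why two advisories for "the same kind of bug" can land on different sides of a high/critical policy threshold.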

Version Matching

Check if a specific version is affected:

if vuln.IsVersionAffected("npm", "lodash", "4.17.20") {
    fmt.Println("Version is vulnerable")
}

if fixed := vuln.FixedVersion("npm", "lodash"); fixed != "" {
    fmt.Printf("Upgrade to %s\n", fixed)
}

Source Interface

All sources implement the same interface:

type Source interface {
    Name() string
    Query(ctx context.Context, p *purl.PURL) ([]Vulnerability, error)
    QueryBatch(ctx context.Context, purls []*purl.PURL) ([][]Vulnerability, error)
    Get(ctx context.Context, id string) (*Vulnerability, error)
}
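Because every source satisfies the same interface, a scanner can fan one PURL out to several sources and merge what comes back. Doing that well needs alias handling: the same bug arrives as a GHSA ID from GitHub, a CVE from NVD and a third ID from OSV, each record listing only some of the others in Aliases. The following is an added example, not code from the library: a union-find over identifiers that groups such records together. It uses a local copy of just the ID and Aliases fields so it builds without the module, the findings and identifiers are constructed placeholders (not real advisories), and the source names follow the "osv"/"nvd" style the Name() doc suggests.

```go
package main

import (
	"fmt"
	"sort"
)

// Vulnerability is a local, trimmed copy of the ID and Aliases fields of the
// OSV-format struct on this page, so the example compiles without the module.
type Vulnerability struct {
	ID      string
	Aliases []string
}

// finding is one record as returned by one named source.
type finding struct {
	Source string
	Vuln   Vulnerability
}

// merged is one underlying vulnerability, seen under possibly several IDs.
type merged struct {
	IDs     []string // every identifier in the group, sorted
	Sources []string // every source that reported it, sorted
}

// mergeByAlias groups findings whose ID or Aliases overlap, using union-find
// over identifiers. A GHSA record aliased to a CVE, an OSV record aliased to
// both, and a bare NVD record for the CVE collapse into one group even though
// no single record lists all of the IDs.
func mergeByAlias(findings []finding) []merged {
	parent := map[string]string{}
	var find func(string) string
	find = func(x string) string {
		p, ok := parent[x]
		if !ok || p == x {
			parent[x] = x
			return x
		}
		root := find(p) // path compression keeps later lookups short
		parent[x] = root
		return root
	}
	union := func(a, b string) {
		if ra, rb := find(a), find(b); ra != rb {
			parent[ra] = rb
		}
	}

	// Pass 1: connect every record's ID with each of its aliases.
	for _, f := range findings {
		find(f.Vuln.ID)
		for _, alias := range f.Vuln.Aliases {
			union(f.Vuln.ID, alias)
		}
	}

	// Pass 2: bucket IDs and sources by their final root.
	ids := map[string]map[string]bool{}
	srcs := map[string]map[string]bool{}
	add := func(m map[string]map[string]bool, root, v string) {
		if m[root] == nil {
			m[root] = map[string]bool{}
		}
		m[root][v] = true
	}
	for _, f := range findings {
		root := find(f.Vuln.ID)
		add(ids, root, f.Vuln.ID)
		for _, alias := range f.Vuln.Aliases {
			add(ids, root, alias)
		}
		add(srcs, root, f.Source)
	}

	var out []merged
	for root, idSet := range ids {
		out = append(out, merged{IDs: sortedKeys(idSet), Sources: sortedKeys(srcs[root])})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IDs[0] < out[j].IDs[0] })
	return out
}

func sortedKeys(m map[string]bool) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// sampleFindings is constructed input with placeholder identifiers (not real
// advisories), standing in for the per-source results of one PURL query.
func sampleFindings() []finding {
	return []finding{
		{"osv", Vulnerability{ID: "EXAMPLE-0001", Aliases: []string{"CVE-0000-00001", "GHSA-xxxx-xxxx-xxx1"}}},
		{"ghsa", Vulnerability{ID: "GHSA-xxxx-xxxx-xxx1", Aliases: []string{"CVE-0000-00001"}}},
		{"nvd", Vulnerability{ID: "CVE-0000-00001"}},
		{"ghsa", Vulnerability{ID: "GHSA-yyyy-yyyy-yyy2", Aliases: []string{"CVE-0000-00002"}}},
		{"nvd", Vulnerability{ID: "CVE-0000-00003"}}, // NVD-only: nothing corroborates it
	}
}

func main() {
	for _, g := range mergeByAlias(sampleFindings()) {
		fmt.Printf("%v reported by %v\n", g.IDs, g.Sources)
	}
}
```

The group that only one source reports is the one to scrutinise. Given the approximate CPE matching noted for NVD above, an NVD-only finding with no OSV or GHSA corroboration deserves a manual look before it is allowed to fail a build, while a finding three sources agree on can be trusted to the extent their data is trusted.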

Supported Ecosystems

Ecosystem   OSV   deps.dev   GHSA   NVD   Grype   VulnCheck   vl
npm         yes   yes        yes    yes   yes     yes         yes
PyPI        yes   yes        yes    yes   yes     yes         yes
RubyGems    yes   yes        yes    yes   yes     yes         yes
crates.io   yes   yes        yes    yes   yes     yes         yes
Go          yes   yes        yes    yes   yes     yes         yes
Maven       yes   yes        yes    yes   yes     yes         yes
NuGet       yes   yes        yes    yes   yes     yes         yes
Packagist   yes   -          yes    yes   yes     yes         yes
Hex         yes   -          yes    -     yes     yes         -
Pub         yes   -          yes    -     yes     yes         -

License

MIT

Documentation

Overview

Package vulns provides a unified interface for querying vulnerability data from various sources. It uses PURL (Package URL) as the primary identifier and OSV (Open Source Vulnerabilities) format as the canonical data model.

Functions

func AffectedVersionRange

func AffectedVersionRange(affected Affected) string

AffectedVersionRange returns a vers (version range specifier) string representing the affected versions. Events are processed sequentially, emitting one constraint for each introduced/fixed or introduced/lastAffected pair.
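The Version Matching calls in the README (IsVersionAffected, FixedVersion) and AffectedVersionRange all rest on the same walk over OSV events. As an added example, not the library's implementation, the following performs that walk with the standard library only: each introduced/fixed pair becomes a half-open span, each introduced/last_affected pair a closed span, and a version is affected if it falls inside any span. Event and Range are local copies of the page's types, the version comparator is a deliberately simplified numeric one (real ecosystems need their own rules, which is why the library takes an ecosystem argument), and the two-span range in main is constructed, not a real advisory. fixFor deliberately differs from FixedVersion: it returns the fix that closes the span the queried version sits in, which is the actual upgrade target when a bug was reintroduced in a later release.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Event and Range are local copies of the OSV shapes on this page; the module itself is not imported.
type Event struct{ Introduced, Fixed, LastAffected string }
type Range struct{ Events []Event }

// interval is one affected span: [Lo, Hi) if closed by "fixed", [Lo, Hi] if by "last_affected", open-ended while Hi == "".
type interval struct {
	Lo, Hi    string
	Inclusive bool
}

// intervals walks the events in order: "introduced" opens a span and the next
// "fixed" or "last_affected" closes it, the pairing AffectedVersionRange describes.
func intervals(r Range) []interval {
	var out []interval
	for _, e := range r.Events {
		open := len(out) > 0 && out[len(out)-1].Hi == ""
		switch {
		case e.Introduced != "":
			out = append(out, interval{Lo: e.Introduced})
		case e.Fixed != "" && open:
			out[len(out)-1].Hi = e.Fixed
		case e.LastAffected != "" && open:
			out[len(out)-1].Hi, out[len(out)-1].Inclusive = e.LastAffected, true
		}
	}
	return out
}

// compareVersions orders dotted versions component-wise (missing components
// count as 0, non-numeric ones compare as strings). Deliberately simplified:
// npm, PyPI, Maven and others each have their own rules.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for len(as) < len(bs) {
		as = append(as, "0")
	}
	for len(bs) < len(as) {
		bs = append(bs, "0")
	}
	for i := range as {
		x, y := as[i], bs[i]
		if xi, xe := strconv.Atoi(x); xe == nil {
			if yi, ye := strconv.Atoi(y); ye == nil {
				x, y = fmt.Sprintf("%020d", xi), fmt.Sprintf("%020d", yi) // zero-pad so string order equals numeric order
			}
		}
		if c := strings.Compare(x, y); c != 0 {
			return c
		}
	}
	return 0
}

// spanFor returns the span containing version, if any. OSV's "0" lower bound
// means "from the very first release".
func spanFor(r Range, version string) (interval, bool) {
	for _, iv := range intervals(r) {
		if iv.Lo != "0" && compareVersions(version, iv.Lo) < 0 {
			continue
		}
		if iv.Hi == "" {
			return iv, true
		}
		if c := compareVersions(version, iv.Hi); c < 0 || (iv.Inclusive && c == 0) {
			return iv, true
		}
	}
	return interval{}, false
}

func isVersionAffected(r Range, version string) bool {
	_, ok := spanFor(r, version)
	return ok
}

// fixFor returns the fix that closes the span containing version, i.e. the
// upgrade target; the first fix listed in a range may predate the version you run.
func fixFor(r Range, version string) string {
	if iv, ok := spanFor(r, version); ok && !iv.Inclusive {
		return iv.Hi
	}
	return ""
}

func main() {
	// Constructed range, not a real advisory: vulnerable before 4.17.12, reintroduced in 4.17.15, fixed in 4.17.21.
	r := Range{Events: []Event{{Introduced: "0"}, {Fixed: "4.17.12"}, {Introduced: "4.17.15"}, {Fixed: "4.17.21"}}}
	for _, v := range []string{"1.0.0", "4.17.13", "4.17.20", "4.17.21"} {
		fmt.Printf("%-8s affected=%-5v upgrade-to=%q\n", v, isVersionAffected(r, v), fixFor(r, v))
	}
}
```

With the constructed range, 4.17.20 is affected and its upgrade target is 4.17.21, whereas a naive "first fixed version" answer of 4.17.12 would point at a release older than the one already running.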

Types

type Affected

type Affected struct {
	Package           Package        `json:"package"`
	Ranges            []Range        `json:"ranges,omitempty"`
	Versions          []string       `json:"versions,omitempty"`
	EcosystemSpecific map[string]any `json:"ecosystem_specific,omitempty"`
	DatabaseSpecific  map[string]any `json:"database_specific,omitempty"`
}

Affected describes which package versions are affected.

type CVSS

type CVSS struct {
	Version string
	Vector  string
	Score   float64
	Level   string
}

CVSS holds parsed CVSS information.

func CVSSFromSeverity

func CVSSFromSeverity(sev Severity) (*CVSS, error)

CVSSFromSeverity extracts and parses CVSS information from a Severity entry.

func ParseCVSS

func ParseCVSS(vector string) (*CVSS, error)

ParseCVSS parses a CVSS vector string and returns structured CVSS information. Supports CVSS v2.0, v3.0, v3.1, and v4.0 vectors.

type Credit

type Credit struct {
	Name    string   `json:"name"`
	Contact []string `json:"contact,omitempty"`
	Type    string   `json:"type,omitempty"`
}

Credit gives credit to vulnerability reporters/fixers.

type Event

type Event struct {
	Introduced   string `json:"introduced,omitempty"`
	Fixed        string `json:"fixed,omitempty"`
	LastAffected string `json:"last_affected,omitempty"`
	Limit        string `json:"limit,omitempty"`
}

Event is a version event (introduced, fixed, etc).

type Package

type Package struct {
	Ecosystem string `json:"ecosystem"`
	Name      string `json:"name"`
	PURL      string `json:"purl,omitempty"`
}

Package identifies a package.

type Range

type Range struct {
	Type   string  `json:"type"`
	Events []Event `json:"events,omitempty"`
}

Range describes a version range.

type Reference

type Reference struct {
	Type string `json:"type"`
	URL  string `json:"url"`
}

Reference is a link to more information about a vulnerability.

type Severity

type Severity struct {
	Type  string `json:"type"`
	Score string `json:"score"`
}

Severity describes the severity of a vulnerability.

type Source

type Source interface {
	// Name returns the name of this source (e.g., "osv", "nvd").
	Name() string

	// Query returns vulnerabilities affecting the package identified by the PURL.
	// If the PURL includes a version, only vulnerabilities affecting that version
	// are returned. If no version is specified, all known vulnerabilities for the
	// package are returned.
	Query(ctx context.Context, p *purl.PURL) ([]Vulnerability, error)

	// QueryBatch queries multiple packages at once. Returns a slice of results
	// in the same order as the input PURLs.
	QueryBatch(ctx context.Context, purls []*purl.PURL) ([][]Vulnerability, error)

	// Get fetches a specific vulnerability by its ID.
	Get(ctx context.Context, id string) (*Vulnerability, error)
}

Source represents a vulnerability data source.

type Vulnerability

type Vulnerability struct {
	ID               string         `json:"id"`
	Summary          string         `json:"summary,omitempty"`
	Details          string         `json:"details,omitempty"`
	Aliases          []string       `json:"aliases,omitempty"`
	Modified         time.Time      `json:"modified"`
	Published        time.Time      `json:"published"`
	Withdrawn        *time.Time     `json:"withdrawn,omitempty"`
	References       []Reference    `json:"references,omitempty"`
	Affected         []Affected     `json:"affected,omitempty"`
	Severity         []Severity     `json:"severity,omitempty"`
	Credits          []Credit       `json:"credits,omitempty"`
	DatabaseSpecific map[string]any `json:"database_specific,omitempty"`
}

Vulnerability represents a security vulnerability in OSV format. This is the canonical format used across all sources.

func (*Vulnerability) CVSS

func (v *Vulnerability) CVSS() *CVSS

CVSS returns parsed CVSS information from the vulnerability's severity data. Returns nil if no CVSS information is available.

func (*Vulnerability) CVSSScore

func (v *Vulnerability) CVSSScore() float64

CVSSScore returns the highest CVSS score if available, or -1 if not.

func (*Vulnerability) FixedVersion

func (v *Vulnerability) FixedVersion(ecosystem, name string) string

FixedVersion returns the first fixed version for the given package, if available.

func (*Vulnerability) IsVersionAffected

func (v *Vulnerability) IsVersionAffected(ecosystem, name, version string) bool

IsVersionAffected checks if a specific version of a package is affected.

func (*Vulnerability) SeverityLevel

func (v *Vulnerability) SeverityLevel() string

SeverityLevel returns a normalized severity level (critical, high, medium, low, unknown).

Directories

Path       Synopsis
depsdev    Package depsdev provides a vulnerability source backed by Google's deps.dev API.
ghsa       Package ghsa provides a vulnerability source backed by the GitHub Security Advisory API.
grypedb    Package grypedb provides a vulnerability source backed by the Grype vulnerability database.
nvd        Package nvd provides a vulnerability source backed by the NIST NVD API.
osv        Package osv provides a vulnerability source backed by the OSV API.
vl         Package vl provides a vulnerability source backed by vulnerability-lookup.org (CIRCL).
vulncheck  Package vulncheck provides a vulnerability source backed by the VulnCheck API.
