Welcome to the Vulnerability Data Tools project! We're building an open source ecosystem for enriching and maintaining high-quality vulnerability data.
The security community relies on accurate vulnerability data to protect systems and users. This project provides tools and workflows to help maintain and improve that data, especially when upstream sources like NVD have gaps or inaccuracies.
The project consists of three main repositories that work together:
- vulnerability-data-tools (this repo): The core tools and scripts for processing vulnerability data
- vulnerability-data: The primary vulnerability data repository in a format that can generate multiple output formats
- nvd-data-overrides: Generated NVD-compatible data that enriches upstream vulnerability information
Want to help improve vulnerability data? Here's how to begin:
- Check out our contribution guide for detailed technical instructions
- Join our Anchore Community Discourse to connect with the community
- Browse current issues to find ways to help
We welcome contributors of all skill levels! Whether you're reporting issues, improving documentation, or adding new features, your help makes this project better.
Feel free to:
- Join discussions in our Anchore Community Discourse
- Open issues for bugs or suggestions
- Submit pull requests with improvements
- Help review pull requests
Software like Grype uses NVD data to identify vulnerabilities in artifacts not covered by other data sources. When NVD data has gaps or inaccuracies, we need a way to maintain and share corrections. Creating an open source project helps the whole community benefit from these improvements.
We'll continue maintaining this project even if NVD or similar services improve. Different vulnerability databases support different ecosystems, so having tools to enrich and cross-reference vulnerability data remains valuable. We see this project as complementary to existing vulnerability databases, helping to fill gaps and add value where needed.
The project currently uses CPEs to maintain compatibility with tools that expect NVD-format data. However, our underlying data format is designed to support multiple output formats, including PURL-based formats like OSV. The goal is to be flexible while maintaining compatibility with existing tools.
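To make the "one source record, several output formats" idea concrete, here is an added example (it is not code from this project, and the `SourceRecord` schema, package names and CVE placeholder are all constructed for the illustration). It renders a single affected-version range as an NVD-style configuration node keyed by a CPE 2.3 string and as an OSV-style `affected` entry keyed by a package URL, showing the escaping and naming rules that differ between the two identifier schemes.

```python
"""Added example, not project code: render one vulnerability record as both
an NVD-style CPE configuration and an OSV-style affected entry.

The SourceRecord shape, the sample package and the CVE placeholder are
constructed for this example; the real vulnerability-data schema may differ.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote


@dataclass
class SourceRecord:
    """Hypothetical internal record: one affected product and version range."""
    cve_id: str
    purl_type: str            # package URL type, e.g. "npm", "maven", "pypi"
    namespace: Optional[str]  # npm scope, Maven groupId, ... (None if absent)
    name: str
    cpe_vendor: str
    cpe_product: str
    introduced: str           # first affected version (inclusive)
    fixed: str                # first fixed version (exclusive)


def cpe_escape(value: str) -> str:
    """Escape one CPE 2.3 formatted-string component.

    In the formatted-string binding (NIST IR 7695), ASCII alphanumerics and
    '-', '.', '_' are unreserved; every other printable character, notably
    ':' and '\\', is quoted with a backslash. Spaces are written as '_'.
    """
    out = []
    for ch in value.replace(" ", "_"):
        if (ch.isascii() and ch.isalnum()) or ch in "-._":
            out.append(ch)
        else:
            out.append("\\" + ch)
    return "".join(out)


def to_cpe23(vendor: str, product: str, version: str = "*") -> str:
    """Build a 13-field CPE 2.3 string for an application (part 'a')."""
    fields = ["cpe", "2.3", "a", cpe_escape(vendor), cpe_escape(product),
              version if version == "*" else cpe_escape(version)]
    # update, edition, language, sw_edition, target_sw, target_hw, other
    fields += ["*"] * 7
    return ":".join(fields)


def to_purl(ptype: str, namespace: Optional[str], name: str) -> str:
    """Build a package URL; namespace and name are percent-encoded per the
    PURL spec, so an npm scope '@acme' becomes '%40acme'."""
    ns = f"{quote(namespace, safe='')}/" if namespace else ""
    return f"pkg:{ptype}/{ns}{quote(name, safe='')}"


def to_nvd_configuration(rec: SourceRecord) -> dict:
    """NVD API 2.0 style configuration node carrying the version range."""
    return {
        "nodes": [{
            "operator": "OR",
            "negate": False,
            "cpeMatch": [{
                "vulnerable": True,
                "criteria": to_cpe23(rec.cpe_vendor, rec.cpe_product),
                "versionStartIncluding": rec.introduced,
                "versionEndExcluding": rec.fixed,
            }],
        }]
    }


# PURL type -> OSV ecosystem label (subset, constructed for the example)
OSV_ECOSYSTEM = {"npm": "npm", "maven": "Maven", "pypi": "PyPI", "golang": "Go"}


def to_osv_affected(rec: SourceRecord) -> dict:
    """OSV 'affected' entry for the same record, keyed by PURL.

    OSV names differ per ecosystem: Maven uses 'group:artifact', while npm
    and Go join namespace and name with '/'.
    """
    purl = to_purl(rec.purl_type, rec.namespace, rec.name)
    sep = ":" if rec.purl_type == "maven" else "/"
    osv_name = f"{rec.namespace}{sep}{rec.name}" if rec.namespace else rec.name
    return {
        "package": {"ecosystem": OSV_ECOSYSTEM[rec.purl_type],
                    "name": osv_name, "purl": purl},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": rec.introduced},
                               {"fixed": rec.fixed}]}],
    }


# Constructed sample record; the CVE id is a placeholder, not a real advisory.
SAMPLE = SourceRecord(
    cve_id="CVE-YYYY-NNNNN",
    purl_type="npm", namespace="@acme", name="widget-core",
    cpe_vendor="acme", cpe_product="widget core",
    introduced="1.2.0", fixed="1.4.1",
)

if __name__ == "__main__":
    import json
    print(json.dumps({"cve": SAMPLE.cve_id,
                      "nvd": to_nvd_configuration(SAMPLE),
                      "osv": to_osv_affected(SAMPLE)}, indent=2))
```

The point of keeping the version range in the source record rather than in either output is that NVD expresses it with `versionStartIncluding`/`versionEndExcluding` on a wildcard-version CPE, while OSV expresses it as `introduced`/`fixed` events; a correction made once in the source record flows into both.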
You can help in many ways:
- Report data quality issues you find
- Help improve the documentation
- Submit corrections to vulnerability data
- Add support for new package ecosystems
- Review pull requests
- Join discussions and share ideas
Possibly! However, our focus right now is on building useful tools and proving they work. Finding a long-term organizational home will come naturally once we've demonstrated value to the community.
This project is licensed under the Apache 2.0 License.