vulnerabilitydb's Issues

semver, unaffected, <0.0.0 oddities in snapshot

We've noticed some odd data in the vulndb snapshot files. E.g.,

https://github.com/Snyk/vulndb/blob/8f6f9466e3880e2223b021da9d09ff870bf80c21/master/snapshot.json#L3036

That vuln item, which is for moment and claims to be nsp id 55, has the following semver property:

{
  "vulnerable": "<=2.11.1",
  "unaffected": "<0.0.0"
}

Typically a simple semver would be more like:

{
  "vulnerable": "<=2.11.1",
  "unaffected": ">2.11.1"
}

Is there some special meaning for "<0.0.0"?

There seem to be 12 instances of that in the current snapshot.

Also, some additional weirdness regarding this vuln item - nsp no longer tracks nsp id 55. By googling, I found a link to it with the following "title" - Regular Expression Denial of Service - Node Security Platform ... with a link to https://nodesecurity.io/advisories/55, but that 404's, and trolling around their advisories, I can't seem to find it at all.
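
As an added example (not code from the vulnerabilitydb repo or from this issue's author), here is a minimal evaluator for the comparator ranges quoted in the issue. It assumes plain MAJOR.MINOR.PATCH versions with no prerelease tags and space-separated comparators, and it shows why "<0.0.0" matters in practice: no version satisfies it, so an entry carrying it never classifies any release as unaffected.

```javascript
// Added example, not from the vulnerabilitydb repo. Evaluates the simple
// comparator ranges used in the snapshot's "semver" property.
// Assumptions: versions are plain MAJOR.MINOR.PATCH (no prerelease tags);
// a range is a space-separated AND of comparators such as "<=2.11.1".

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1 in the usual comparator sense (major, then minor, then patch).
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

const OPS = {
  '<': (c) => c < 0, '<=': (c) => c <= 0, '>': (c) => c > 0,
  '>=': (c) => c >= 0, '=': (c) => c === 0, '': (c) => c === 0,
};

// Does `version` satisfy every comparator in `range`?
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((comp) => {
    const m = /^(<=|>=|<|>|=)?(.+)$/.exec(comp);
    return OPS[m[1] || ''](compareVersions(version, m[2]));
  });
}

// Classify one version against a snapshot entry's semver property.
function classify(version, semver) {
  if (satisfies(version, semver.vulnerable)) return 'vulnerable';
  if (satisfies(version, semver.unaffected)) return 'unaffected';
  return 'unclassified'; // matched neither range
}

// Constructed sample entries mirroring the two shapes quoted in the issue.
const oddEntry = { vulnerable: '<=2.11.1', unaffected: '<0.0.0' };
const typicalEntry = { vulnerable: '<=2.11.1', unaffected: '>2.11.1' };

// Under the odd entry nothing is ever "unaffected": "<0.0.0" is satisfied
// by no version, so a fixed release ends up "unclassified" instead.
function report(version) {
  return { odd: classify(version, oddEntry), typical: classify(version, typicalEntry) };
}
```

A consumer that treats "not vulnerable" as "safe" and one that requires an explicit "unaffected" match will therefore disagree on such entries, which is worth checking before relying on the unaffected field.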

Where is the structured data?

The README.md states the following:

The data.json file contains the raw data about the vulnerability.
It can optionally reference other files, like the vulnerability 
description (README.md) or patch files located in the same folder.

But there are no data.json files anywhere; where is the parseable format of the vulnerabilities?

Incorrect 20180111 report of npm:cookie-signature vulnerability

The entry at https://snyk.io/vuln/npm:cookie-signature:20180111 claims that users must upgrade to 1.1.0 to mitigate a timing attack. This is incorrect, and is causing trouble for projects that support older versions of node.js (tj/node-cookie-signature#27).

All versions 1.0.4 and above already had mitigation for timing attacks in place. Version 1.1.0 is simply an update (internal change) that switches from an alternate timing safe comparison method to a helper included as part of more recent node. Original discussion can be found at tj/node-cookie-signature#24 (comment)

IMPORTANT: the older report at https://github.com/snyk/vulnerabilitydb/tree/master/data/npm/cookie-signature/20160804 is correct. I am only referring to the 20180111 report linked above, which is apparently not synced to this repository yet.

Is this data maintained as current?

Hi:
I was wondering if this data is meant to be somewhat current? It looks like it has not been updated in a few months... I think there have been a few new vulnerabilities since then, right?
Thanks!

node-forge 0.7.4 still reports as vulnerable

Greetings folks! I maintain this library:
https://github.com/google/google-auth-library-nodejs

It shows us as having a vuln with node-forge. We are using 0.7.4:
https://github.com/google/google-auth-library-nodejs/blob/master/package-lock.json#L1182

This doc says the remediation is to upgrade to 0.7.4:
https://snyk.io/vuln/npm:node-forge:20180226

Yet... it is still being marked as vulnerable. Looks like the DB may need to be updated. Any insight would be super helpful. Thanks!

Can't install @snyk/maven-semver

Hi, I'm trying to run npm install on a fresh copy of this repo and I'm getting this error:

npm ERR! Linux 4.11.4-300.fc26.x86_64
npm ERR! argv "/usr/bin/node" "/usr/bin/npm" "install"
npm ERR! node v6.10.3
npm ERR! npm  v3.10.10
npm ERR! code E404

npm ERR! 404 Not found : @snyk/maven-semver
npm ERR! 404 
npm ERR! 404  '@snyk/maven-semver' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404 It was specified as a dependency of '@snyk/vulndb'
npm ERR! 404 
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.

I can't find maven-semver anywhere, is this an error on my part? Thanks for your help!

No more syncing?

Hi,
are you guys going to keep syncing the data? Seems like it's not been updated for a while 😄
Just wanted to know 😄