Merged
7 changes: 6 additions & 1 deletion .github/workflows/pythonapp.yml
Expand Up @@ -49,9 +49,14 @@ jobs:
npm install -g @cyclonedx/cdxgen
cdxgen -t python -o bom.json . -p --profile research
uv sync --all-extras --dev
uv run vdb --download-image
uv run vdb --cache --only-osv
uv run vdb --bom bom.json
if: ${{ matrix.python-version == '3.13' && matrix.os == 'ubuntu-latest' }}
- name: CLI tests
run: |
uv run vdb --search "pkg:maven/org.springframework/spring-core@6.0.13"
uv run vdb --search "pkg:maven/org.hibernate.orm/hibernate-core@6.2.9.Final"
uv run vdb --search "pkg:nuget/Microsoft.Data.SqlClient@5.0.1"
uv run vdb --search "pkg:nuget/Microsoft.IdentityModel.JsonWebTokens@6.21.0"
uv run vdb --search "pkg:nuget/System.Drawing.Common@5.0.0"
if: ${{ matrix.python-version == '3.13' && matrix.os == 'ubuntu-latest' }}
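Review bot: In the "CLI tests" step, the five `uv run vdb --search` commands can only fail the job through a non-zero exit status, and nothing checks that a given purl actually returns a match. Unless vdb exits non-zero on an empty result, a search that silently finds nothing would still pass, so consider asserting on the output for each purl. The `if:` expression is also repeated verbatim on both steps and could drift if only one copy is updated.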
34 changes: 29 additions & 5 deletions INTEGRATION.md
Expand Up @@ -11,12 +11,36 @@ When used as a Python library, the only dependency is Python >= 3.10. When using
The vulnerability database comprises two SQLite database files.

- data.index.vdb6 - A smaller index database optimized for quick purl or cpe string searches and vers-based range comparisons.
- data.vdb6 - Full CVE source database containing normalized data in CVE 5.1 specification formation and purl prefix.

![Index schema](./docs/vdb-index-schema.png)
### cve_index schema

- data.vdb6 - Full CVE source database containing normalized data in CVE 5.1 specification formation and purl prefix.
```sql
CREATE TABLE if not exists cve_index(
cve_id TEXT NOT NULL,
type TEXT NOT NULL,
namespace TEXT,
name TEXT NOT NULL,
vers TEXT NOT NULL,
purl_prefix TEXT NOT NULL
)
```

![Data schema](./docs/vdb-schema.png)
### cve_data schema

```sql
CREATE TABLE if not exists cve_data(
cve_id TEXT NOT NULL,
type TEXT NOT NULL,
namespace TEXT,
name TEXT NOT NULL,
source_data BLOB NOT NULL,
override_data BLOB,
source_data_hash TEXT NOT NULL,
vers TEXT NOT NULL,
purl_prefix TEXT NOT NULL
)
```

## Searching for CVEs

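Review bot: The `cve_data` schema block lists `source_data_hash`, `override_data` and `source_data` with no explanation of what they hold. An integrator reading this cannot tell which hash is stored, what it is computed over, or when `override_data` takes precedence over `source_data`. One sentence per column under each schema heading would cover it. The `cve_index` description says the database is optimized for quick purl or cpe searches, but the DDL shown has no key or index, so either include the index definitions or state that they are omitted. Also, "CVE 5.1 specification formation" in the data.vdb6 bullet should read "format".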
Expand Down Expand Up @@ -70,8 +94,8 @@ Refer to the vers [documentation](https://github.com/package-url/purl-spec/blob/
Search the `cve_index` table in the index database first to retrieve any matching cve_id and purl_prefix values. Use these two column values to retrieve the full CVE source information from the `cve_data` table. An example query is shown below:

```sql
SELECT DISTINCT cve_id, type, namespace, name, source_data_hash, json(source_data), json(override_data), purl_prefix FROM cve_data
WHERE cve_id = ? AND purl_prefix = ?
SELECT DISTINCT cve_id, type, namespace, name, source_data_hash, json(source_data), json(override_data), vers, purl_prefix FROM cve_data
WHERE cve_id = ? AND vers = ? AND purl_prefix = ?
GROUP BY purl_prefix
ORDER BY cve_id DESC;
```
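Review bot: The sentence introducing this query still says "Use these two column values", but the `WHERE` clause now binds three parameters (`cve_id = ? AND vers = ? AND purl_prefix = ?`). Update the prose to name cve_id, vers and purl_prefix so callers pass all three from the `cve_index` row. Since `purl_prefix` is already fixed by the `WHERE` clause, `GROUP BY purl_prefix` collapses the result to a single row. If several rows can share the same cve_id, vers and purl_prefix, say which one is expected back, or drop the `GROUP BY` and rely on `DISTINCT`.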