CVE for application vulnerabilities from public sources often lacks critical information such as Class or method names (source and sink information). Sometimes, even aliases for the package name, affected and fixed versions could be incorrect. This repo aims to be provide useful human curated annotations for existing known vulnerabilities. Scope will be initially limited to only the following ecosystem:
- maven
- npm
- pip
To submit an annotation, open a pull request using the below toml template.
Annotation information is presented in TOML format.
[annotation]
id = "CVE/GHSA/NPM reference"
# related_ids = ["CVE1", "CVE2"]
date = "YYYY-MM-DD"
repository = ""
# Package url like format with scheme, type, namespace, name without version, qualifiers and subpath
# https://github.com/package-url/purl-spec
# Eg: pkg:maven/commons-io/commons-io or pkg:npm/amdefine or pkg:pypi/pillow
package = "pkg:maven/commons-io/commons-io"
# Optional: Related packages affected
# related_packages = { "pkg1" = "Version range", "pkg2" = "Version range" }
# Optional: Categories this advisory falls under. Valid categories are:
# "code-execution", "crypto-failure", "denial-of-service", "file-disclosure"
# "format-injection", "memory-corruption", "memory-exposure", "privilege-escalation"
categories = ["code-execution"]
# Freeform keywords which describe this vulnerability (optional)
keywords = ["prototype-pollution", ""]
cwe = ""
# URLs related to this vulnerability
related = [""]
# URL to any publicly available exploits
exploits = ""
# Metadata about the scope of the vulnerability
[affected]
# Table of canonical paths to vulnerable functions (optional)
# mapping to which versions impacted by this advisory used that particular
# name (e.g. if the function was renamed between versions).
# The path syntax is `package::path::to::function`, without any
# parameters or additional information, followed by a list of version reqs.
# Version range format - https://developer.github.com/v4/object/securityvulnerability/
# = 0.2.0 denotes a single vulnerable version.
# <= 1.0.8 denotes a version range up to and including the specified version
# < 0.1.11 denotes a version range up to, but excluding, the specified version
# >= 4.3.0, < 4.3.5 denotes a version range with a known minimum and maximum version.
# >= 0.0.1 denotes a version range with a known minimum, but no known maximum
# > 2.1.0, < 2.1.8
# > 2.0.0, <= 2.0.14
functions = { "package::MyClass::vulnerable_function" = ["< 1.2.0, >= 1.1.0"] }
# Versions which include fixes for this vulnerability (mandatory)
[versions]
patched = [">= 1.2.0"]
# Versions which were never vulnerable (optional)
#unaffected = ["< 1.1.0"]
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent