Closed prabhu closed 4 years ago
There is now an api for performing vendor, name and version based searches - https://github.com/AppThreat/vulndb/blob/master/vulndb/lib/db.py#L142
Such searches are non-indexed but are still performant to an extent.
Package search is purely based on name and version string
https://github.com/AppThreat/vulndb/blob/master/vulndb/lib/db.py#L114
This leads to situations where same packages belonging to different vendors could get flagged up erroneously (false positives). For example, the `postgresql` client could be mis-interpreted as the server since the names are the same, differing only in the group. Some effort is required to fix this limitation.
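As an added illustration of the false-positive mode described in this issue (this is example code, not vulndb's own search implementation), the block below runs a name+version lookup and a vendor/group-qualified lookup over a constructed in-memory table. Vendor names, versions and the `VULN-PLACEHOLDER-*` identifiers are all made up for the demonstration; the `vendor` field stands in for whatever namespace distinguishes the packages (a CPE vendor, a Maven group, a distro source package).

```python
# Example code added to this issue; it is not part of vulndb.
# Shows why matching on name+version alone can flag the wrong package
# (e.g. a client library with the same name as the server) and how
# qualifying the search by vendor/group removes those hits.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class VulnRecord:
    vendor: str        # namespace that disambiguates same-named packages
    name: str
    min_version: str   # first affected version (inclusive)
    max_version: str   # last affected version (inclusive)
    vuln_id: str       # constructed placeholder, not a real advisory id


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple (e.g. "12.1" -> (12, 1))."""
    return tuple(int(part) for part in v.split("."))


def version_in_range(rec: VulnRecord, version: str) -> bool:
    """Inclusive range check on the affected version window."""
    return parse_version(rec.min_version) <= parse_version(version) <= parse_version(rec.max_version)


# Constructed sample table: the server and a client library share the
# package name "postgresql" but live under different vendors/groups.
SAMPLE_DB: List[VulnRecord] = [
    VulnRecord("postgresql", "postgresql", "12.0", "12.3", "VULN-PLACEHOLDER-1"),
    VulnRecord("postgresql", "postgresql", "11.0", "11.4", "VULN-PLACEHOLDER-2"),
    VulnRecord("example-client-group", "postgresql", "12.0", "12.9", "VULN-PLACEHOLDER-3"),
]


def search_by_name_version(db: List[VulnRecord], name: str, version: str) -> List[VulnRecord]:
    """Name+version only: cannot tell the client from the server."""
    return [r for r in db if r.name == name and version_in_range(r, version)]


def search_by_vendor_name_version(db: List[VulnRecord], vendor: str,
                                  name: str, version: str) -> List[VulnRecord]:
    """Vendor/group-qualified search: only records for the matching namespace."""
    return [r for r in search_by_name_version(db, name, version) if r.vendor == vendor]


def false_positives(db: List[VulnRecord], vendor: str, name: str, version: str) -> List[str]:
    """Ids the name-only search returns that the vendor-aware search rejects."""
    broad = {r.vuln_id for r in search_by_name_version(db, name, version)}
    narrow = {r.vuln_id for r in search_by_vendor_name_version(db, vendor, name, version)}
    return sorted(broad - narrow)


if __name__ == "__main__":
    # Scanning the *server* at 12.1: the name-only search also drags in the
    # client-library record, which a vendor-qualified search drops.
    print("name-only hits:", [r.vuln_id for r in search_by_name_version(SAMPLE_DB, "postgresql", "12.1")])
    print("vendor-aware hits:", [r.vuln_id for r in
                                 search_by_vendor_name_version(SAMPLE_DB, "postgresql", "postgresql", "12.1")])
    print("false positives:", false_positives(SAMPLE_DB, "postgresql", "postgresql", "12.1"))
```

The linear scans mirror the non-indexed search the issue mentions; the point is the extra `vendor` predicate, not the lookup strategy. In a real scanner the vendor/group would come from the package manifest (for example the Maven group id) rather than being hard-coded.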