Vulnerability Lookup
Vulnerability Lookup facilitates quick correlation of vulnerabilities from various sources, independent of vulnerability IDs, and streamlines the management of Coordinated Vulnerability Disclosure (CVD). Vulnerability Lookup is also a collaborative platform where users can comment on security advisories and create bundles.
A Vulnerability Lookup instance operated by CIRCL is available at https://vulnerability.circl.lu.
Features
- A fast lookup API to search for vulnerabilities and find correlation per vulnerability identifier.
- Modular system to import different vulnerability sources.
- An API for adding new vulnerability including ID assigment, state and disclosure.
- Creation, edition and fork/copy of Security Advisories with the vulnogram editor.
- A user management system to support comment, report and admin of vulnerability advisories.
- Ability to add, review and share comments on vulnerability advisories.
- An extensive RSS and Atom support for vulnerabilities and comments.
- Integration of EPSS score.
A documentation is available here.
Sources and Feeders
- CISA Known exploited vulnerability DB (via HTTP).
- NIST NVD CVE importer (via API 2.0).
- CVEProject - cvelist (via git submodule repository).
- Cloud Security Alliance - GSD-Database (via git submodule repository).
- GitHub Advisory Database (via git submodule repository).
- PySec Advisory Database (via git submodule repository).
- OpenSSF Malicious Packages (via git submodule repository)
- Additional sources via CSAF including CERT-Bund, CISA, Cisco, nozominetworks, Open-Xchange, Red Hat, Sick, Siemens.
- VARIoT IoT vulnerabilities database.
- JVN iPedia, Japan database of vulnerability countermeasure information.
- Tailscale security bulletins.
Installation
Requirements
- Recent version of Python 3.10
- Recent version of Poetry
- Kvrocks database
Installation instructions are available in the documentation.
Why Vulnerability Lookup ?
Vulnerability Lookup is a rewritten version of cve-search, an open-source tool initially aimed at maintaining a local CVE database. The original cve-search had design and scalability limitations, and its public instance operated by CIRCL is maxing out at 20,000 queries per second.
As vulnerability sources have diversified beyond the NVD CVE, a new tool was needed to support the CVD process, allowing for bundling, commenting, publishing, and extending vulnerability information in a collaborative manner.
Architecture
License
vulnerability-lookup is free software released under the "GNU Affero General Public License v3.0".
Copyright (c) 2023-2024 Computer Incident Response Center Luxembourg (CIRCL)
Copyright (c) 2023-2024 Alexandre Dulaunoy - https://github.com/adulau
Copyright (c) 2023-2024 Raphaël Vinot - https://github.com/Rafiot
Copyright (c) 2024 Cédric Bonhomme - https://github.com/cedricbonhomme