The idea of the Vulnerability Lake is to provide a useful source of information about known vulnerabilities. Since 2020, many organisations (meanwhile over 300) have joined forces under the lead of the NIST to improve public knowledge about known vulnerabilities as official CNAs (CVE Numbering Authorities). These are organisations that own a certain range of CVE IDs, from which they assign numbers to issues concerning their own products.
The NVD and MITRE, respectively, collect and curate the information supplied and publish this collection as a data feed. For some time we have been using this data stream to check your components for new vulnerabilities. Unless you have blocked email notifications, you will most likely receive an email whenever a new vulnerability is published that affects any of your project's components.
With Vulnerability Lake we provide this data as a public source. You may use it to search for specific components, versions, or providers. There is a CPE search, and shortly you will also be able to search for CVEs and pURLs. The latter is not trivial, as the NVD data is focused more on providers (vendors) than on open source, which sometimes makes identification difficult.
Currently there are two search modes: standard and expert. While the standard mode gives you input masks, the expert mode lets you write the whole query as one string, for example `a:apache:tomcat:2.1.0`.
However, probably the most important feature is that you can retrieve the data through an API. This allows you to check for vulnerability information in an automated way. You will find the details in the API spec.
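To illustrate what the expert query string and an automated check built on the feed look like in practice, here is an added example (not Vulnerability Lake's own code, and not its API client). It assumes that the expert syntax `a:apache:tomcat:2.1.0` is a CPE 2.3 fragment of the form `part:vendor:product[:version...]` with omitted attributes meaning "any", and that the feed records carry CPE 2.3 match strings with the optional version-range keys (`versionStartIncluding`, `versionEndExcluding`) as found in NVD feeds. The CVE IDs, feed records and inventory below are constructed placeholders, not real data.

```python
"""Match a component inventory against NVD-style CPE match criteria.

Added example; assumptions are labelled in comments. The expert-query
expansion (expand_expert_query) is an assumed syntax, not documented behaviour.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Attribute names of a CPE 2.3 formatted string after the "cpe:2.3:" prefix.
CPE_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]


def split_cpe(s: str) -> list[str]:
    """Split on unescaped colons; a backslash escapes the next character."""
    parts, cur, esc = [], "", False
    for ch in s:
        if esc:
            cur, esc = cur + ch, False
        elif ch == "\\":
            cur, esc = cur + ch, True
        elif ch == ":":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return parts


def parse_cpe(s: str) -> dict[str, str]:
    """Parse a CPE 2.3 formatted string into its eleven attributes."""
    parts = split_cpe(s)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {s!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))


def expand_expert_query(q: str) -> str:
    """ASSUMED expert syntax: part:vendor:product[:version:...]; missing fields -> ANY."""
    parts = split_cpe(q)
    if not 3 <= len(parts) <= 11:
        raise ValueError(f"expected 3..11 CPE attributes, got {len(parts)}")
    return "cpe:2.3:" + ":".join(parts + ["*"] * (11 - len(parts)))


def attr_match(pattern: str, value: str) -> bool:
    """Simplified CPE attribute comparison: '*' is ANY, '-' is NA, else equality."""
    if pattern == "*":
        return True
    if pattern == "-":
        return value == "-"
    # An unset ('*') inventory attribute against a specific pattern is treated
    # as a non-match here (the full matching spec calls this undetermined).
    return pattern.lower() == value.lower()


def version_key(v: str) -> tuple[int, ...]:
    """Numeric-only version ordering (simplification: '2.1.0' -> (2, 1, 0))."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


@dataclass
class Criterion:
    """One NVD-style match criterion: a CPE pattern plus optional version range."""
    cpe23: str
    version_start_including: Optional[str] = None
    version_end_excluding: Optional[str] = None

    def matches(self, target_cpe: str) -> bool:
        pat, tgt = parse_cpe(self.cpe23), parse_cpe(target_cpe)
        if not all(attr_match(pat[f], tgt[f]) for f in CPE_FIELDS):
            return False
        v = tgt["version"]
        if self.version_start_including or self.version_end_excluding:
            if v in ("*", "-"):
                return False  # cannot place an unknown version in a range
            if self.version_start_including and version_key(v) < version_key(self.version_start_including):
                return False
            if self.version_end_excluding and version_key(v) >= version_key(self.version_end_excluding):
                return False
        return True


# Constructed feed with placeholder CVE IDs (not real vulnerabilities).
FEED = [
    {"id": "CVE-0000-0001", "criteria": [
        Criterion("cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "2.0.0", "2.1.5")]},
    {"id": "CVE-0000-0002", "criteria": [
        Criterion("cpe:2.3:a:apache:tomcat:3.0.0:*:*:*:*:*:*:*")]},
]

# Constructed inventory: one entry via the assumed expert syntax, one full CPE.
INVENTORY = [
    expand_expert_query("a:apache:tomcat:2.1.0"),
    "cpe:2.3:a:apache:httpd:2.4.57:*:*:*:*:*:*:*",
]


def find_affected(inventory: list[str], feed: list[dict]) -> dict[str, list[str]]:
    """Return {component CPE: [CVE ids]} for every component hit by a criterion."""
    hits: dict[str, list[str]] = {}
    for comp in inventory:
        for rec in feed:
            if any(c.matches(comp) for c in rec["criteria"]):
                hits.setdefault(comp, []).append(rec["id"])
    return hits


if __name__ == "__main__":
    for comp, ids in find_affected(INVENTORY, FEED).items():
        print(comp, "->", ", ".join(ids))
```

The point worth noticing is the version-range handling: NVD criteria frequently carry a `*` version in the CPE string and express the affected versions through range keys, so a matcher that only compares the CPE version attribute will silently miss those records. Real automated checks should also handle the `versionStartExcluding` and `versionEndIncluding` variants, which the example omits for brevity.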
Please see also the Management of Vulnerabilities article for further information on how to analyse the impact of particular CVEs.