Veracode Vulnerability Database
SCA results pull data from the Veracode Vulnerability Database, which includes public CVEs in addition to exclusive vulnerability content that is not available elsewhere.
Sources
The Veracode Vulnerability Database catalogs open-source libraries, their licenses, and associated vulnerabilities using the following resources.
Libraries
- Maven Central (Java, Kotlin, Scala)
- PyPI (Python)
- RubyGems (Ruby)
- npm (JavaScript, TypeScript)
- CocoaPods (Objective-C, Swift)
- Bower (JavaScript)
- Packagist (PHP)
- GitHub (Go)
- NuGet (.NET)
- Google Maven (Kotlin)
- Spring Maven (Java, Kotlin)
- Cloudera Maven (Java)
Vulnerabilities
Veracode researchers use multiple sources to populate the vulnerability database.
- National Vulnerability Database
- OSV
- GitHub issues and commits
- Bug trackers (Bugzilla and Jira)
- Mailing lists
- Product advisories and announcements
The CVSS scores in Veracode's Vulnerability Database match the NIST score in the NVD; they do not match the CNA or ADP scores that the NVD also lists for the same CVE. When a NIST score is not available, we use the CVSS v3 score from OSV. If OSV doesn't provide a v3 score, our security research team calculates a score based on its own research. We do not yet support CVSS v4.
Exploit information
Veracode SCA provides the following exploitability information that you can combine with vulnerability severity ratings to prioritize remediation.
- Exploit Prediction Scoring System (EPSS) estimates the probability that an attacker will exploit a vulnerability.
- Exploit Observed indicates whether an attacker has already exploited a vulnerability or whether vulnerable code is publicly available.
EPSS
FIRST.org, the organization that created the Common Vulnerability Scoring System (CVSS), developed the Exploit Prediction Scoring System (EPSS). EPSS has two components: probability and percentile.
- EPSS probability: the EPSS model produces an epss_score between 0 and 1 (0 and 100%) that estimates the probability that a software vulnerability will be exploited in the next 30 days. The higher the score, the greater the probability that a vulnerability will be exploited.
- EPSS percentile: the EPSS model also provides the epss_percentile of the current EPSS score, which shows the percentage of all vulnerabilities with the same or lower EPSS scores.
EPSS data is updated daily. Only vulnerabilities with an assigned CVE number published by cve.org have an EPSS score. For example, SRCCLR-SID-1538 has no EPSS score because it does not have a CVE number, and CVE-2014-1862 has no EPSS score because its status is reserved, not published.
Exploit observed
When an exploit is observed in the wild or when proof of concept (POC) code becomes publicly available, the exploit_observed field is true and the exploit_source field displays the source of this information. Veracode’s sources are the Exploit-DB from OffSec and the Known Exploited Vulnerabilities (KEV) catalog from the Cybersecurity & Infrastructure Security Agency (CISA).
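The sections on exploit information, EPSS and Exploit observed describe fields that are meant to be combined with the CVSS severity when ordering remediation work. The following is an added example, not Veracode's code: it ranks a constructed set of SCA findings using the field names the page gives (cvss_score, epss_score, epss_percentile, exploit_observed, exploit_source), computes the percentile the way the page defines it (share of scores at or below a given score, here over the sample rather than FIRST's full CVE population), and leaves findings without a CVE number with no EPSS value, as the page explains. The tier rules and thresholds are constructed for illustration.

```python
# Added example (not Veracode's code): rank SCA findings by combining CVSS
# severity with the EPSS and exploit-observed fields the page describes.
# Field names follow the page; the findings, tiers and thresholds are constructed.
from typing import List, Optional

# Constructed findings using the page's identifier styles (CVE ids, SRCCLR-SID ids).
# The ids and scores are placeholders, not real vulnerabilities.
FINDINGS = [
    {"id": "CVE-0000-0001", "cvss_score": 9.8, "epss_score": 0.94,
     "exploit_observed": True, "exploit_source": "CISA KEV"},
    {"id": "CVE-0000-0002", "cvss_score": 9.1, "epss_score": 0.02,
     "exploit_observed": False, "exploit_source": None},
    {"id": "CVE-0000-0003", "cvss_score": 5.3, "epss_score": 0.40,
     "exploit_observed": True, "exploit_source": "Exploit-DB"},
    {"id": "CVE-0000-0004", "cvss_score": 7.5, "epss_score": 0.35,
     "exploit_observed": False, "exploit_source": None},
    # No CVE number, so no EPSS score, as the page explains.
    {"id": "SRCCLR-SID-0000", "cvss_score": 7.2, "epss_score": None,
     "exploit_observed": False, "exploit_source": None},
]


def epss_percentile(score: float, population: List[float]) -> float:
    """Percentage of scores in `population` that are <= `score`; this is how the
    page defines epss_percentile (FIRST computes it over every scored CVE)."""
    return 100.0 * sum(1 for s in population if s <= score) / len(population)


def triage_tier(finding: dict) -> str:
    """Constructed triage rule: observed exploitation (KEV or public POC) outranks
    everything; then a high-severity issue that EPSS says is likely to be exploited
    (>= 0.1, i.e. 10% in 30 days); then remaining high-severity issues; then the rest.
    Findings without an EPSS score fall back to CVSS alone."""
    epss: Optional[float] = finding["epss_score"]
    if finding["exploit_observed"]:
        return "P1-exploited"
    if epss is not None and epss >= 0.1 and finding["cvss_score"] >= 7.0:
        return "P2-likely"
    if finding["cvss_score"] >= 7.0:
        return "P3-severe"
    return "P4-monitor"


def prioritize(findings: List[dict]) -> List[dict]:
    """Annotate each finding with its percentile and tier, then sort for remediation."""
    scored = [f["epss_score"] for f in findings if f["epss_score"] is not None]
    ranked = []
    for f in findings:
        f = dict(f)
        f["epss_percentile"] = (None if f["epss_score"] is None
                                else epss_percentile(f["epss_score"], scored))
        f["tier"] = triage_tier(f)
        ranked.append(f)
    # Tier first, then highest EPSS, then highest CVSS.
    ranked.sort(key=lambda f: (f["tier"], -(f["epss_score"] or 0.0), -f["cvss_score"]))
    return ranked


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f["tier"], f["id"], f["cvss_score"], f["epss_score"],
              f["epss_percentile"], f["exploit_source"])
```

The ordering shows the point of the page's fields: the CVSS 5.3 finding with a public proof of concept ranks above the CVSS 9.1 finding whose EPSS probability is 2%, and the finding with no CVE is ranked on severity alone because it can never carry an EPSS score.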
Searching the vulnerability database
You can search the vulnerability database to determine if a library is safe prior to adding it to your code. You can also use it to learn important details about a library, such as the license in use and insight into specific vulnerabilities.
You can use the following keywords to filter your search results in the Veracode Vulnerability Database:
| Keyword | Usage | Possible Values | Example |
|---|---|---|---|
| type | Restricts results to either libraries or vulnerabilities | library, vulnerability | type: library |
| language | Restricts results to the specified language | java, ruby, python, objectivec, go, php | language: go |
| released | Filters results to the latest library versions or vulnerabilities released since the specified date | yyyy-mm-dd | released: 2017-05-25 |
| source | Restricts results to libraries catalogued from the specified source | maven, pypi, gem, npm, bower, cocoapods, packagist | source: bower |
| license | Restricts results to libraries with the specified license | apache, mit, bsd, gpl | license: gpl |
| severity | Restricts results to vulnerabilities with a severity within the specified range. Requires type: vulnerability. | Two numbers from 0.0 to 10 separated by two periods | severity: 1.2..9.9 |
| vulnerable | Restricts results to libraries with vulnerabilities associated with them | true | vulnerable: true |
| vulnerable_method | Restricts results to vulnerabilities with vulnerable methods associated with them | true | vulnerable_method: true |
| enhanced | Restricts results to vulnerabilities with full write-up details | true | enhanced: true |
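A search string built from these keywords can be validated before it is submitted, which is useful when queries are assembled by a script rather than typed by hand. The following is an added example, not Veracode's code: the keyword names and allowed values come from the table above, while the parser, its error messages, the helper names (parse_query, is_valid) and the sample queries are constructed. It also enforces the table's two stated constraints: released takes a yyyy-mm-dd date, and severity requires type: vulnerability.

```python
# Added example (not Veracode's code): validate a vulnerability-database search
# string against the keyword table above. Keywords and values are from the
# table; the parser, error messages and sample queries are constructed.
import re
from datetime import date
from typing import Dict, Optional, Set, Tuple, Union

# Keywords with a fixed set of values; released and severity are validated separately.
KEYWORDS: Dict[str, Optional[Set[str]]] = {
    "type": {"library", "vulnerability"},
    "language": {"java", "ruby", "python", "objectivec", "go", "php"},
    "source": {"maven", "pypi", "gem", "npm", "bower", "cocoapods", "packagist"},
    "license": {"apache", "mit", "bsd", "gpl"},
    "vulnerable": {"true"},
    "vulnerable_method": {"true"},
    "enhanced": {"true"},
    "released": None,   # yyyy-mm-dd
    "severity": None,   # low..high, each from 0.0 to 10
}

_PAIR = re.compile(r"(\w+):\s*(\S+)")          # "keyword: value" pairs
_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")        # the table's yyyy-mm-dd form

Value = Union[str, date, Tuple[float, float]]


def parse_query(query: str) -> Dict[str, Value]:
    """Parse a search string into keyword -> typed value; raise ValueError on bad input."""
    parsed: Dict[str, Value] = {}
    for key, value in _PAIR.findall(query):
        if key not in KEYWORDS:
            raise ValueError(f"unknown keyword: {key}")
        if key in parsed:
            raise ValueError(f"duplicate keyword: {key}")
        if key == "released":
            if not _DATE.fullmatch(value):
                raise ValueError(f"released must be yyyy-mm-dd, got {value}")
            parsed[key] = date.fromisoformat(value)   # also rejects impossible dates
        elif key == "severity":
            low, sep, high = value.partition("..")
            if sep != "..":
                raise ValueError(f"severity must be low..high, got {value}")
            lo, hi = float(low), float(high)
            if not (0.0 <= lo <= hi <= 10.0):
                raise ValueError(f"severity range out of order or bounds: {value}")
            parsed[key] = (lo, hi)
        elif value not in KEYWORDS[key]:
            raise ValueError(f"invalid value for {key}: {value}")
        else:
            parsed[key] = value
    # The table notes that severity only applies to vulnerability searches.
    if "severity" in parsed and parsed.get("type") != "vulnerability":
        raise ValueError("severity requires type: vulnerability")
    return parsed


def is_valid(query: str) -> bool:
    """True when the query parses cleanly, False otherwise."""
    try:
        parse_query(query)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample queries built from the table's examples.
    print(parse_query("type: vulnerability language: go severity: 1.2..9.9 released: 2017-05-25"))
    print(is_valid("type: library severity: 1.0..5.0"))   # False: severity needs type: vulnerability
```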
Vulnerabilities in the database
Select a vulnerability in the database to review the following information about the selected vulnerability.
Risk score
This area provides a detailed breakdown of the CVSS score, including the scores for each CVSS vector.
Summary
The Summary area provides a breadth of information related to the selected vulnerability, including:
- Technical overview: a paragraph describing the vulnerability.
- Severity CVSS score: relative severity of the vulnerability. A detailed explanation of the CVSS score is available in the CVSS guide.
- Library vulnerability information: the name of the library and a dropdown menu with one or more of the vulnerable version ranges for the library, along with the fixed and latest versions.
Technical Information
For Enhanced artifacts, this area provides the full write-up describing the vulnerability, with an analysis of the issue.
Library fix info
This area provides complete information regarding how to fix a library that contains a vulnerability. You can view the affected library version ranges here in addition to safe versions to use and the code for updating to the safe version. In some cases, multiple libraries are associated with the same vulnerability. This area includes those libraries as well.
References
This area provides external references related to the vulnerability, including blog posts, the GitHub pull request for the fix, and other links with relevant information.
Library signatures
This area allows users to view the coordinates corresponding to the vulnerable libraries that Veracode SCA uses to identify the vulnerability.
Vulnerable methods
You can view the actual vulnerable part of the library. Even if a vulnerable library is in use, Veracode SCA can identify if a vulnerable method is in use. If the specific vulnerable method is not in use, the project might not be subject to a potential exploit.
Libraries in the vulnerability database
Select a library in the vulnerability database to review the following information about the selected library.
Summary
This page shows the history of a given library, organized by either the vulnerability severities or by the version released. With each list of library vulnerabilities and versions, there is a search box for narrowing down the list of vulnerabilities or versions.
Versions
You can use the Versions page to see vulnerability, license, and library evidence information sorted by library version. You can filter the list to only show library versions that include vulnerabilities.