Data sources
Complete list of data sources used by Grype for vulnerability scanning
The following is a list of data sources used to directly match packages to vulnerabilities in Grype:
| Data Source | Vunnel Provider | Ecosystems |
|---|---|---|
| AlmaLinux OSV Database | alma | RPM |
| Alpine SecDB | alpine | APK |
| Amazon Linux Security Center | amazon | RPM |
| Microsoft AzureLinux OVAL | mariner | RPM |
| Bitnami Vulnerability Database | bitnami | Bitnami |
| Chainguard Security | chainguard | APK |
| Chainguard Libraries (OpenVEX) | chainguard_libraries | |
| Debian Security Tracker | debian | DPKG |
| ECHO Security | echo | DPKG |
| GitHub Security Advisories | github | .NET, GitHub Actions, Go, Java, JavaScript, Python, Ruby, Rust |
| Microsoft CBL-Mariner OVAL | mariner | RPM |
| MINIMOS Security | minimos | APK |
| National Vulnerability Database (NVD) | nvd | .NET, APK, Go, Java, JavaScript, Python, Ruby, Rust |
| Oracle Linux Security | oracle | RPM |
| Red Hat Security Data API | rhel | RPM |
| SUSE Security OVAL | sles | RPM |
| Ubuntu CVE Tracker | ubuntu | DPKG |
| Wolfi Security | wolfi | APK |
Capabilities
Here are the capabilities of each data source as Grype uses them:
What do these columns mean?
For a detailed explanation of the columns in the table, please see the Capabilities overview.
| Data Source | Advisories | Disclosures (Affected) | Disclosures (Date) | Fixes (Versions) | Fixes (Date) | Track by Source Package |
|---|---|---|---|---|---|---|
| AlmaLinux OSV Database | ALSA | |||||
| Alpine SecDB | ||||||
| Amazon Linux Security Center | ALAS | |||||
| Microsoft AzureLinux OVAL | ||||||
| Bitnami Vulnerability Database | ||||||
| Chainguard Security | CGA | |||||
| Chainguard Libraries (OpenVEX) | CGA | |||||
| Debian Security Tracker | DSA | |||||
| ECHO Security | ECHO | |||||
| GitHub Security Advisories | GHSA | |||||
| Microsoft CBL-Mariner OVAL | ||||||
| MINIMOS Security | ||||||
| National Vulnerability Database (NVD) | CVE | |||||
| Oracle Linux Security | ELSA | |||||
| Red Hat Security Data API | RHSA | |||||
| SUSE Security OVAL | SUSE-SU | |||||
| Ubuntu CVE Tracker | USN | |||||
| Wolfi Security | CGA | |||||
Auxiliary data
We additionally have auxiliary data sources that are used to enhance vulnerability matching in Grype:
| Data Source | Vunnel Provider | Description |
|---|---|---|
| Exploit Prediction Scoring System | epss | Data-driven effort by FIRST to predict the likelihood that a software vulnerability will be exploited. Provides daily-updated probability scores (0-1) and percentile rankings for CVE prioritization. |
| CISA Known Exploited Vulnerabilities | kev | CISA's authoritative catalog of vulnerabilities known to be actively exploited in the wild. Provides exploitation status, required remediation actions, due dates, and ransomware campaign associations. |
These sources are cross-cutting in nature and are not tied to a specific distribution or ecosystem, though they primarily enrich information about CVEs.