CVE Matching
Find vulnerabilities with intelligent CVE-derivation matching and confidence scores.
Endpoint
GET /api/v1/vulns/:package
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| package | string | Yes | Package name to match |
Query Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| version | string | - | Package version for more accurate matching |
Response
```json
{
  "success": true,
  "data": {
    "package": "curl",
    "version": "8.4.0",
    "matches": [
      {
        "cve": "CVE-2024-0853",
        "confidence": "high",
        "source": "nixpkgs-tracker",
        "severity": "medium",
        "title": "curl OCSP verification bypass",
        "affectedVersions": "< 8.5.0",
        "fixedIn": "8.5.0",
        "references": [
          "https://curl.se/docs/CVE-2024-0853.html",
          "https://nvd.nist.gov/vuln/detail/CVE-2024-0853"
        ]
      }
    ],
    "osvMatches": {
      "Debian": 15,
      "Ubuntu": 12,
      "Alpine": 8
    }
  },
  "timestamp": "2024-01-15T12:00:00.000Z"
}
```
Response Fields
Match Object
| Field | Type | Description |
|---|---|---|
| cve | string | CVE identifier |
| confidence | string | Match confidence: high, medium, low |
| source | string | Data source: nixpkgs-tracker, osv, ghsa |
| severity | string | Severity level: critical, high, medium, low |
| title | string | Vulnerability title/description |
| affectedVersions | string | Affected version range |
| fixedIn | string | Version where the fix was applied |
| references | array | Links to vulnerability details |
Confidence Levels
| Level | Description |
|---|---|
| high | Exact package name match + version confirmed |
| medium | Fuzzy name match or partial version info |
| low | Possible match, manual verification recommended |
Examples
Basic Match
```bash
curl "https://api.vulnpatch.dev/api/v1/vulns/openssl"
```
Match with Version
```bash
curl "https://api.vulnpatch.dev/api/v1/vulns/openssl?version=3.0.11"
```
Code Examples
```javascript
async function checkVulnerabilities(packageName, version = null) {
  // Encode the path and query components so a package name or version string
  // cannot alter the shape of the request URL.
  let url = `https://api.vulnpatch.dev/api/v1/vulns/${encodeURIComponent(packageName)}`;
  if (version) {
    url += `?version=${encodeURIComponent(version)}`;
  }
  const response = await fetch(url);
  if (!response.ok) {
    throw new Error(`vulns lookup failed: HTTP ${response.status}`);
  }
  const { data } = await response.json();
  console.log(`Package: ${data.package}`);
  // Filter by confidence
  const highConfidence = data.matches.filter(m => m.confidence === 'high');
  console.log(`High confidence matches: ${highConfidence.length}`);
  for (const match of highConfidence) {
    console.log(`- ${match.cve} (${match.severity}): ${match.title}`);
    if (match.fixedIn) {
      console.log(`  Fixed in: ${match.fixedIn}`);
    }
  }
}
```
```python
import requests

def check_vulnerabilities(package_name, version=None):
    params = {}
    if version:
        params['version'] = version
    response = requests.get(
        f'https://api.vulnpatch.dev/api/v1/vulns/{package_name}',
        params=params,
        timeout=10,
    )
    response.raise_for_status()  # surface HTTP errors instead of parsing an error body as data
    data = response.json()['data']
    print(f"Package: {data['package']}")
    # Filter by confidence
    high_confidence = [m for m in data['matches'] if m['confidence'] == 'high']
    print(f"High confidence matches: {len(high_confidence)}")
    for match in high_confidence:
        print(f"- {match['cve']} ({match['severity']}): {match['title']}")
        if match.get('fixedIn'):
            print(f"  Fixed in: {match['fixedIn']}")
```
Matching Algorithm
The /vulns endpoint uses a sophisticated matching algorithm:
- Direct Match: Exact package name lookup in tracked issues
- Fuzzy Match: Handles naming variations (e.g., python3→python)
- OSV Enrichment: Supplements with OSV data across ecosystems
- Version Analysis: Confirms if the specified version is affected
See Vulnerability Matching for detailed algorithm explanation.
Use Cases
- CI/CD Integration: Check dependencies before deployment
- Security Audits: Identify vulnerable packages in your stack
- Upgrade Planning: Find which versions fix known vulnerabilities
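A CI gate built on the response fields and confidence levels documented above, as an added example (not part of the vulnpatch.dev docs or its client code). The gating policy is an assumption of this example: high-confidence matches block at or above a chosen severity, medium-confidence matches block only when critical, low-confidence matches go to manual review as the confidence table advises; matches whose fixedIn is not newer than the queried version are set aside, and the lowest version clearing every blocker is reported. The sample response is constructed to follow the documented schema, and the CVE-EXAMPLE-* identifiers are placeholders.

```python
import re
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample in the documented /vulns response shape; CVE-EXAMPLE-* ids are placeholders.
SAMPLE_DATA = {
    "package": "curl",
    "version": "8.4.0",
    "matches": [
        {"cve": "CVE-2024-0853", "confidence": "high", "severity": "medium",
         "title": "curl OCSP verification bypass", "fixedIn": "8.5.0"},
        {"cve": "CVE-EXAMPLE-0001", "confidence": "medium", "severity": "critical",
         "title": "constructed fuzzy-name match", "fixedIn": "8.6.0"},
        {"cve": "CVE-EXAMPLE-0002", "confidence": "low", "severity": "high",
         "title": "constructed possible match"},  # no fixedIn: unfixed upstream
    ],
}

def parse_version(v):
    """Dotted numeric prefix only ("8.5.0" -> (8, 5, 0)); suffixes such as -rc1 are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()

@dataclass
class Verdict:
    blocking: list = field(default_factory=list)  # fail the build
    review: list = field(default_factory=list)    # report for manual verification
    fixed: list = field(default_factory=list)     # queried version is already at/after fixedIn
    upgrade_to: str = ""                          # lowest version clearing every blocker

def triage(data, min_severity="medium"):
    """Assumed policy: high confidence blocks at/above min_severity, medium only if critical."""
    threshold = SEVERITY_RANK[min_severity]
    current = parse_version(data["version"]) if data.get("version") else None
    verdict = Verdict()
    for m in data["matches"]:
        fixed_in = m.get("fixedIn")
        if current and fixed_in and current >= parse_version(fixed_in):
            verdict.fixed.append(m["cve"])  # the API's own version analysis should agree
            continue
        rank = SEVERITY_RANK.get(m["severity"], 0)
        if (m["confidence"] == "high" and rank >= threshold) or \
           (m["confidence"] == "medium" and rank == SEVERITY_RANK["critical"]):
            verdict.blocking.append(m["cve"])
        else:
            verdict.review.append(m["cve"])  # low confidence always lands here
    fixes = [m["fixedIn"] for m in data["matches"] if m["cve"] in verdict.blocking and m.get("fixedIn")]
    verdict.upgrade_to = max(fixes, key=parse_version) if fixes else ""
    return verdict
```

Versions are compared on their numeric prefix only, so non-numeric schemes need a different comparator.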
Differences from /osv
| Feature | /osv/:package | /vulns/:package |
|---|---|---|
| Data sources | OSV.dev only | Multiple sources |
| Confidence scores | No | Yes |
| CVE correlation | Basic | Advanced |
| Nix-specific matching | No | Yes |
| Response format | Raw OSV data | Enriched matches |
Caching
This endpoint is cached for 15 minutes. The X-Cache header indicates cache status.