Data Sources
Vulnpatch aggregates security data from multiple authoritative sources to provide comprehensive vulnerability information.
Primary Sources
Nixpkgs Security Tracker
The primary source for tracked CVE issues is the nixpkgs-security-tracker, which automatically creates GitHub issues for CVEs affecting Nix packages.
Data provided:
- CVE identifiers
- Affected packages
- Severity levels (critical, high, medium, low)
- Fix availability status
- Assignment status
OSV.dev
OSV (Open Source Vulnerabilities) is Google's distributed vulnerability database for open source software.
Data provided:
- Vulnerability details across 38+ ecosystems
- Affected version ranges
- References and advisories
- Severity scores
Repology
Repology tracks package versions across hundreds of repositories.
Data provided:
- Current package versions
- Version history
- Cross-repository comparisons
- Upstream release information
Secondary Sources
CVE Database
The CVE Project provides the authoritative CVE identifier assignments.
GitHub Advisories
GitHub Security Advisories provides vulnerability information for packages hosted on GitHub.
NVD (National Vulnerability Database)
NVD provides additional analysis and CVSS scores for CVEs.
Data Freshness
| Source | Update Frequency |
|---|---|
| Nixpkgs Tracker | Real-time (GitHub webhooks) |
| OSV.dev | Hourly |
| Repology | Hourly |
| NVD | Daily |
Data Quality
Vulnpatch applies several quality measures:
- Deduplication: CVEs appearing in multiple sources are merged
- Severity normalization: CVSS scores are normalized to critical/high/medium/low
- Version matching: Affected versions are validated against Repology data
- Confidence scoring: Matches include confidence levels based on data quality
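A sketch of the deduplication and severity normalization steps listed above. This is an added example, not Vulnpatch's own code: the record field names, the "most severe rating wins" merge policy and the constructed CVE IDs are assumptions, and the thresholds are the standard CVSS v3.x qualitative scale, which the page does not confirm Vulnpatch uses.

```python
# Illustrative only: field names and merge policy are assumptions, not Vulnpatch's schema.
RANK = {"unknown": 0, "none": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

def severity_from_cvss(score):
    """Map a CVSS v3.x base score to its qualitative rating."""
    if score is None or not 0.0 <= score <= 10.0:
        return "unknown"          # missing or out-of-range score: do not guess
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"

def merge_records(records):
    """Merge per-source records into one entry per CVE identifier."""
    merged = {}
    for rec in records:
        cve = rec["cve"].strip().upper()   # sources differ in case and whitespace
        # Prefer an explicit label; otherwise derive one from the numeric score.
        label = (rec.get("severity") or severity_from_cvss(rec.get("cvss"))).lower()
        if label not in RANK:
            label = "unknown"
        entry = merged.setdefault(
            cve, {"cve": cve, "severity": "unknown", "packages": set(), "sources": set()}
        )
        # Assumed policy: keep the most severe rating reported by any source.
        if RANK[label] > RANK[entry["severity"]]:
            entry["severity"] = label
        entry["packages"].update(rec.get("packages", []))
        entry["sources"].add(rec["source"])
    return merged

# Constructed sample records (the CVE IDs are placeholders, not real entries).
SAMPLE = [
    {"source": "nixpkgs-tracker", "cve": "CVE-2099-0001", "severity": "high", "packages": ["examplepkg"]},
    {"source": "nvd", "cve": "cve-2099-0001 ", "cvss": 9.8, "packages": []},
    {"source": "osv", "cve": "CVE-2099-0002", "cvss": 5.3, "packages": ["otherpkg"]},
    {"source": "osv", "cve": "CVE-2099-0003", "cvss": None, "packages": ["thirdpkg"]},
]

if __name__ == "__main__":
    for entry in merge_records(SAMPLE).values():
        print(entry["cve"], entry["severity"], sorted(entry["packages"]), sorted(entry["sources"]))
```

Records with no usable score or label stay `unknown` rather than defaulting to a low rating, so missing data is visible downstream instead of being silently deprioritized.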