
Vulnerability Matching

Vulnpatch matches CVEs to package derivations across ecosystems by normalizing package names and correlating versions. This page explains how the matching process works.

The Challenge

CVE databases and package repositories use different naming conventions:

| CVE Source       | Package Name           |
|------------------|------------------------|
| CVE-2024-XXXX    | curl                   |
| GitHub Advisory  | curl/curl              |
| OSV              | libcurl4 (Debian)      |
| Nixpkgs          | curlFull, curl-minimal |

Vulnpatch bridges these naming gaps to provide accurate vulnerability matches.

Matching Algorithm

Step 1: Direct Name Match

First, we try exact package name matches:

Input: "openssl"
→ Match: "openssl" (100% confidence)

Step 2: Prefix/Suffix Analysis

We check for common package naming patterns:

Input: "python3-urllib3"
→ Base package: "urllib3"
→ Ecosystem hint: "python"

Step 3: Alias Resolution

We resolve known package aliases:

Input: "libssl"
→ Alias: "openssl" (Debian naming)

Step 4: Version Correlation

We verify matches by checking version compatibility:

CVE affects: openssl < 3.0.12
Package version: 3.0.11
→ Confirmed vulnerable

Confidence Scores

Each match includes a confidence score:

| Score  | Meaning                                          |
|--------|--------------------------------------------------|
| high   | Exact name match + version confirmed             |
| medium | Fuzzy name match or partial version info         |
| low    | Possible match, manual verification recommended  |
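The four matching steps and the confidence scale above, worked through as an added example. This is illustrative code, not Vulnpatch's implementation: the alias table, prefix and suffix lists, advisory records and CVE identifiers are all constructed for the demonstration (the CVE ids are placeholders, not real advisories), and the version comparison is a numeric-only simplification.

```python
"""Toy CVE-to-package matcher: direct match, prefix/suffix analysis, alias
resolution, version correlation, then a high/medium/low confidence score.
Added example, not Vulnpatch code; all data below is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Step 3 data: known aliases across ecosystems (constructed).
ALIASES = {
    "libssl": "openssl",        # Debian naming
    "libcurl4": "curl",         # Debian naming
    "curl/curl": "curl",        # GitHub Advisory naming
    "curlfull": "curl",         # Nixpkgs variant
    "curl-minimal": "curl",     # Nixpkgs variant
}

# Step 2 data: distro/ecosystem prefixes and suffixes (constructed). The value
# is the ecosystem hint the prefix implies, or None when it implies nothing.
PREFIXES = {"python3-": "PyPI", "python-": "PyPI", "node-": "npm", "lib": None}
SUFFIXES = ("-dev", "-devel")


@dataclass(frozen=True)
class Advisory:
    cve: str
    package: str               # canonical upstream name
    ecosystem: Optional[str]   # None = applies to every ecosystem
    fixed_in: Optional[str]    # versions below this are affected; None = unknown


# Constructed advisory records with placeholder CVE ids.
ADVISORIES = [
    Advisory("CVE-XXXX-0001", "openssl", None, "3.0.12"),
    Advisory("CVE-XXXX-0002", "urllib3", "PyPI", "2.0.7"),
    Advisory("CVE-XXXX-0003", "urllib3", None, None),
    Advisory("CVE-XXXX-0004", "curl", None, "8.5.0"),
]


def canonical_name(name: str):
    """Steps 1-3: returns (base_name, ecosystem_hint, exact).
    exact is True only when the lower-cased input already is the canonical
    name (Step 1); any stripping or alias resolution makes the match fuzzy."""
    n, hint, exact = name.lower(), None, True
    # Step 3 first on the raw name, so "libssl" is not mangled into "ssl".
    if n in ALIASES:
        return ALIASES[n], hint, False
    # Step 2: strip one known prefix and one known suffix.
    for prefix, eco in PREFIXES.items():
        if n.startswith(prefix) and len(n) > len(prefix):
            n, hint, exact = n[len(prefix):], eco, False
            break
    for suffix in SUFFIXES:
        if n.endswith(suffix) and len(n) > len(suffix):
            n, exact = n[: -len(suffix)], False
            break
    if n in ALIASES:  # Step 3 again, in case stripping exposed an alias
        n, exact = ALIASES[n], False
    return n, hint, exact


def parse_version(v: str):
    """Numeric dotted versions only (constructed simplification), padded so
    that 3.0 compares equal to 3.0.0."""
    parts = tuple(int(p) for p in re.findall(r"\d+", v))
    return parts + (0,) * (4 - len(parts))


def match(package: str, version: Optional[str] = None,
          ecosystem: Optional[str] = None):
    """Return matches shaped like the API response on this page, each with
    a confidence following the table above."""
    base, hint, exact = canonical_name(package)
    eco = ecosystem or hint
    results = []
    for adv in ADVISORIES:
        if adv.package != base:
            continue
        # Name-collision guard: an advisory scoped to one ecosystem is skipped
        # when the query (or its prefix hint) points at another ecosystem.
        if adv.ecosystem and eco and adv.ecosystem != eco:
            continue
        # Step 4: version correlation, only when both sides carry a version.
        if version is not None and adv.fixed_in is not None:
            if parse_version(version) >= parse_version(adv.fixed_in):
                continue  # package already carries the fix
            confidence = "high" if exact else "medium"
        else:
            confidence = "medium" if exact else "low"
        results.append({
            "cve": adv.cve,
            "confidence": confidence,
            "affectedVersions": f"< {adv.fixed_in}" if adv.fixed_in else "unknown",
            "fixAvailable": adv.fixed_in is not None,
        })
    return results


if __name__ == "__main__":
    for query in (("openssl", "3.0.11"), ("libssl", "3.0.11"),
                  ("python3-urllib3", "1.26.0"), ("curlFull", None)):
        print(query, "->", match(*query))
```

Two design points carry over to any real matcher: alias resolution runs before prefix stripping so that `libssl` resolves to `openssl` instead of being truncated to `ssl`, and a match only reaches `high` when the name was exact and a concrete version sits below the fix; a missing version on either side caps the score, which is what makes `low` and `medium` results worth a manual check.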

API Response

The /api/v1/vulns/:package endpoint returns matches with confidence:

```json
{
  "success": true,
  "data": {
    "package": "curl",
    "matches": [
      {
        "cve": "CVE-2024-0853",
        "confidence": "high",
        "affectedVersions": "< 8.5.0",
        "fixAvailable": true
      }
    ]
  }
}
```

Improving Match Quality

Provide Ecosystem Hints

```bash
# More precise results with ecosystem parameter
curl "https://api.vulnpatch.dev/api/v1/osv/requests?ecosystem=PyPI"
```

Include Version Information

```bash
# Version-aware matching
curl "https://api.vulnpatch.dev/api/v1/vulns/openssl?version=3.0.11"
```

False Positives

Some false positives are expected. Common causes:

  1. Name collisions: Different packages with the same name in different ecosystems
  2. Stale data: CVE databases may lag behind actual fixes
  3. Transitive dependencies: Vulnerability in a dependency, not the main package

Always verify critical findings manually using the provided CVE references.
