Snyk Vulnerability Database

Introduction

The Snyk Vulnerability Database contains a comprehensive list of known security vulnerabilities. This provides the key security information used by Snyk products to find and fix code vulnerabilities.
You can inspect the database at https://security.snyk.io/, or you can incorporate database information into your own systems.
This database is separate from standards bodies’ databases, as Snyk is recognized as an official authority on security.

About the Vulnerability Database

Snyk security team

We have a group of experts, the Snyk security team, who are dedicated to finding new vulnerabilities, and we have contributed a bunch of discoveries to authorities such as CVE.
Snyk’s security team maintains the database to ensure that it remains highly accurate and free of false positives.
This work includes curating vulnerabilities found or reported elsewhere on the web, as well as doing our own research to uncover previously unknown vulnerabilities, which we then responsibly disclose. Snyk Enterprise users receive early notifications for issues our research uncovers alongside this responsible disclosure process.
  • All items in the database are analyzed and verified.
  • The team also invests in proprietary research to discover new vulnerabilities. See the Snyk disclosed vulnerability list.

Vulnerability sources

Most of the vulnerabilities in our database originate from one of these sources:
  1. Monitoring other vulnerability databases, such as CVEs from NVD and many others.
  2. Monitoring user activity on GitHub, including issues, PRs and commit messages that may indicate a vulnerability.
  3. Bulk research, using tools that look for repeated security mistakes across open source package code.
  4. Manual research, investing our researchers’ time to manually audit more widely used packages for security flaws.
For every issue deemed to be a real vulnerability, we assign the correct CVSS (severity) score and package version specification, create an advisory, and make this issue available to Snyk products for your use.

Incorporating the Vulnerability Database into your systems

Incorporating information into your own systems may be useful for customers who already have their own security products; you can benefit from Snyk’s expertise and accumulated knowledge with access to this database. This gives your development teams access to trusted intelligence, allowing them to rapidly secure open source and container code.

Feeds

The Snyk Vulnerability Database includes two feeds:
Both feed options can be licensed directly.

Incorporation: process overview

Typically:
  1. Snyk helps you to set an integration up for your company, providing documentation with instructions for access.
  2. Snyk sends you database information, typically as a JSON file (see sample code). Note: It is recommended that you save the file in a database.
  3. You can now write code to use the database information in your systems.