§Vulnera Advisors
A Rust library for aggregating and querying security vulnerability advisories from multiple sources including GitHub Security Advisories (GHSA), NIST NVD, and Google OSV.
§Features
- Multi-source aggregation: Fetch from GHSA, NVD, OSV, CISA KEV, and OSS Index
- Unified data model: All sources are normalized to a common Advisory format
- Enrichment: EPSS scores and KEV status for prioritization
- Efficient storage: Redis/DragonflyDB with zstd compression
- Flexible matching: SemVer and ecosystem-specific version matching
§Quick Start
```rust
use vulnera_advisors::{VulnerabilityManager, Config};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Load config from environment
    let config = Config::from_env()?;
    let manager = VulnerabilityManager::new(config).await?;

    // Sync advisories from all sources
    manager.sync_all().await?;

    // Query vulnerabilities for a package
    let advisories = manager.query("npm", "lodash").await?;

    // Check if a specific version is affected
    let affected = manager.matches("npm", "lodash", "4.17.20").await?;

    Ok(())
}
```
§Builder Pattern
For more control over configuration:
```rust
use vulnera_advisors::VulnerabilityManager;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let manager = VulnerabilityManager::builder()
        .redis_url("redis://localhost:6379")
        .with_osv_defaults()
        // Placeholder credentials; load real values from the environment or a secret store
        .with_nvd(Some("your-api-key".to_string()))
        .with_ghsa("your-github-token".to_string())
        .build()?;
    Ok(())
}
```
Re-exports§
pub use config::Config;
pub use config::NvdConfig;
pub use config::OssIndexConfig;
pub use config::StoreConfig;
pub use error::AdvisoryError;
pub use error::Result;
pub use manager::MatchOptions;
pub use manager::PackageKey;
pub use manager::VulnerabilityManager;
pub use manager::VulnerabilityManagerBuilder;
pub use models::Advisory;
pub use models::Affected;
pub use models::Enrichment;
pub use models::Event;
pub use models::Package;
pub use models::Range;
pub use models::RangeType;
pub use models::Reference;
pub use models::ReferenceType;
pub use models::Severity;
pub use store::AdvisoryStore;
pub use store::DragonflyStore;
pub use store::EnrichmentData;
pub use store::HealthStatus;
pub use store::OssIndexCache;
pub use remediation::Remediation;
pub use remediation::UpgradeImpact;
pub use remediation::build_remediation;
pub use remediation::classify_upgrade_impact;
pub use version_registry::PackageRegistry;
pub use version_registry::VersionRegistry;
pub use purl::KNOWN_ECOSYSTEMS;
pub use purl::Purl;
pub use purl::PurlError;
pub use purl::purl;
pub use purl::purls_from_packages;
pub use purl::purls_to_strings;
pub use sources::AdvisorySource;
pub use sources::epss::EpssScore;
pub use sources::epss::EpssSource;
pub use sources::ghsa::GHSASource;
pub use sources::kev::KevEntry;
pub use sources::kev::KevSource;
pub use sources::nvd::NVDSource;
pub use sources::ossindex::ComponentReport;
pub use sources::ossindex::OssIndexSource;
pub use sources::ossindex::OssVulnerability;
pub use sources::osv::OSVSource;
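The Quick Start's `matches("npm", "lodash", "4.17.20")` call and the re-exported `Range`, `Event` and `Affected` models are the version-matching side of the crate, but the page does not show how that matching is evaluated. The block below is an added, stand-alone illustration of the idea, not vulnera_advisors' own code: it parses SemVer versions and evaluates OSV-style `introduced` / `fixed` / `last_affected` events (the schema the crate's OSV source ingests). The `SemVer`, `Event`, `is_affected` and `affected_subset` names are assumptions, and the ranges and versions in `sample_ranges()` and `main` are constructed sample values, not a real advisory.

```rust
// Added example: stand-alone SemVer parsing and OSV-style range matching.
// Not vulnera_advisors' own code; all type and function names are assumptions
// and the advisory data in sample_ranges() is constructed.
use std::cmp::Ordering;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SemVer {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
    /// Pre-release tag ("rc.1" in 2.0.0-rc.1); None for a final release.
    pub pre: Option<String>,
}

impl SemVer {
    /// Parses "1.2.3", "v1.2", "2.0.0-rc.1" or "1.0.0+build"; build metadata is ignored.
    pub fn parse(s: &str) -> Option<SemVer> {
        let s = s.trim().trim_start_matches('v');
        let s = s.split('+').next()?;
        let (core, pre) = match s.split_once('-') {
            Some((c, p)) => (c, Some(p.to_string())),
            None => (s, None),
        };
        let mut parts = core.split('.');
        let major: u64 = parts.next()?.parse().ok()?;
        let minor: u64 = parts.next().unwrap_or("0").parse().ok()?;
        let patch: u64 = parts.next().unwrap_or("0").parse().ok()?;
        if parts.next().is_some() {
            return None; // more than three numeric components is not SemVer
        }
        Some(SemVer { major, minor, patch, pre })
    }
}

impl Ord for SemVer {
    fn cmp(&self, other: &Self) -> Ordering {
        (self.major, self.minor, self.patch)
            .cmp(&(other.major, other.minor, other.patch))
            .then_with(|| match (&self.pre, &other.pre) {
                (None, None) => Ordering::Equal,
                (Some(_), None) => Ordering::Less, // 2.0.0-rc.1 sorts before 2.0.0
                (None, Some(_)) => Ordering::Greater,
                // Simplification: plain string order instead of the spec's
                // identifier-by-identifier pre-release comparison.
                (Some(a), Some(b)) => a.cmp(b),
            })
    }
}

impl PartialOrd for SemVer {
    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
        Some(self.cmp(other))
    }
}

/// OSV-style range events, listed in ascending version order.
#[derive(Debug, Clone)]
pub enum Event {
    Introduced(String),
    Fixed(String),
    LastAffected(String),
}

/// OSV semantics: each `Introduced` opens an interval closed by the next `Fixed`
/// (exclusive) or `LastAffected` (inclusive); an `Introduced` with no closing
/// event affects every later version. Assumes ascending event order; a
/// production matcher should sort the events before evaluating them.
pub fn is_affected(events: &[Event], version: &SemVer) -> bool {
    let mut open: Option<SemVer> = None;
    for ev in events {
        match ev {
            // "0" is OSV's "affected since the first version"; it parses as 0.0.0.
            Event::Introduced(v) => open = SemVer::parse(v),
            Event::Fixed(v) | Event::LastAffected(v) => {
                let inclusive = matches!(ev, Event::LastAffected(_));
                if let (Some(lo), Some(hi)) = (open.take(), SemVer::parse(v)) {
                    if *version >= lo && (*version < hi || (inclusive && *version == hi)) {
                        return true;
                    }
                }
            }
        }
    }
    matches!(&open, Some(lo) if version >= lo) // introduced but never fixed
}

/// Returns the candidates that fall inside any of an advisory's ranges
/// (an advisory often carries one range per supported release line).
pub fn affected_subset(ranges: &[Vec<Event>], candidates: &[&str]) -> Vec<String> {
    candidates
        .iter()
        .filter_map(|c| {
            let v = SemVer::parse(c)?;
            ranges.iter().any(|r| is_affected(r, &v)).then(|| c.to_string())
        })
        .collect()
}

/// Constructed sample: vulnerable before 1.4.2 on the 1.x line and in 2.0.0 only.
pub fn sample_ranges() -> Vec<Vec<Event>> {
    vec![
        vec![Event::Introduced("0".into()), Event::Fixed("1.4.2".into())],
        vec![Event::Introduced("2.0.0".into()), Event::Fixed("2.0.1".into())],
    ]
}

fn main() {
    let installed = ["0.9", "1.4.1", "1.4.2", "2.0.0-rc.1", "2.0.0", "2.0.1"];
    println!("affected: {:?}", affected_subset(&sample_ranges(), &installed));
}
```

The pre-release handling is the detail worth noticing: `2.0.0-rc.1` sorts below `2.0.0`, so it is correctly reported as unaffected by a range that starts at `2.0.0`, while a naive string comparison would flag it. Ecosystem-specific schemes (Debian, RPM, PyPI's PEP 440) need their own comparators, which is what the crate's "ecosystem-specific version matching" feature refers to.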
Modules§
- aggregator: Advisory aggregation and deduplication.
- config: Configuration types for the vulnera-advisors crate.
- error: Error types for the vulnera-advisors crate.
- logging: Logging configuration and initialization.
- manager: Vulnerability manager for orchestrating syncs and queries.
- models: Core data models for vulnerability advisories.
- purl: Package URL (PURL) builder and parser.
- remediation: Safe version remediation analysis.
- sources: Vulnerability data sources.
- store: Storage backends for advisory data.
- version_registry: Package version registry for fetching available versions from package managers.
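The "multi-source aggregation" feature and the `aggregator` module ("advisory aggregation and deduplication") describe the core problem of a tool like this: the same vulnerability arrives as a GHSA record, an NVD CVE record and an OSV record, and the alias links between them are the only thing that ties the three together. The block below is an added illustration of that merge step, not the crate's own aggregator: it groups source records by transitively following alias links with a union-find, then folds each group into one record. The `SourceAdvisory`, `MergedAdvisory` and `merge_advisories` names are assumptions, and every identifier, package and URL in `sample_input()` is a constructed placeholder, not a real advisory.

```rust
// Added example: merging one vulnerability reported by several sources into a
// single record by following alias links (GHSA id <-> CVE id). This is not
// vulnera_advisors' aggregator; type names and all identifiers in
// sample_input() are constructed placeholders.
use std::collections::{BTreeMap, BTreeSet, HashMap};

#[derive(Debug, Clone)]
pub struct SourceAdvisory {
    pub source: &'static str, // "ghsa", "nvd", "osv", ...
    pub id: String,
    pub aliases: Vec<String>,
    pub packages: Vec<String>, // "ecosystem:name"
    pub references: Vec<String>,
}

#[derive(Debug, Clone, Default, PartialEq, Eq)]
pub struct MergedAdvisory {
    pub ids: BTreeSet<String>,
    pub sources: BTreeSet<&'static str>,
    pub packages: BTreeSet<String>,
    pub references: BTreeSet<String>,
}

/// Union-find over identifier strings: two ids end up in the same set when any
/// source lists one as an alias of the other, transitively.
#[derive(Default)]
struct AliasGroups {
    parent: HashMap<String, String>,
}

impl AliasGroups {
    fn find(&mut self, id: &str) -> String {
        let parent = self.parent.get(id).cloned().unwrap_or_else(|| id.to_string());
        if parent == id {
            return parent;
        }
        let root = self.find(&parent);
        self.parent.insert(id.to_string(), root.clone()); // path compression
        root
    }

    fn union(&mut self, a: &str, b: &str) {
        let (ra, rb) = (self.find(a), self.find(b));
        if ra != rb {
            self.parent.insert(ra, rb);
        }
    }
}

/// Folds every source record of one alias group into a single merged record.
pub fn merge_advisories(input: &[SourceAdvisory]) -> Vec<MergedAdvisory> {
    let mut groups = AliasGroups::default();
    for adv in input {
        for alias in &adv.aliases {
            groups.union(&adv.id, alias);
        }
    }
    // Keyed by group root so the output order is deterministic for a given input order.
    let mut merged: BTreeMap<String, MergedAdvisory> = BTreeMap::new();
    for adv in input {
        let root = groups.find(&adv.id);
        let m = merged.entry(root).or_default();
        m.ids.insert(adv.id.clone());
        m.ids.extend(adv.aliases.iter().cloned());
        m.sources.insert(adv.source);
        m.packages.extend(adv.packages.iter().cloned());
        m.references.extend(adv.references.iter().cloned());
    }
    merged.into_values().collect()
}

/// Constructed sample: the same issue seen via GHSA, NVD and OSV, plus an
/// unrelated NVD-only entry. Identifiers are placeholders, not real advisories.
pub fn sample_input() -> Vec<SourceAdvisory> {
    let adv = |source: &'static str, id: &str, aliases: &[&str], packages: &[&str], refs: &[&str]| SourceAdvisory {
        source,
        id: id.to_string(),
        aliases: aliases.iter().map(|s| s.to_string()).collect(),
        packages: packages.iter().map(|s| s.to_string()).collect(),
        references: refs.iter().map(|s| s.to_string()).collect(),
    };
    vec![
        adv("ghsa", "GHSA-xxxx-xxxx-xxxx", &["CVE-0000-00001"], &["npm:example-pkg"], &["https://example.invalid/ghsa"]),
        adv("nvd", "CVE-0000-00001", &[], &[], &["https://example.invalid/nvd"]),
        adv("osv", "GHSA-xxxx-xxxx-xxxx", &["CVE-0000-00001"], &["npm:example-pkg"], &["https://example.invalid/ghsa"]),
        adv("nvd", "CVE-0000-00002", &[], &["pypi:other-pkg"], &[]),
    ]
}

fn main() {
    for m in merge_advisories(&sample_input()) {
        println!("{:?} from {:?}: {:?}", m.ids, m.sources, m.packages);
    }
}
```

Note that the NVD record carries no package or ecosystem data of its own (NVD describes products with CPEs rather than package names), so after the merge the affected package list comes from the GHSA/OSV records while the NVD reference is still attached; that is the practical payoff of normalising into one model rather than keeping three parallel records.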