Skip to content

Common questions

Vulners database and API have many different options to automate vulnerability management tasks. In this section, we address typical issues and deal with the most frequent question from our users.

I cannot find the information for the software I am using. How do I search the Vulners database correctly?

When searching for vulnerabilities in proprietary software (non-standard firmware or etc.) you should check its actual name.

For example, "Acme Packet Net-Net 4500 SCZ7.4.0 MR-2 Patch 3 (Build 503)" will not yield any results in the Vulners database:"Acme Packet"
But if you use its actual name Oracle Communications Session Border Controller, you will find the necessary data:"Oracle Communications Session Border Controller"

It is recommended to use the canonical names available at like CPE identifiers. Next, apply the call described in our documentation.

How do I download the collection and work with it locally? Vulners has 2 methods distributive and collection, what is the difference between the two, and which one should I use?

Please use the archive. The distributive method was made for integration purposes. Both of them return the same data, but distributive method yields a trimmed collection according to OSVersion criterion. Archive will return the data in full.

Which Linux distributions do you support?

You can check the current list here in the UNIX section.

Occasionally, the specified list expands, and if your distro is missing, we can expand our database as needed.

Why are some CVEs not found via API? Why are they missing in distributive?

distributive returns an OSVersion truncated collection to Unix scanning. For example, Ubuntu will not include documents from the CVE collection.

I need to audit Linux, but I cannot figure out how the vulnerabilities and my distributions are related. What data should I use in the API?

The Vulners database relies on the concepts of "vulnerability" and "vendor advisory", which must be separated.

For example, CVE-2013-4235 and its JSON view. In this case, there are 2 key fields needed for checking applicability — affectedSoftware and cpeConfiguration:

  • affectedSoftware is a simplified description of applicability. Logical OR, and, if at least one condition is met, the vulnerability is applicable.
  • cpeConfiguration is a logical tree and, or, not, gives the most accurate description of applicability.

When talking about OS vulnerabilities, raw CVEs are not used, but the vendor's advisory is applied:

Sample document in JSON:

The key field here is affectedPackage, which is a logical OR and describes the applicability of the vulnerability in the following format:

    "OS": "Ubuntu",
    "OSVersion": "20.04",
    "arch": "noarch",
    "operator": "lt",
    "packageFilename": "UNKNOWN",
    "packageName": "libshibsp-plugins",
    "packageVersion": "3.0.4+dfsg1-1ubuntu0.1"

To scan Linux distributions, use only such documents.

If you have not found the answer you were looking for in the above list of questions, contact us by clicking below. We will advise you on the Vulners capabilities and help you solve your tasks.

Team contacts

Back to top