
Common questions and explanations

The Vulners database and API offer many options for automating vulnerability management tasks. This section covers typical issues and the most frequent questions from our users.

I cannot find information in the Vulners database for the software I am using. How do I search correctly?

When searching for vulnerabilities in proprietary software (non-standard firmware, etc.), you should check its actual name.

For example, "Acme Packet Net-Net 4500 SCZ7.4.0 MR-2 Patch 3 (Build 503)" will not have any links in the Vulners database:
https://vulners.com/search?query="Acme Packet"
But if you use its actual name, "Oracle Communications Session Border Controller", the necessary data will be found:
https://vulners.com/search?query="Oracle Communications Session Border Controller"

It is recommended to use the canonical names available at nvd.nist.gov, such as CPE identifiers. Next, apply the call described in our documentation.

How do I download the collection and work with it locally? Vulners has 2 methods, distributive and collection. What is the difference between them, and which one should I use?

Please use the archive. The distributive method was made for integration tasks. Both return the same data, but distributive returns a collection trimmed according to the OSVersion criterion, while archive returns it in full.

Which Linux distributions do you support?

You can check the current list here in the UNIX section.

This list expands from time to time, and if your distro is missing, we can expand our collection as needed.

Why can't some CVEs be found via the API? Why aren't they in distributive?

distributive returns a collection truncated by OSVersion for Unix scanning, for example ubuntu. It will not include documents from the CVE collection.

I need to audit Linux, but I can't figure out how the vulnerabilities and my distributions are related. What data should I use from your API?

The Vulners database has two separate concepts, "vulnerability" and "vendor advisory", which must be distinguished.

For example, take CVE-2013-4235 and its JSON view. In this case, 2 key fields are needed to check applicability: affectedSoftware and cpeConfiguration:

  • affectedSoftware is a simplified description of applicability. It is a logical OR: if at least one condition is met, the vulnerability is applicable.
  • cpeConfiguration is a logical tree of AND, OR and NOT nodes that gives the most accurate description of applicability.

For OS vulnerabilities, raw CVEs are not used; the vendor's advisory is applied instead: https://vulners.com/search?query=type:ubuntu

Sample document in JSON: https://vulners.com/api/v3/search/id/?id=USN-4925-1

The key field in it is affectedPackage, which is a logical OR and describes the applicability of the vulnerability in the following format:

{
    "OS": "Ubuntu",
    "OSVersion": "20.04",
    "arch": "noarch",
    "operator": "lt",
    "packageFilename": "UNKNOWN",
    "packageName": "libshibsp-plugins",
    "packageVersion": "3.0.4+dfsg1-1ubuntu0.1"
}

To scan Linux distributions, use exactly this kind of document.
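
An added example (not Vulners code) of how an audit script could apply affectedPackage entries to a list of installed packages. It assumes that "lt" means the installed version is lower than packageVersion and that Ubuntu versions order by the Debian (dpkg) rules; it ignores arch and packageFilename, and the function names and the installed version are made up for illustration.

```python
import re

def _order(ch):
    # dpkg order for non-digits: "~" first, then letters, then other symbols
    return -1 if ch == "~" else ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_fragment(a, b):
    """Compare two upstream-version or revision strings the way dpkg does."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        for i in range(max(len(na), len(nb))):  # end of a run counts as 0
            x = _order(na[i]) if i < len(na) else 0
            y = _order(nb[i]) if i < len(nb) else 0
            if x != y:
                return -1 if x < y else 1
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(da or 0) != int(db or 0):  # digit runs compare as integers
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def deb_cmp(v1, v2):
    """Return -1, 0 or 1 for versions of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def affected(entries, os_name, os_version, installed):
    """Return the affectedPackage entries that match; any single hit is enough (OR)."""
    hits = []
    for e in entries:
        have = installed.get(e["packageName"])
        if have is None or (e["OS"].lower(), e["OSVersion"]) != (os_name.lower(), os_version):
            continue
        if e["operator"] != "lt":  # only "lt" appears on this page; fail loudly otherwise
            raise ValueError(f"unhandled operator: {e['operator']}")
        if deb_cmp(have, e["packageVersion"]) < 0:  # assumption: lt = installed is older
            hits.append(e)
    return hits

# The entry shown above; the installed version passed below is constructed sample data.
ENTRY = {"OS": "Ubuntu", "OSVersion": "20.04", "arch": "noarch", "operator": "lt",
         "packageFilename": "UNKNOWN", "packageName": "libshibsp-plugins",
         "packageVersion": "3.0.4+dfsg1-1ubuntu0.1"}
print(affected([ENTRY], "ubuntu", "20.04", {"libshibsp-plugins": "3.0.4+dfsg1-1"}))
```

A plain string comparison would rank 3.0.10 below 3.0.4 and mishandle "~" pre-release suffixes, which is why the version comparison is spelled out here.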

If you have gone through these questions but have not found a solution, write to us through the contacts. We will advise you on how to use the capabilities of Vulners to solve your tasks.

Team contacts
