vunnel


- Name: vunnel
- Version: 0.22.2
- home_page: https://github.com/anchore/vunnel
- Summary: vunnel ~= 'vulnerability data funnel'
- upload_time: 2024-05-02 14:20:09
- maintainer: None
- docs_url: None
- author: Alex Goodman
- requires_python: <4.0,>=3.9
- license: Apache-2.0
- keywords: vulnerability, data, aggregator, grype, vulnerability-data
- requirements: No requirements were recorded.
- Travis-CI: No Travis.
- coveralls test coverage: No coveralls.

# vunnel

A tool for fetching, transforming, and storing vulnerability data from a variety of sources.

![vunnel-demo](https://user-images.githubusercontent.com/590471/226942827-e19742ef-e66e-4e11-8f9b-fb74c40f1dee.gif)

Supported data sources:
- Alpine (https://secdb.alpinelinux.org)
- Amazon (https://alas.aws.amazon.com/AL2/alas.rss & https://alas.aws.amazon.com/AL2022/alas.rss)
- Debian (https://security-tracker.debian.org/tracker/data/json & https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/DSA/list)
- GitHub Security Advisories (https://api.github.com/graphql)
- NVD (https://services.nvd.nist.gov/rest/json/cves/2.0)
- Oracle (https://linux.oracle.com/security/oval)
- RedHat (https://www.redhat.com/security/data/oval)
- SLES (https://ftp.suse.com/pub/projects/security/oval)
- Ubuntu (https://launchpad.net/ubuntu-cve-tracker)
- Wolfi (https://packages.wolfi.dev)


## Installation

With pip:

```bash
pip install vunnel
```

With docker:

```bash
# Quote the bind-mount paths so a working directory containing spaces still works.
docker run \
  --rm -it \
  -v "$(pwd)/data:/data" \
  -v "$(pwd)/.vunnel.yaml:/.vunnel.yaml" \
    ghcr.io/anchore/vunnel:latest \
      run nvd
```

Where:
  - the `data` volume keeps the processed data on the host
  - the `.vunnel.yaml` volume makes the host application config (if present) available inside the container
  - you can swap `latest` for a specific version (same as the git tags)

See [the vunnel package](https://github.com/anchore/vunnel/pkgs/container/vunnel) for a full listing of available tags.


## Getting Started

List the available vulnerability data providers:

```
$ vunnel list

alpine
amazon
chainguard
debian
github
mariner
nvd
oracle
rhel
sles
ubuntu
wolfi
```

Download and process a provider:

```
$ vunnel run wolfi

2023-01-04 13:42:58 root [INFO] running wolfi provider
2023-01-04 13:42:58 wolfi [INFO] downloading Wolfi secdb https://packages.wolfi.dev/os/security.json
2023-01-04 13:42:59 wolfi [INFO] wrote 56 entries
2023-01-04 13:42:59 wolfi [INFO] recording workspace state
```

You will see the processed vulnerability data in the local `./data` directory:

```
$ tree data

data
└── wolfi
    ├── checksums
    ├── metadata.json
    ├── input
    │   └── secdb
    │       └── os
    │           └── security.json
    └── results
        └── wolfi:rolling
            ├── CVE-2016-2781.json
            ├── CVE-2017-8806.json
            ├── CVE-2018-1000156.json
            └── ...
```

*Note: to get more verbose output, use `-v`, `-vv`, or `-vvv` (e.g. `vunnel -vv run wolfi`)*
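
An added example (not part of the vunnel project or its README): a short Python script that walks the workspace layout shown in the tree listing above, counts the result files that parse as JSON per provider and namespace, and reports any that do not, which is a useful check before handing the data to a downstream consumer. The names `inventory` and `build_sample` and the sample file contents are assumptions made for illustration; only the directory layout comes from the listing.

```python
import json
import tempfile
from collections import Counter
from pathlib import Path


def inventory(root):
    """Summarise result files per provider/namespace under a vunnel data root.

    Assumes the on-disk layout shown in the tree listing:
    <root>/<provider>/results/<namespace>/<id>.json
    """
    counts, unreadable = Counter(), []
    for path in sorted(Path(root).glob("*/results/*/*.json")):
        provider, namespace = path.parts[-4], path.parts[-2]
        try:
            json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            # Truncated or corrupt result: report it instead of counting it.
            unreadable.append(str(path.relative_to(root)))
            continue
        counts[(provider, namespace)] += 1
    return dict(counts), unreadable


def build_sample(root):
    """Constructed sample workspace; file contents are placeholders, not vunnel's schema."""
    ns = Path(root) / "wolfi" / "results" / "wolfi:rolling"
    ns.mkdir(parents=True)
    for cve in ("CVE-2016-2781", "CVE-2017-8806"):
        (ns / f"{cve}.json").write_text(json.dumps({"id": cve}), encoding="utf-8")
    # Simulate a write that was cut short.
    (ns / "CVE-2018-1000156.json").write_text('{"id": "CVE-2018', encoding="utf-8")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        counts, bad = inventory(build_sample(tmp))
        for (provider, namespace), n in counts.items():
            print(f"{provider} {namespace}: {n} readable result(s)")
        for rel in bad:
            print(f"unreadable: {rel}")
```

To check a real workspace, call `inventory("./data")` (or whatever `root` is set to in `.vunnel.yaml`).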

Delete existing input and result data for one or more providers:

```
$ vunnel clear wolfi

2023-01-04 13:48:31 root [INFO] clearing wolfi provider state
```

Example config file for changing application behavior:

```yaml
# .vunnel.yaml
root: ./processed-data

log:
  level: trace

providers:
  wolfi:
    request_timeout: 125
    runtime:
      existing_input: keep
      existing_results: delete-before-write
      on_error:
        action: fail
        input: keep
        results: keep
        retry_count: 3
        retry_delay: 10

```

Use `vunnel config` to get a better idea of all of the possible configuration options.


## FAQ


### Can I implement a new provider?

Yes you can! See [the provider docs](https://github.com/anchore/vunnel/blob/main/DEVELOPING.md#adding-a-new-provider) for more information.


### Why is it called "vunnel"?

This tool "funnels" vulnerability data into a single spot for easy processing... say "vulnerability data funnel" 100x fast enough and eventually it'll slur to "vunnel" :).

            
