arschlochnop/vulndb

Snyk Vulnerability Database

This is the vulnerability database used by Snyk, a tool that helps you find and fix known vulnerabilities in your Node.js dependencies, both ad hoc and as part of your CI (Build) system.

Note: Snyk is currently in beta. Email us your feedback.

Structure

Under the data/npm folder you will find one folder per vulnerable npm package, named after the package, and inside each of those a YYYYMMDD-named folder containing the data files. For example, the latest Denial of Service vulnerability in the ms package has the path npm/ms/20151024/.

data/
  npm/
    bassmaster/
      20140927/
        README.md
        data.json
        bassmaster_vuln_fix.patch
    jsonwebtoken/
      20150331/
        README.md
        data.json
      20150304/
        README.md
        data.json

Vulnerabilities

The data.json file contains the actual information about the vulnerability. It can optionally reference other files, like the vulnerability description (README.md) or patch files located in the same folder.

Key attributes of the vulnerability data file (see the full schema):

  • title: title of the vulnerability
  • credit: list of credited reporters
  • description: vulnerability description. Can reference an external file, e.g. file://README.md
  • semver
    • vulnerable: vulnerable versions semver range
  • CVSSv3: CVSS v3 score
  • severity: severity of the vulnerability
  • identifiers
  • patches
    • urls: list of patch files or URLs. Each entry can point to a local file (file://fix.patch) or to a remote URL (e.g. https://github.com/author/repo/commit/hash.patch)
    • version: semver range of the versions the patch applies to
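To make the layout and the data.json attributes above concrete, here is an added example (not code from the Snyk vulndb project) that builds a constructed database in a temporary directory using the npm/ms/20151024 path mentioned earlier, walks the data/npm tree, checks that each data.json carries the key attributes, resolves file:// references relative to the entry folder (rejecting any that escape it), and matches a package version against the vulnerable semver range. The range matcher is a deliberately minimal one written for this example (comparators, `||` alternatives and `*` only; no tilde/caret/hyphen syntax), and the sample entry's contents, including the CVSSv3 vector and the empty identifiers object, are constructed placeholders rather than real Snyk data.

```python
import json
import os
import re
import tempfile

# Key attributes the README lists for data.json (the full schema lives in the repo;
# this checker only knows about these).
REQUIRED_KEYS = ("title", "credit", "description", "semver", "CVSSv3",
                 "severity", "identifiers", "patches")

# One comparator: optional operator followed by MAJOR.MINOR.PATCH.
_COMPARATOR_RE = re.compile(r"^(<=|>=|<|>|=)?v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(version):
    """'1.2.3' -> (1, 2, 3). Prerelease/build suffixes are rejected on purpose."""
    m = _COMPARATOR_RE.match(version.strip())
    if not m or m.group(1):
        raise ValueError(f"not a plain semver version: {version!r}")
    return tuple(int(x) for x in m.groups()[1:])


def _comparator_holds(ver, comparator):
    m = _COMPARATOR_RE.match(comparator)
    if not m:
        raise ValueError(f"unsupported comparator: {comparator!r}")
    op = m.group(1) or "="
    bound = tuple(int(x) for x in m.groups()[1:])
    return {"<": ver < bound, "<=": ver <= bound, ">": ver > bound,
            ">=": ver >= bound, "=": ver == bound}[op]


def version_in_range(version, range_expr):
    """Minimal semver range check: space-separated comparators are ANDed,
    alternatives are separated by '||', and '*' (or an empty range) matches all."""
    ver = parse_version(version)
    for alternative in range_expr.split("||"):
        comparators = alternative.split()
        if not comparators or comparators == ["*"]:
            return True
        if all(_comparator_holds(ver, c) for c in comparators):
            return True
    return False


def resolve_file_ref(entry_dir, ref):
    """Map 'file://README.md' to an absolute path inside entry_dir. Non-file://
    values (e.g. https URLs) pass through; paths escaping the folder are refused."""
    if not ref.startswith("file://"):
        return ref
    entry_dir = os.path.abspath(entry_dir)
    path = os.path.abspath(os.path.join(entry_dir, ref[len("file://"):]))
    if os.path.commonpath([entry_dir, path]) != entry_dir:
        raise ValueError(f"reference escapes entry folder: {ref}")
    if not os.path.isfile(path):
        raise FileNotFoundError(f"{ref} referenced from {entry_dir} is missing")
    return path


def load_vuln(entry_dir):
    """Load one data.json, check the key attributes and resolve file:// refs."""
    with open(os.path.join(entry_dir, "data.json"), encoding="utf-8") as f:
        data = json.load(f)
    missing = [k for k in REQUIRED_KEYS if k not in data]
    if missing:
        raise ValueError(f"{entry_dir}: missing attributes {missing}")
    desc = resolve_file_ref(entry_dir, data["description"])
    if desc != data["description"]:  # it was a file:// reference: inline the text
        with open(desc, encoding="utf-8") as f:
            data["description"] = f.read()
    for patch in data["patches"]:
        patch["urls"] = [resolve_file_ref(entry_dir, u) for u in patch["urls"]]
    return data


def walk_db(data_root):
    """Yield (package, YYYYMMDD, entry_dir) for every data/npm/<pkg>/<YYYYMMDD>/."""
    npm_dir = os.path.join(data_root, "npm")
    for pkg in sorted(os.listdir(npm_dir)):
        pkg_dir = os.path.join(npm_dir, pkg)
        for day in sorted(os.listdir(pkg_dir)):
            entry_dir = os.path.join(pkg_dir, day)
            if re.fullmatch(r"\d{8}", day) and os.path.isfile(os.path.join(entry_dir, "data.json")):
                yield pkg, day, entry_dir


def find_vulns(data_root, package, version):
    """Every entry for `package` whose vulnerable range contains `version`."""
    hits = []
    for pkg, _day, entry_dir in walk_db(data_root):
        if pkg == package:
            vuln = load_vuln(entry_dir)
            if version_in_range(version, vuln["semver"]["vulnerable"]):
                hits.append(vuln)
    return hits


def _write(path, text):
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def build_sample_db():
    """Constructed sample database (placeholder content, not real Snyk data)."""
    root = tempfile.mkdtemp(prefix="vulndb-")
    entry_dir = os.path.join(root, "npm", "ms", "20151024")
    os.makedirs(entry_dir)
    sample = {
        "title": "Regular Expression Denial of Service (ReDoS)",
        "credit": ["Example Reporter"],                     # constructed
        "description": "file://README.md",
        "semver": {"vulnerable": "<0.7.1"},
        "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",  # placeholder vector
        "severity": "high",
        "identifiers": {},                                  # sub-keys not given by the README
        "patches": [{"urls": ["file://fix.patch"], "version": "<0.7.1 >=0.7.0"}],
    }
    _write(os.path.join(entry_dir, "data.json"), json.dumps(sample))
    _write(os.path.join(entry_dir, "README.md"), "## Overview\nConstructed description text.\n")
    _write(os.path.join(entry_dir, "fix.patch"), "--- a/index.js\n+++ b/index.js\n")
    return root
```

Calling `find_vulns(build_sample_db(), "ms", "0.7.0")` returns the single entry with its description inlined from README.md and the patch URL resolved to an absolute path; `"0.7.1"` falls outside `<0.7.1` and returns nothing. The path check in `resolve_file_ref` matters because data.json comes from a public repository: a `file://../../...` reference should fail loudly rather than read whatever it points at.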

Patches

Patch files are unified GNU diffs that make the minimal modifications required to fix the vulnerability.
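A patch in the database is only useful if it still applies cleanly to the vulnerable version it targets. The following added example (written for this page, not code from the Snyk project) is a small zero-fuzz unified-diff applier that a contributor could use to dry-run a patch against a package's source before committing it: it parses `@@ -a,b +c,d @@` hunks and fails with the offending line number if any context or removed line no longer matches. The JavaScript snippet and the patch it checks are constructed samples.

```python
import re

# "@@ -old_start,old_len +new_start,new_len @@"; the ",len" parts default to 1.
HUNK_HEADER = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")


def parse_hunks(patch_text):
    """Split a unified diff into hunks: [{'old_start', 'old_len', 'lines'}].
    Strict by design: a removed line whose content starts with '-- ' would be
    mistaken for a file header, which is acceptable for a dry-run checker."""
    hunks, current = [], None
    for line in patch_text.splitlines():
        if line.startswith(("--- ", "+++ ", "diff ", "index ")):
            current = None  # file header; hunks that follow belong to a new file
            continue
        m = HUNK_HEADER.match(line)
        if m:
            old_len = int(m.group(2)) if m.group(2) is not None else 1
            current = {"old_start": int(m.group(1)), "old_len": old_len, "lines": []}
            hunks.append(current)
        elif current is not None and line[:1] in (" ", "+", "-"):
            current["lines"].append(line)
        # "\ No newline at end of file" and anything else is ignored.
    return hunks


def apply_patch(original, patch_text):
    """Apply the hunks to `original` with zero fuzz. Raises ValueError when a
    context or removed line does not match the source exactly."""
    src = original.splitlines()
    out, pos = [], 0  # pos: index of the next unconsumed source line
    for hunk in parse_hunks(patch_text):
        # old_len == 0 means "insert after line old_start" (e.g. @@ -0,0 +1,2 @@)
        start = hunk["old_start"] - 1 if hunk["old_len"] else hunk["old_start"]
        if start < pos:
            raise ValueError("hunks overlap or are out of order")
        out.extend(src[pos:start])
        pos = start
        for line in hunk["lines"]:
            tag, body = line[0], line[1:]
            if tag in " -":  # context and removed lines must match the source
                found = src[pos] if pos < len(src) else "<EOF>"
                if found != body:
                    raise ValueError(f"hunk does not apply at line {pos + 1}: "
                                     f"expected {body!r}, found {found!r}")
                pos += 1
            if tag in " +":  # context and added lines are emitted
                out.append(body)
    out.extend(src[pos:])
    return "\n".join(out) + ("\n" if original.endswith("\n") else "")


def patch_applies(original, patch_text):
    """True if the patch applies cleanly, False otherwise (dry-run)."""
    try:
        apply_patch(original, patch_text)
        return True
    except ValueError:
        return False


# Constructed sample: a tiny module and a patch that adds an input-length guard.
VULNERABLE_SOURCE = "function parse(str) {\n  return str.match(re);\n}\n"
FIX_PATCH = """--- a/index.js
+++ b/index.js
@@ -1,3 +1,4 @@
 function parse(str) {
+  if (str.length > 100) return null;
   return str.match(re);
 }
"""

if __name__ == "__main__":
    print(apply_patch(VULNERABLE_SOURCE, FIX_PATCH))
    print("applies to renamed function:",
          patch_applies(VULNERABLE_SOURCE.replace("parse", "parseDuration"), FIX_PATCH))
```

Zero fuzz is the right default for a database patch: if the upstream file drifted, the patch should be regenerated against the exact vulnerable version rather than silently applied a few lines off.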

Contributing

See CONTRIBUTING.

Credit

We’d like to credit the Node Security Project, RetireJS and Open Source Vulnerability Database for tracking and documenting many of these vulnerabilities. This allowed the Snyk research team to focus more on fixing the issues, providing smart upgrade advice and writing code patches.

About

Snyk's public vulnerability database
