Vulnerability Feeds
Sysdig Vulnerability Management Data Sources and Feeds
Sysdig Secure continuously checks against a wide range of vulnerability databases. The current database list includes:
- NIST NVD
- VulnDB
- NPM
- Python
- Ruby
- Alpine Linux
- CentOS
- Debian
- Red Hat
- Red Hat EUS
- Rocky ERRATA
- Ubuntu
- Amazon Linux
- Alibaba Linux
- Oracle Linux
- Chainguard
- Wolfi
- Amazon Bottlerocket
- PHP Advisory
- Go Vulnerability Database
- GitHub Advisories
- GitLab Advisories
- FIRST.org EPSS
- AlmaLinux
- SUSE
- Azure Linux
- Gentoo GLSA
- Photon OS
Vulnerability Feed Synchronization Interval
Sysdig aims to sync vulnerability feeds at least once per day. In general, feeds are synchronized every 8 hours to maintain up-to-date vulnerability data.
Individual feeds may experience synchronization issues, prompting manual synchronizations. As a result, the precise timing for synchronization of specific feeds may vary slightly.
Supported Operating Systems
Non-OS-Based Sources and Supported Package Types
Non‑OS‑Based Sources | Matched Package Types | Source | CVSS Score | Severity | Fix Date | Publish Date | Disclosure Date |
---|---|---|---|---|---|---|---|
NPM (JavaScript) | NPM (JavaScript) | NPM | NVD | NVD | VulnDB | NPM | NPM |
Python (PyPI) | Python | Python Advisory > GitHub > GitLab | NVD | NVD | VulnDB | Python Advisory | Python Advisory |
Ruby | Ruby Gems | GitHub > GitLab > Ruby Advisory | NVD | NVD | VulnDB | GitHub | GitHub |
Rust | Cargo (Rust) | GitHub | NVD | NVD | VulnDB | GitHub | GitHub |
Go | Golang (built with Go 1.13+), Go Runtime | GitHub > GitLab > Go Vulnerability Database | NVD | NVD | VulnDB | GitHub | GitHub |
Java | Java JAR, WAR, EAR | GitHub > GitLab | NVD | NVD | VulnDB | GitHub | GitHub |
PHP | Composer (PHP) | PHP Advisory > GitHub > GitLab | NVD | NVD | VulnDB | PHP Advisory | PHP Advisory |
C# | NuGet (.NET) | GitHub | NVD | NVD | VulnDB | GitHub | GitHub |
Column Legend
Column | Description |
---|---|
Source | The specific database or advisory where Sysdig matches vulnerabilities, whether it’s from a vendor, an operating system, or a non‑OS package. |
Matched Package Types / Versions | The programming languages or operating system versions that are scanned for vulnerabilities, matched against specific sources. For packages, it indicates supported types, and for OS, the supported versions. |
CVSS Score | The primary vulnerability score, such as NVD, displayed in the UX or reports. Additional scores from vendor-specific sources may also be available. |
Severity | The primary severity level derived from the score, shown in the UX or reports. Vendor-specific severities may also be displayed where applicable. |
Fix Date | For OS-based sources, this field indicates the scheduled remediation date determined by a hierarchy: Vendor Fix Date > NVD Fix Date > VulnDB Fix Date. For non‑OS‑based sources—where a dedicated fix date isn’t provided—this field is marked as N/A. |
Publish Date | The date the vulnerability was published, sourced directly from the vendor’s security feed. |
Disclosure Date | The date the vulnerability was publicly disclosed, also sourced directly from the vendor’s security feed. |