## OS

| OS | Source |
|---|---|
| Arch Linux | Vulnerable Issues |
| Alpine Linux | secdb |
| Wolfi Linux | secdb |
| Amazon Linux | Amazon Linux Security Center |
| Debian | Security Bug Tracker, OVAL |
| Ubuntu | Ubuntu CVE Tracker |
| RHEL/CentOS | OVAL, Security Data |
| AlmaLinux | AlmaLinux Product Errata |
| Rocky Linux | Rocky Linux UpdateInfo |
| Oracle Linux | OVAL |
| CBL-Mariner | OVAL |
| OpenSUSE/SLES | CVRF |
| Photon OS | Photon Security Advisory |
## Programming Language

| Language | Source | Commercial Use | Delay[^1] |
|---|---|---|---|
| PHP | PHP Security Advisories Database | ✅ | - |
| PHP | GitHub Advisory Database (Composer) | ✅ | - |
| Python | GitHub Advisory Database (pip) | ✅ | - |
| Python | Open Source Vulnerabilities (PyPI) | ✅ | - |
| Ruby | Ruby Advisory Database | ✅ | - |
| Ruby | GitHub Advisory Database (RubyGems) | ✅ | - |
| Node.js | Ecosystem Security Working Group | ✅ | - |
| Node.js | GitHub Advisory Database (npm) | ✅ | - |
| Java | GitLab Advisories Community | ✅ | 1 month |
| Java | GitHub Advisory Database (Maven) | ✅ | - |
| Go | GitLab Advisories Community | ✅ | 1 month |
| Go | The Go Vulnerability Database | ✅ | - |
| Rust | Open Source Vulnerabilities (crates.io) | ✅ | - |
| .NET | GitHub Advisory Database (NuGet) | ✅ | - |
| C/C++ | GitLab Advisories Community | ✅ | 1 month |
| Dart | GitHub Advisory Database (Pub) | ✅ | - |
| Elixir | GitHub Advisory Database (Erlang) | ✅ | |
## Others

| Name | Source |
|---|---|
| National Vulnerability Database | NVD |
## Data source selection

Trivy only consumes security advisories from the sources listed in the tables above.

For packages installed from OS package managers (dpkg, yum, apk, etc.), Trivy uses the advisory database of the corresponding OS vendor. For example, for a Python package installed from yum (Amazon Linux), Trivy will only get advisories from [ALAS][amazon2]. For a Python package installed from another source (e.g. pip), Trivy will get advisories from the GitLab and GitHub databases.

This advisory selection is essential to avoid false positives: OS vendors usually backport upstream fixes, so the vendor's fixed version can differ from the upstream fixed version, and matching an OS package against the upstream fixed version would flag packages that are already patched. The severity comes from the selected data source. If that source does not provide a severity, Trivy falls back to NVD; if NVD has no severity either, the severity is reported as UNKNOWN.
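The selection and fallback rules above, as an added illustrative model (not Trivy's own code): the advisories, CVE ids and versions are constructed sample data, and the version comparison is a naive numeric split rather than a real dpkg/rpm/semver comparator.

```python
"""Illustrative model of per-package advisory source selection and severity
fallback. Written for this page; it is not Trivy's code. All advisories,
CVE ids and versions are constructed, and parse_version() is a naive
numeric split, not a real dpkg/rpm/semver comparator."""
import re

OS_PACKAGE_MANAGERS = {"dpkg", "yum", "apk"}

# Constructed data: Debian backported the fix into 1.26.5-1+deb11u1,
# while upstream fixed the same issue only in 1.26.18.
VENDOR_DB = {
    ("debian", "urllib3"): [
        {"id": "CVE-0000-0001", "fixed": "1.26.5-1+deb11u1", "severity": None},
    ],
}
LANGUAGE_DB = {
    ("pip", "urllib3"): [
        {"id": "CVE-0000-0001", "fixed": "1.26.18", "severity": "HIGH"},
        {"id": "CVE-0000-0002", "fixed": "1.26.19", "severity": None},
    ],
}
NVD = {"CVE-0000-0001": "HIGH"}  # CVE-0000-0002 intentionally absent


def parse_version(v):
    """Naive comparison key: numeric components only (illustration)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def select_advisories(pkg):
    """OS-installed packages use the vendor DB; everything else the language DB."""
    if pkg["installer"] in OS_PACKAGE_MANAGERS:
        return "vendor", VENDOR_DB.get((pkg["os"], pkg["name"]), [])
    return "language", LANGUAGE_DB.get((pkg["installer"], pkg["name"]), [])


def resolve_severity(adv):
    """Severity from the selected source, then NVD, otherwise UNKNOWN."""
    return adv["severity"] or NVD.get(adv["id"]) or "UNKNOWN"


def scan(pkg):
    """Return findings for one package, using only its selected source."""
    source, advisories = select_advisories(pkg)
    installed = parse_version(pkg["version"])
    return [
        {"id": a["id"], "source": source, "fixed": a["fixed"],
         "severity": resolve_severity(a)}
        for a in advisories if installed < parse_version(a["fixed"])
    ]
```

With the constructed data, the dpkg-installed package yields no finding because the vendor DB knows about the backport, whereas the same version matched against the upstream fixed version would have been a false positive; the pip-installed package yields two findings, the second with severity UNKNOWN after both fallbacks fail.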
[^1]: Intentional delay between vulnerability disclosure and registration in the DB.