Skip to content

OS

OS Source
Arch Linux Vulnerable Issues
Alpine Linux secdb
Wolfi Linux secdb
Chainguard secdb
Amazon Linux Amazon Linux Security Center
Debian Security Bug Tracker
OVAL
Ubuntu Ubuntu CVE Tracker
RHEL/CentOS OVAL
Security Data
AlmaLinux AlmaLinux Product Errata
Rocky Linux Rocky Linux UpdateInfo
Oracle Linux OVAL
CBL-Mariner OVAL
OpenSUSE/SLES CVRF
Photon OS Photon Security Advisory

Programming Language

Language Source Commercial Use Delay1
PHP PHP Security Advisories Database -
GitHub Advisory Database (Composer) -
Python GitHub Advisory Database (pip) -
Open Source Vulnerabilities (PyPI) -
Ruby Ruby Advisory Database -
GitHub Advisory Database (RubyGems) -
Node.js Ecosystem Security Working Group -
GitHub Advisory Database (npm) -
Java GitLab Advisories Community 1 month
GitHub Advisory Database (Maven) -
Go GitLab Advisories Community 1 month
The Go Vulnerability Database -
Rust Open Source Vulnerabilities (crates.io) -
.NET GitHub Advisory Database (NuGet) -
C/C++ GitLab Advisories Community 1 month
Dart GitHub Advisory Database (Pub) -
Elixir GitHub Advisory Database (Erlang)

Others

Name Source
National Vulnerability Database NVD

Data source selection

Trivy only consumes security advisories from the sources listed in the following tables.

As for packages installed from OS package managers (dpkg, yum, apk, etc.), Trivy uses the advisory database from the appropriate OS vendor.

For example: for a python package installed from yum (Amazon linux), Trivy will only get advisories from [ALAS][amazon2]. But for a python package installed from another source (e.g. pip), Trivy will get advisories from the GitLab and GitHub databases.

This advisory selection is essential to avoid getting false positives because OS vendors usually backport upstream fixes, and the fixed version can be different from the upstream fixed version. The severity is from the selected data source. If the data source does not provide severity, it falls back to NVD, and if NVD does not have severity, it will be UNKNOWN.


  1. Intentional delay between vulnerability disclosure and registration in the DB