Airbnb's information security team wrote about their internal security vulnerability reporting tool called Vulnture. It utilizes the CVE, NVD and other vendor databases and scans infrastructure and the software stack for discovered vulnerabilities.
The Common Vulnerabilities and Exposures (CVE) list was started in 1999, and the National Vulnerability Database (NVD) six years later in 2005. The NVD uses the data in CVE, enhances the information, and provides additional search features. Software vendor sites also publish their own vulnerability feeds, which may or may not end up in these two databases. To utilize this data well, there has to be a record of infrastructure assets (operating system versions, hardware, applications, libraries, open source software) to match against. A reporting tool also needs to be able to query this inventory easily and correlate the items against the combined list of vulnerabilities. Vulnture was built to connect these dots.
Written in Python, Vulnture pulls inventory data from Amazon DynamoDB, although it's unclear how the database is populated. Vulnture does not store any state, and runs as an AWS Lambda function. Along with NVD and CVE, it queries Cisco Security Advisories. Vulnture can send email notifications for discovered vulnerabilities.
The number of reported open source vulnerabilities rose to nearly 6000 in 2019, according to a report by WhiteSource, compared to 4000 the previous year. A 2020 Linux Foundation report noted that "legacy open source is pervasive in commercial solutions".
Each CVE entry has a unique ID assigned to it. Many CVEs do not have information about the versions of the affected software, and also end up late in the NVD. This has led to concerns regarding delays in updating the NVD after a vulnerability is discovered. According to the WhiteSource report, only "84% of known open source vulnerabilities appear in the NVD". This conclusion is echoed by another report from Synopsys, which advises to "look for a supplemental source to NVD data", and also in a study from RiskSense. Vulnture pulls data from vendor sources that disclose vulnerabilities to mitigate this as much as possible.
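The correlation step described above (an inventory of assets matched against a combined vulnerability list, with entries that lack version information handled separately) is shown below as an added example. It is not Vulnture's code; the inventory rows, the vulnerability records and the placeholder IDs (`CVE-0000-…`) are all constructed for illustration. The records borrow the field names of the NVD JSON feeds (`cpe23Uri`, `versionStartIncluding`, `versionEndExcluding`) so the matching rules are realistic, but the data itself is made up.

```python
"""Correlate an asset inventory against vulnerability records.

Added example, not Vulnture's code. Vulnerability records mimic the shape
of NVD JSON feed entries (a cpe23Uri plus optional version bounds); the
inventory mimics what a tool like Vulnture would read from its asset store.
All data below is constructed for illustration.
"""
import re

# Constructed inventory: one row per (asset, vendor, product, version).
INVENTORY = [
    {"asset": "edge-router-01", "vendor": "cisco", "product": "ios_xe", "version": "16.9.3"},
    {"asset": "web-01", "vendor": "nginx", "product": "nginx", "version": "1.18.0"},
    {"asset": "web-02", "vendor": "nginx", "product": "nginx", "version": "1.20.1"},
    {"asset": "build-01", "vendor": "openbsd", "product": "openssh", "version": "8.4"},
]

# Constructed vulnerability records with placeholder IDs.
VULNS = [
    {"id": "CVE-0000-0001", "cpe23Uri": "cpe:2.3:o:cisco:ios_xe:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "16.9.0", "versionEndExcluding": "16.9.4"},
    {"id": "CVE-0000-0002", "cpe23Uri": "cpe:2.3:a:nginx:nginx:*:*:*:*:*:*:*:*",
     "versionEndExcluding": "1.19.0"},
    # Record with no version information: the article notes many CVEs look like this.
    {"id": "CVE-0000-0003", "cpe23Uri": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*"},
]


def parse_cpe(cpe23uri):
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    fields = cpe23uri.split(":")
    return fields[3], fields[4], fields[5]


def version_key(version):
    """Split a version into comparable numeric/alpha segments, e.g. '8.4p1'."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def match_status(version, record):
    """Return 'affected', 'needs_review' (no version data) or None (not affected)."""
    _, _, cpe_version = parse_cpe(record["cpe23Uri"])
    bounds = [k for k in ("versionStartIncluding", "versionStartExcluding",
                          "versionEndIncluding", "versionEndExcluding") if k in record]
    if cpe_version not in ("*", "-"):
        # CPE names an exact version: match only on equality.
        return "affected" if version_key(version) == version_key(cpe_version) else None
    if not bounds:
        # Wildcard version and no range: cannot confirm or rule out by matching.
        return "needs_review"
    v = version_key(version)
    if "versionStartIncluding" in record and v < version_key(record["versionStartIncluding"]):
        return None
    if "versionStartExcluding" in record and v <= version_key(record["versionStartExcluding"]):
        return None
    if "versionEndIncluding" in record and v > version_key(record["versionEndIncluding"]):
        return None
    if "versionEndExcluding" in record and v >= version_key(record["versionEndExcluding"]):
        return None
    return "affected"


def correlate(inventory, vulns):
    """Join inventory rows to vulnerability records on vendor/product, then by version."""
    findings = []
    for item in inventory:
        for record in vulns:
            vendor, product, _ = parse_cpe(record["cpe23Uri"])
            if (vendor, product) != (item["vendor"], item["product"]):
                continue
            status = match_status(item["version"], record)
            if status:
                findings.append({"asset": item["asset"], "id": record["id"], "status": status})
    return findings


def summarize(findings):
    """Count findings per status, the shape a notification email would report."""
    counts = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in correlate(INVENTORY, VULNS):
        print(f)
    print(summarize(correlate(INVENTORY, VULNS)))
```

The `needs_review` status is the practical answer to records without version data: the match is surfaced rather than silently dropped or reported as a confirmed hit, so an analyst can check the vendor advisory the NVD entry lacks.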
Vulnture is open source, and there are commercial offerings of similar tools. The term "Software Composition Analysis" (SCA) refers to a class of tools that can scan a product for its open source dependencies and their publicly disclosed vulnerabilities, if any. Sometimes the vulnerabilities exist in indirect dependencies, which, according to a report by Snyk, account for the majority of vulnerabilities. SCA tools aim to mitigate the challenges brought on by manual tracking of such details. Some providers in this space include BlackDuck, Snyk, and WhiteSource (non-exhaustive list). SCA tools form a part of DevSecOps initiatives.
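To illustrate why indirect dependencies matter for SCA, the added example below resolves a small dependency graph transitively, records the path by which each package is pulled in, and checks the flattened set against an advisory list. This is not code from Vulnture or from any SCA vendor; the package names, versions and advisory IDs (`ADV-…`) are constructed placeholders.

```python
"""Transitive dependency resolution for a toy SCA check.

Added example, not Vulnture's or any vendor's code. The dependency graph and
advisory list are constructed; package names and ADV-... IDs are placeholders.
"""
from collections import deque

# Constructed manifest: each (name, version) lists the packages it requires.
DEPENDENCY_GRAPH = {
    ("myapp", "1.0.0"): [("webfw", "2.3.1"), ("yamllib", "5.1")],
    ("webfw", "2.3.1"): [("tmpl", "2.11.2"), ("httpc", "1.25.8")],
    ("tmpl", "2.11.2"): [("escape", "1.1.1")],
    ("httpc", "1.25.8"): [],
    ("yamllib", "5.1"): [],
    ("escape", "1.1.1"): [],
}

# Constructed advisories keyed by exact (name, version).
ADVISORIES = {
    ("yamllib", "5.1"): "ADV-0001 (placeholder)",
    ("httpc", "1.25.8"): "ADV-0002 (placeholder)",
    ("escape", "1.1.1"): "ADV-0003 (placeholder)",
}


def resolve(root, graph):
    """Breadth-first walk; returns {package: path_from_root} for every reachable package."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in graph.get(pkg, []):
            if dep in paths:  # already seen; also guards against cycles
                continue
            paths[dep] = paths[pkg] + [dep]
            queue.append(dep)
    return paths


def scan(root, graph, advisories):
    """Flatten the tree and report each advisory hit with its depth and pull-in path."""
    findings = []
    for pkg, path in resolve(root, graph).items():
        if pkg in advisories:
            depth = len(path) - 1  # 1 = direct dependency of root
            findings.append({
                "package": f"{pkg[0]}@{pkg[1]}",
                "advisory": advisories[pkg],
                "depth": depth,
                "direct": depth == 1,
                "path": " -> ".join(f"{n}@{v}" for n, v in path),
            })
    return sorted(findings, key=lambda f: f["depth"])


def indirect_share(findings):
    """Fraction of findings that sit in indirect (transitive) dependencies."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if not f["direct"]) / len(findings)


if __name__ == "__main__":
    results = scan(("myapp", "1.0.0"), DEPENDENCY_GRAPH, ADVISORIES)
    for r in results:
        print(r)
    print(f"indirect share: {indirect_share(results):.0%}")
```

Keeping the pull-in path for each hit is what makes the report actionable: the fix for an indirect finding is usually an upgrade of the direct dependency that drags it in, not of the vulnerable package itself.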
Vulnture’s source code is available on GitHub.