NuGet Vulnerability Databases: GHSA, CVE & NVD Compared
When working with NuGet packages, scanning them for vulnerabilities is an important step in application development. Sure, a lot of NuGet users will tell you that even critical vulnerabilities are pretty unlikely to be exploited, but that doesn’t mean you can just ignore them. Developers still need to know what’s lurking out there, how they can affect code, if a workaround is needed, and so on.
But, when it comes to scanning NuGet packages for vulnerabilities, which database is the best choice? GHSA, CVE, NVD—what’s the real difference between these heavy hitters?
In this article, we’ll explore the primary vulnerability databases, their backgrounds, differences, and their relevance and functionality to NuGet package vulnerability scanning.
GHSA, CVE, and NVD
The GitHub Advisory Database (GHSA) is essentially a curated list of known security vulnerabilities, split into two buckets: “GitHub Reviewed” advisories, which have detailed information about the vulnerability and can be tracked on a GitHub dependency graph, and unreviewed advisories. GitHub pulls its list of vulnerabilities from different sources, including…
The National Vulnerability Database (NVD) is the U.S. government’s repository of “standards-based vulnerability management data,” represented using the Security Content Automation Protocol (SCAP). You can use the NVD to automate vulnerability management and security measurement. That said, it’s known for being a bit slow to update after new vulnerabilities pop up. The NVD list is based on and fully synced with…
The Common Vulnerabilities and Exposures (CVE) list, a community effort launched by the non-profit MITRE, extensively documents publicly known information-security vulnerabilities and exposures. The CVE program relies on partners to publish CVE records, so everyone is on the same page when talking about a specific vulnerability across the internet.

What’s the Difference?
All three of these databases do the same thing: report on discovered vulnerabilities. We can see the main difference between the three in how NuGet checks for vulnerabilities:
⚙ The built-in vulnerability scanning available in NuGet references GitHub Advisories;
⚙ GitHub Advisories references CVE;
⚙ CVE references NVD for any more information.

What really sets these three apart is how much info they actually give you. GitHub’s got a curated list, which might have many vulnerabilities listed, but if a vulnerability is marked “unreviewed,” you might get stuck with zero details. CVE records all reported vulnerabilities, but doesn’t analyze all reports. NVD, on the other hand, does analyze CVE records, pulling data from descriptions, references, and any extra public info it can find.
Long story short: NVD’s your go-to for the most detailed vulnerability info. The problem? NuGet’s built-in scanning can only pull from the GitHub Advisory Database.
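As an added example (not code from the original article), the script below walks the GHSA -> CVE -> NVD chain described above: it parses the JSON that `dotnet list package --vulnerable --format json` emits (field names are assumed from recent .NET SDKs; check them against your SDK's output), then resolves each GHSA id against constructed records standing in for the GitHub Advisory Database's OSV JSON. Advisories that are unreviewed or carry no CVE alias are flagged for manual review, since neither CVE nor NVD can add detail to them.

```python
"""Bridge NuGet's built-in audit (GHSA ids) to CVE aliases and NVD pages."""
import json
import re

# Constructed sample in the shape of `dotnet list package --vulnerable --format json`
# output (field names as I understand recent .NET SDKs emit them; verify on yours).
AUDIT_JSON = """{
  "version": 1, "parameters": "--vulnerable",
  "projects": [{"path": "src/App/App.csproj", "frameworks": [{"framework": "net8.0",
    "topLevelPackages": [{"id": "Example.Package", "requestedVersion": "1.0.0",
      "resolvedVersion": "1.0.0", "vulnerabilities": [
        {"severity": "High", "advisoryurl": "https://github.com/advisories/GHSA-xxxx-xxxx-xxxx"},
        {"severity": "Moderate", "advisoryurl": "https://github.com/advisories/GHSA-yyyy-yyyy-yyyy"}
      ]}]}]}]}"""

# Constructed GHSA records (placeholder ids) trimmed to the OSV fields we need.
# The first is GitHub Reviewed and aliased to a CVE; the second is unreviewed
# with no alias, so neither CVE nor NVD can add any detail to it.
GHSA_RECORDS = {
    "GHSA-xxxx-xxxx-xxxx": {"aliases": ["CVE-0000-00001"], "database_specific": {"github_reviewed": True}},
    "GHSA-yyyy-yyyy-yyyy": {"aliases": [], "database_specific": {"github_reviewed": False}},
}


def ghsa_ids(audit_json: str) -> dict:
    """Map each GHSA id NuGet reported to the package/version that carries it."""
    found = {}
    for project in json.loads(audit_json)["projects"]:
        for fw in project["frameworks"]:
            # transitivePackages only appears when --include-transitive was used
            for pkg in fw.get("topLevelPackages", []) + fw.get("transitivePackages", []):
                for vuln in pkg.get("vulnerabilities", []):
                    m = re.search(r"GHSA-\w{4}-\w{4}-\w{4}", vuln["advisoryurl"])
                    if m:
                        found[m.group(0)] = f'{pkg["id"]} {pkg["resolvedVersion"]}'
    return found


def triage(audit_json: str, records: dict) -> list:
    """Follow GHSA -> CVE alias -> NVD detail page for each finding; anything
    unreviewed or without a CVE alias is flagged for manual review."""
    rows = []
    for ghsa, pkg in ghsa_ids(audit_json).items():
        rec = records.get(ghsa, {})
        cves = [a for a in rec.get("aliases", []) if a.startswith("CVE-")]
        reviewed = rec.get("database_specific", {}).get("github_reviewed", False)
        rows.append({"package": pkg, "ghsa": ghsa, "reviewed": reviewed,
                     "cve": cves[0] if cves else None,
                     "nvd_url": f"https://nvd.nist.gov/vuln/detail/{cves[0]}" if cves else None,
                     "manual_review": not (reviewed and cves)})
    return rows
```

In practice you would feed `triage` the real audit output and GHSA records fetched from the GitHub Advisory Database, then route the `manual_review` rows into the routine package review the article recommends.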
How does this affect my NuGet Packages?
Vulnerabilities only appear on each list after they’ve been reported, so any workarounds a NuGet developer whips up will be retroactive. Luckily, these NuGet package vulnerabilities are practically impossible to exploit.
While an important security measure, vulnerability scanning doesn’t accomplish more than connecting to publicly available databases. Automating your vulnerability scans with tools like ProGet is a step in the right direction, but we recommend introducing routine manual reviews for any packages you may download from open-source websites. Other steps you can take to help promote NuGet standards in your teams are encouraging best authoring practices or setting up filters to avoid unwanted NuGet packages.
You’ll probably want to refer to this again at some point so be sure to save this page for when you need it! For more insights, check out our eBook, “NuGet at Scale”. It’s packed with info on filtering unwanted packages, debugging NuGet packages with Symbols and Source Link, and much more! Grab your free copy today!