GitHub vs. CVE vs. NVD, What's the Best for NuGet Vulnerability Scanning?
by Eric Seng, on Feb 1, 2022 10:03:00 AM
For NuGet packages, a vulnerability isn’t the end of the world.
Most NuGet users can agree that even a critical vulnerability is difficult to exploit. That doesn’t change the fact developers need to be aware of these vulnerabilities, how they can affect code, if a work-around is needed, and so on.
What’s the best database to check for NuGet vulnerabilities? Is there even a difference between the big three?
This article will detail the main vulnerabilities databases and how they all relate to NuGet vulnerability scanning.
GitHub Advisories, CVE, and NVD
The GitHub Advisory Database is a curated list of known security vulnerabilities grouped into either “GitHub Reviewed” advisories, or unreviewed advisories. Reviewed entries have detailed information about the vulnerability and can be tracked on a GitHub dependency graph. GitHub sources it’s list of vulnerabilities from multiple locations, including…
The National Vulnerability Database (NVD), a U.S government repository of “standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP).” The NVD’s database can be used to automate vulnerability management and security measurement. It has a history, however, of being slow to update after a vulnerability is discovered. The NVD list is based upon and fully synchronized with...
The Common Vulnerabilities and Exposures (CVE) list, non-profit NGO launched by MITRE as a community effort, extensively documents publicly known information-security vulnerabilities and exposures. The CVE relies on Partners to publish CVE Records so there is consistent across the internet when discussing one vulnerability.
What’s the Difference?
All three of these databases do the same thing: report on discovered vulnerabilities.
We can see the main difference between the three via NuGet checking for vulnerabilities:
- The built-in vulnerability scanning available in NuGet references GitHub Advisories;
- GitHub Advisories references CVE;
- CVE references NVD for any more information.
The amount of information available sets the three apart. GitHub, again, is a curated list. While it may have many vulnerabilities listed, if said vulnerability is “unreviewed” it may not have any details. CVE records all vulnerabilities reported to it, but it does not analyze all reports. NVD meanwhile does analyze CVE Records by aggregating data points from descriptions, references supplied, and any other supplementary public data.
Ultimately, this means NVD is the best source for vulnerabilities. Unfortunately, the built-in scanning in NuGet packages can only use GitHub Advisory.
How does this affect my NuGet Packages?
Vulnerabilities only appear on the lists after they’ve been reported, so anything a NuGet developer does will be retroactive. Like mentioned at the top of the article, NuGet package vulnerabilities are practically impossible to exploit.
While it’s an important step in your security measures, NuGet vulnerability scanning doesn’t do more than connect to publicly available databases. Automating your vulnerability scans with tools like ProGet can help up your measures, but we also recommend introducing routine human-reviewed process for any packages you may download from open-source websites.
Did you find this article helpful? Are you using NuGet to make your .NET packages? Learn how to optimize your NuGet in the Enterprise; sign up for our free NuGet guide: