When working with NuGet packages, scanning them for vulnerabilities is an important step in application development.
Most NuGet users can agree that even a critical vulnerability is difficult to exploit. That doesn’t change the fact that developers need to be aware of these vulnerabilities, how they can affect code, whether a workaround is needed, and so on.
But when it comes to scanning for NuGet vulnerabilities, which database out of GHSA, CVE, and NVD is the best choice? Is there a significant distinction between these three major contenders?
This article explores the primary vulnerability databases and their relevance to NuGet vulnerability scanning.
GHSA, CVE, and NVD
The GitHub Advisory Database (GHSA) is a curated list of known security vulnerabilities grouped into either “GitHub Reviewed” advisories or unreviewed advisories. Reviewed entries have detailed information about the vulnerability and can be tracked on a GitHub dependency graph. GitHub sources its list of vulnerabilities from multiple locations, including…
The National Vulnerability Database (NVD) is a U.S. government repository of “standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP).” The NVD’s database can be used to automate vulnerability management and security measurement. It has a history, however, of being slow to update after a vulnerability is discovered. The NVD list is based upon and fully synchronized with…
The Common Vulnerabilities and Exposures (CVE) list, a community effort launched by MITRE (a non-profit NGO), extensively documents publicly known information-security vulnerabilities and exposures. CVE relies on Partners to publish CVE Records so that there is consistency across the internet when discussing one vulnerability.
What’s the Difference?
All three of these databases do the same thing: report on discovered vulnerabilities.
We can see the main difference between the three via NuGet checking for vulnerabilities:
- The built-in vulnerability scanning available in NuGet references GitHub Advisories;
- GitHub Advisories references CVE;
- CVE references NVD for any more information.
The amount of information available sets the three apart. GitHub, again, is a curated list. While it may have many vulnerabilities listed, if a given vulnerability is “unreviewed” it may not have any details. CVE records all vulnerabilities reported to it, but it does not analyze all reports. NVD, meanwhile, does analyze CVE Records by aggregating data points from descriptions, references supplied, and any other supplementary public data.
Ultimately, this means NVD is the best source for vulnerability details. Unfortunately, the built-in scanning in NuGet can only use the GitHub Advisory Database.
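Because the built-in NuGet scan only reports the GHSA entry for each finding, a practical first step is to collect those findings in one place, decide which severities block a build, and then follow the advisory links (GHSA to CVE to NVD) for the ones that matter. The script below is an added example, not code from the original article or from NuGet or ProGet. It assumes the JSON shape produced by `dotnet list package --vulnerable --include-transitive --format json` (projects, frameworks, topLevelPackages and transitivePackages, each package carrying a `vulnerabilities` list with `severity` and `advisoryurl`); the embedded report, package names and advisory URLs are constructed placeholders, and the `run_scan` helper is only used when a project path is passed on the command line.

```python
"""Gate a build on the output of `dotnet list package --vulnerable`.

Added example; not code from the article, NuGet or ProGet. The JSON
shape below is an assumption about the dotnet CLI's `--format json`
output: confirm it against your own SDK's output before relying on it.
"""
import json
import subprocess
import sys

# NuGet/GHSA severity labels, ranked so a threshold can be applied.
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample report (not a real scan). Package ids and GHSA URLs
# are placeholders, not real identifiers.
SAMPLE_REPORT = """{
  "version": 1,
  "parameters": "--vulnerable --include-transitive",
  "sources": ["https://api.nuget.org/v3/index.json"],
  "projects": [
    {
      "path": "src/App/App.csproj",
      "frameworks": [
        {
          "framework": "net8.0",
          "topLevelPackages": [
            {
              "id": "Example.DirectDependency",
              "requestedVersion": "1.0.0",
              "resolvedVersion": "1.0.0",
              "vulnerabilities": [
                {"severity": "Moderate",
                 "advisoryurl": "https://github.com/advisories/GHSA-xxxx-xxxx-xxx1"}
              ]
            }
          ],
          "transitivePackages": [
            {
              "id": "Example.TransitiveDependency",
              "resolvedVersion": "2.3.4",
              "vulnerabilities": [
                {"severity": "High",
                 "advisoryurl": "https://github.com/advisories/GHSA-xxxx-xxxx-xxx2"},
                {"severity": "Low",
                 "advisoryurl": "https://github.com/advisories/GHSA-xxxx-xxxx-xxx3"}
              ]
            }
          ]
        }
      ]
    }
  ]
}"""


def extract_findings(report_json):
    """Flatten the report into one dict per (project, package, advisory)."""
    report = json.loads(report_json)
    findings = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            for kind in ("topLevelPackages", "transitivePackages"):
                for pkg in fw.get(kind, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        findings.append({
                            "project": project.get("path"),
                            "framework": fw.get("framework"),
                            "package": pkg["id"],
                            "version": pkg.get("resolvedVersion"),
                            "direct": kind == "topLevelPackages",
                            "severity": vuln["severity"].lower(),
                            "advisory": vuln["advisoryurl"],
                        })
    return findings


def blocking_findings(findings, threshold="high"):
    """Return the findings whose severity is at or above the threshold."""
    floor = SEVERITY_RANK[threshold.lower()]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= floor]


def run_scan(project_path):
    """Invoke the dotnet CLI for a real project (requires the .NET SDK)."""
    proc = subprocess.run(
        ["dotnet", "list", project_path, "package", "--vulnerable",
         "--include-transitive", "--format", "json"],
        capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    raw = run_scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    found = extract_findings(raw)
    for f in found:
        scope = "direct" if f["direct"] else "transitive"
        print(f"{f['severity']:<8} {scope:<10} {f['package']} "
              f"{f['version']}  {f['advisory']}")
    # The advisory URL is the GHSA entry; an unreviewed entry may carry no
    # details, so follow its CVE link to the NVD record before deciding on
    # an upgrade or workaround.
    sys.exit(1 if blocking_findings(found, "high") else 0)
```

Run with no arguments to exercise the constructed report, or pass a project or solution path to scan a real one. The threshold is deliberately a parameter: transitive findings are included so that a High in a dependency you never reference directly still blocks, while Low and Moderate entries are listed for review without failing the build.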
How does this affect my NuGet Packages?
Vulnerabilities only appear on the lists after they’ve been reported, so anything a NuGet developer does will be retroactive. As mentioned at the top of the article, NuGet package vulnerabilities are practically impossible to exploit.
While it’s an important step in your security measures, NuGet vulnerability scanning doesn’t do more than connect to publicly available databases. Automating your vulnerability scans with tools like ProGet can help strengthen your measures, but we also recommend introducing a routine human-reviewed process for any packages you may download from open-source websites.
Other steps you can take to help promote NuGet standards to your team are encouraging best authoring practices or setting up filters to avoid unwanted NuGet packages.