Exploit & Vulnerability Intelligence

Package Manager Support

VulnCheck Exploit & Vulnerability Intelligence supports a wide range of both Open Source Software library package managers and Operating System package managers.

VulnCheck Exploit & Vulnerability Intelligence tracks package dependencies across a wide range of programming language package managers and Operating System package managers.

For tracked packages, VulnCheck includes vulnerability, license, research attributes, and fix information when possible.

Supported Programming Language Package Managers

Below is a list of currently supported Programming Language package managers:

Package Manager	Index Name	Example Detection
Cargo (Rust)	cargo	https://api.vulncheck.com/v3/purl?purl=pkg:cargo/fltk@0.13.9
CocoaPods (Swift, Objective-C)	cocoapods	https://api.vulncheck.com/v3/purl?purl=pkg:cocoapods/OLMKit@3.1.0
Composer (PHP)	composer	https://api.vulncheck.com/v3/purl?purl=pkg:composer/shopware/platform@6.4.19.0
Conan (C/C++)	conan	https://api.vulncheck.com/v3/purl?purl=pkg:conan/assimp@5.1.0
gem (Ruby)	gem	https://api.vulncheck.com/v3/purl?purl=pkg:gem/rack@2.2.6.3
Golang	golang	https://api.vulncheck.com/v3/purl?purl=pkg:golang/google.golang.org/grpc@v1.52.0-dev.0.20221122221613-09fc1a349826
Hackage (Haskell)	hackage	https://api.vulncheck.com/v3/purl?purl=pkg:hackage/aeson@0.3.2.8
hex (Erlang, Elixir)	hex	https://api.vulncheck.com/v3/purl?purl=pkg:hex/coherence@0.1.2
Maven (Java, Scala, Kotlin, Clojure, Groovy, Gosu)	maven	https://api.vulncheck.com/v3/purl?purl=pkg:maven/org.keycloak/keycloak-services@21.0.0
npm (JavaScript, TypeScript, CoffeeScript, Scala.js)	npm	https://api.vulncheck.com/v3/purl?purl=pkg:npm/sysend@1.3.2
NuGet (C#, F#, Visual Basic)	nuget	https://api.vulncheck.com/v3/purl?purl=pkg:nuget/Masuit.Tools.Core@1.9.5.1
opam (OCaml)	opam	https://api.vulncheck.com/v3/purl?purl=pkg:opam/jose@0.8.1
PyPI (Python)	pypi	https://api.vulncheck.com/v3/purl?purl=pkg:pypi/aioxmpp@0.6.0
Pub (Dart/Flutter)	pub	https://api.vulncheck.com/v3/purl?purl=pkg:pub/archive@1.0.8
Swift	swift	https://api.vulncheck.com/v3/purl?purl=pkg:swift/github.com/vapor/leaf-kit@1.0.0

Supported Operating System Package Managers

Below is a list of currently supported Operating System package managers:

Package Manager	Index Name	Example Detection
Alma Linux	alma	https://api.vulncheck.com/v3/purl?purl=pkg:rpm/alma/dovecot@2.3.16-2.el8%3Fdistro=almalinux-8
Alpine Linux	alpine	https://api.vulncheck.com/v3/purl?purl=pkg:apk/alpine/curl@7.54.0-r0?arch=x86
Amazon Linux	amazon	https://api.vulncheck.com/v3/purl?purl=pkg:rpm/amazon/openswan@2.6.36-2.15%3Farch=x86_64%26distro=amazon-linux-1
Arch Linux	arch	https://api.vulncheck.com/v3/purl?purl=pkg:alpm/arch/linux-zen@5.9.6.zen1-1%3Farch=x86_64%26distro=arch
CBL-Mariner	cbl-mariner	https://api.vulncheck.com/v3/purl?purl=pkg:rpm/cbl-mariner/busybox@1.31.0-21
CentOS	centos	https://api.vulncheck.com/v3/purl?purl=pkg:rpm/centos/ipsec-tools@0.2.5-0.7?arch=i386&distro=rhel3.3
Chainguard	chainguard	https://api.vulncheck.com/v3/purl?purl=pkg:apk/chainguard/zlib@1.2.11-r3?arch=x86
Debian	debian	https://api.vulncheck.com/v3/purl?purl=pkg:deb/debian/e2fsprogs@1.46.2-2?arch=arm64%26distro=debian-11
Fedora Linux	fedora	https://api.vulncheck.com/v3/purl?purl=pkg:rpm/fedora/bsdtar@3.6.0-3.fc37%3Farch=x86_64%26distro=fedora-37
Oracle Linux	oracle	https://api.vulncheck.com/v3/purl?purl=pkg:rpm/oracle/bash@3.2-33.el5.1.0.1%3Farch=x86_64%26distro=oracle-linux-5
Red Hat Enterprise Linux (RHEL)	redhat	https://api.vulncheck.com/v3/purl?purl=pkg:rpm/redhat/bash-0@4.4.18-14.el8%3Farch=x86_64%26distro=redhat-enterprise-linux-8.0
Rocky Linux	rocky	https://api.vulncheck.com/v3/purl?purl=pkg:rpm/rocky/libidn2@2.1.2.el8%3Farch=x86_64%26distro=rocky-8
SUSE Linux Enterprise Server (SLES)	suse	https://api.vulncheck.com/v3/purl?purl=pkg:rpm/suse/GraphicsMagick-devel@1.3.25%3Farch=x86_64%26distro=opensuse-leap-42.3
Ubuntu Linux	ubuntu	https://api.vulncheck.com/v3/purl?purl=pkg:deb/ubuntu/vim@2:8.1.2269-1ubuntu5.12%3Fdistro=ubuntu-22.04
Wolfi	wolfi	https://api.vulncheck.com/v3/purl?purl=pkg:apk/wolfi/zlib@1.2.11-r3?arch=x86

Query by Package URL

To query for vulnerabilities by Package URL (purl), simply call /v3/purl?purl=:purl as follows:

curl --request GET \
    --url https://api.vulncheck.com/v3/purl?purl=pkg:pypi/aioxmpp@0.6.0 \
    --header 'Accept: application/json' \
    --header 'Authorization: Bearer insert_token_here'

package main

import (
  "encoding/json"
    "fmt"
  "log"
    "github.com/vulncheck-oss/sdk-go"
)

func main() {
    client := sdk.Connect("https://api.vulncheck.com", "insert_token_here")
    response, err := client.GetPurl("pkg:pypi/aioxmpp@0.6.0")

    if err != nil {
        panic(err)
    }

    prettyJSON, err := json.MarshalIndent(response.Data, "", "  ")
    if err != nil {
        log.Fatalf("Failed to generate JSON: %v", err)
        return
    }

    fmt.Println(string(prettyJSON))
}

import vulncheck_sdk

configuration = vulncheck_sdk.Configuration(host="https://api.vulncheck.com/v3")
configuration.api_key["Bearer"] = "insert_token_here"

with vulncheck_sdk.ApiClient(configuration) as api_client:
    endpoints_client = vulncheck_sdk.EndpointsApi(api_client)

    api_response = endpoints_client.purl_get("pkg:pypi/aioxmpp@0.6.0")

    print(api_response.data)

vulncheck purl "pkg:pypi/aioxmpp@0.6.0"

The above example requests a list of vulnerabilities in version 0.6.0 of the aioxmpp package from pypi.

Download Offline Backup

To request a specific offline backup, simply call /v3/backup/:index as follows:

curl --request GET \
    --url https://api.vulncheck.com/v3/backup/gem \
    --header 'Accept: application/json' \
    --header 'Authorization: Bearer insert_token_here'

package main

import (
    "fmt"
    "github.com/vulncheck-oss/sdk-go"
)

func main() {
    client := sdk.Connect("https://api.vulncheck.com", "insert_token_here")
    response, err := client.GetIndexBackup("gem")

    if err != nil {
        panic(err)
    }

    fmt.Println(response.Urls())
}

import vulncheck_sdk

configuration = vulncheck_sdk.Configuration(host="https://api.vulncheck.com/v3")
configuration.api_key["Bearer"] = "insert_token_here"

with vulncheck_sdk.ApiClient(configuration) as api_client:
    endpoints_client = vulncheck_sdk.EndpointsApi(api_client)

    api_response = endpoints_client.backup_index_get("gem")

    print(api_response.data[0].url)

vulncheck backup download gem

The above example requests an offline backup for the gem index, which is the index tracking Ruby Gems. Note: downloading an offline backup requires a paid subscription license to VulnCheck.

NVD Migration

Package URL Detections