This is the multi-page printable view of this section.
Click here to print.
Return to the regular view of this page.
This is the multi-page printable view of this section.
Click here to print.
Return to the regular view of this page.
Open-source packages are invaluable as they not only reduce costs but also foster community-driven improvements, enabling users to customize solutions to fit specific needs.
By discovering these open-source frameworks, users can tap into a wealth of resources to enhance their projects, streamline workflows, and contribute to the broader open-source community.
Endor Labs Vulnerability Database is a comprehensive database of vulnerabilities in open-source packages. It is updated daily and provides a wealth of information on vulnerabilities.
Endor Labs provides DroidGPT to search for open-source packages and vulnerabilities. You can also use Endor Labs to search for AI models.
The following sections provide information on how to discover open-source packages and vulnerabilities.
Search for Open Source Packages
Open source packages provide flexible, customizable software solutions that can significantly reduce development costs and time, while also fostering innovation through community collaboration.
To look for open source packages, navigate to Discover > OSS Packages.
-
Type in the search bar to look for open source packages and click Search Open Source Packages.
-
Select a search result to view more details.
-
Choose the Ecosystem and click Search Open Source Packages to look for packages by their ecosystem.
Endor Labs Vulnerability Database
A vulnerability is a security weakness in a software package that attackers can exploit to compromise systems, steal data, or disrupt operations. Open-source software often contains vulnerabilities that can introduce risks to your organization, if not managed properly.
Endor Labs vulnerability database is a comprehensive compilation of known software vulnerabilities. You can search the vulnerability database to identify and discover vulnerabilities within your software dependencies.
The following are the vulnerability IDs that can be used to search within the Endor Labs platform:
| Identifier type |
Example |
Description |
| CVE ID |
CVE-2023-45678 |
The most common global identifier for vulnerabilities. It is managed by MITRE and is widely used. |
| GHSA ID |
GHSA-xxxx-xxxx-xxxx |
GitHub Security Advisory ID for vulnerabilities reported by GitHub. |
| PySEC ID |
PYSEC-2023-123 |
Identifier for vulnerabilities in Python packages, sourced from the Python Packaging Advisory Database. |
| MAL ID |
MAL-xxxx-xxxx |
Identifier for malware advisories. The data is sourced from OSV and flags packages linked to malicious activity. |
Note
Vulnerability searches are supported only for identifiers included in the meta.name or spec.aliases fields.
Search for a vulnerability
Search for vulnerabilities using supported security identifiers across your software dependencies.
-
Sign in to Endor Labs and select Discover > Vulnerabilities from the left sidebar.
-
Type a search query using a vulnerability ID (for example, CVE, GHSA) and click Search Vulnerabilities.
You can view detailed information including the name of the vulnerability, CVE ID, vulnerability’s severity, description, and metadata to help users quickly identify important details about a vulnerability.
-
Select Affected Packages to view a list of all software packages impacted by the identified vulnerability, including their names, introduced and fixed versions, and the source of the vulnerability data.
-
Select a package to view its details.
-
Overview: Shows affected and fixed versions, severity, available patches, impacted classes, and a link to the fix commit. It helps users understand the issue and take necessary remediation steps.
-
Endor Details: Shows affected call paths and file paths to help identify where the vulnerable code is used and how it may be triggered in the project
-
Impact: Shows each package version, along with the number of findings, how many projects use it, and how many other packages depend on it
-
Select Containers to see all container images in your organization with known vulnerabilities. It lists which packages are affected, where the issues were introduced, whether fixes are available, and the severity of the issues.
