Metadata-Version: 2.4
Name: vunnel
Version: 0.40.1
Summary: vunnel ~= 'vulnerability data funnel'
Project-URL: repository, https://github.com/anchore/vunnel
Author-email: Alex Goodman <alex.goodman@anchore.com>
License: Apache-2.0
License-File: LICENSE
Keywords: aggregator,data,grype,vulnerability,vulnerability-data
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: Intended Audience :: System Administrators
Classifier: Natural Language :: English
Classifier: Operating System :: MacOS
Classifier: Operating System :: POSIX :: Linux
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: Utilities
Requires-Python: <3.14,>=3.11
Requires-Dist: click<9.0.0,>=8.1.3
Requires-Dist: colorlog<7.0.0,>=6.7.0
Requires-Dist: cvss<4.0,>=2.6
Requires-Dist: defusedxml<1.0.0,>=0.7.1
Requires-Dist: ijson<3.0,>=2.5.1
Requires-Dist: importlib-metadata<9.0.0,>=7.0.1
Requires-Dist: iso8601<3.0.0,>=2.1.0
Requires-Dist: mashumaro<4.0,>=3.10
Requires-Dist: mergedeep<2.0.0,>=1.3.4
Requires-Dist: oras<1.0.0,>=0.1.0
Requires-Dist: orjson<4.0.0,>=3.8.6
Requires-Dist: packageurl-python<1.0.0,>=0.16.0
Requires-Dist: pytest-snapshot<1.0.0,>=0.9.0
Requires-Dist: python-dateutil<3.0.0,>=2.8.2
Requires-Dist: pyyaml<7.0,>=6.0
Requires-Dist: requests<3.0.0,>=2.28.1
Requires-Dist: sqlalchemy>=2.0.43
Requires-Dist: xsdata[cli,lxml,soap]<23.0,>=22.12
Requires-Dist: xxhash<4.0.0,>=3.1.0
Requires-Dist: zstandard<0.24,>=0.22
Description-Content-Type: text/markdown

# vunnel

**A tool for fetching, transforming, and storing vulnerability data from a variety of sources.**

[![GitHub release](https://img.shields.io/github/release/anchore/vunnel.svg)](https://github.com/anchore/vunnel/releases/latest)
[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/anchore/vunnel/blob/main/LICENSE)
[![Join our Discourse](https://img.shields.io/badge/Discourse-Join-blue?logo=discourse)](https://anchore.com/discourse)

![vunnel-demo](https://user-images.githubusercontent.com/590471/226942827-e19742ef-e66e-4e11-8f9b-fb74c40f1dee.gif)

Supported data sources:
- Alpine (https://secdb.alpinelinux.org)
- Amazon (https://alas.aws.amazon.com/AL2/alas.rss & https://alas.aws.amazon.com/AL2022/alas.rss)
- Azure (https://github.com/microsoft/AzureLinuxVulnerabilityData)
- Debian (https://security-tracker.debian.org/tracker/data/json & https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/DSA/list)
- Echo (https://advisory.echohq.com/data.json)
- GitHub Security Advisories (https://api.github.com/graphql)
- NVD (https://services.nvd.nist.gov/rest/json/cves/2.0)
- Oracle (https://linux.oracle.com/security/oval)
- RedHat (https://www.redhat.com/security/data/oval)
- SLES (https://ftp.suse.com/pub/projects/security/oval)
- Ubuntu (https://launchpad.net/ubuntu-cve-tracker)
- Wolfi (https://packages.wolfi.dev)


## Installation

With pip:

```bash
pip install vunnel
```

With docker:

```bash
docker run \
  --rm -it \
  -v $(pwd)/data:/data \
  -v $(pwd)/.vunnel.yaml:/.vunnel.yaml \
    ghcr.io/anchore/vunnel:latest  \
      run nvd
```
Where:
  - the `data` volume keeps the processed data on the host
  - the `.vunnel.yaml` uses the host application config (if present)
  - you can swap `latest` for a specific version (same as the git tags)

See [the vunnel package](https://github.com/anchore/vunnel/pkgs/container/vunnel) for a full listing of available tags.


## Getting Started

List the available vulnerability data providers:

```
$ vunnel list

alpine
amazon
chainguard
debian
echo
github
mariner
minimos
nvd
oracle
rhel
sles
ubuntu
wolfi
```

Download and process a provider:

```
$ vunnel run wolfi

2023-01-04 13:42:58 root [INFO] running wolfi provider
2023-01-04 13:42:58 wolfi [INFO] downloading Wolfi secdb https://packages.wolfi.dev/os/security.json
2023-01-04 13:42:59 wolfi [INFO] wrote 56 entries
2023-01-04 13:42:59 wolfi [INFO] recording workspace state
```

You will see the processed vulnerability data in the local `./data` directory

```
$ tree data

data
└── wolfi
    ├── checksums
    ├── metadata.json
    ├── input
    │   └── secdb
    │       └── os
    │           └── security.json
    └── results
        └── wolfi:rolling
            ├── CVE-2016-2781.json
            ├── CVE-2017-8806.json
            ├── CVE-2018-1000156.json
            └── ...
```

*Note: to get more verbose output, use `-v`, `-vv`, or `-vvv` (e.g. `vunnel -vv run wolfi`)*

Delete existing input and result data for one or more providers:

```
$ vunnel clear wolfi

2023-01-04 13:48:31 root [INFO] clearing wolfi provider state
```

Example config file for changing application behavior:

```yaml
# .vunnel.yaml
root: ./processed-data

log:
  level: trace

providers:
  wolfi:
    request_timeout: 125
    runtime:
      existing_input: keep
      existing_results: delete-before-write
      on_error:
        action: fail
        input: keep
        results: keep
        retry_count: 3
        retry_delay: 10

```

Use `vunnel config` to get a better idea of all of the possible configuration options.


## FAQ


### Can I implement a new provider?

Yes you can! See [the provider docs](https://github.com/anchore/vunnel/blob/main/DEVELOPING.md#adding-a-new-provider) for more information.


### Why is it called "vunnel"?

This tool "funnels" vulnerability data into a single spot for easy processing... say "vulnerability data funnel" 100x fast enough and eventually it'll slur to "vunnel" :).
