FutureVuls Blog

  • Home
  • Blog
  • あなただけのvuls.dbを作ろう!
Blog Techカテゴリ OSS

あなただけのvuls.dbを作ろう!

はじめに

Vulsエージェントレス で動く OSS の脆弱性スキャナです。

複数 OS・ミドルウェアを横断してスキャンできますが、その裏側では

  • NVD/OVAL/CVE List など 多種多様な脆弱性データベース
  • それぞれフォーマットも更新タイミングも異なる
  • 脆弱性DBのフェッチが面倒

という課題がありました。

そこで登場したのが vuls.db です。
従来のgo-cve-dictionarygoval-dictionarygost などのDBを1つにまとめ、さらに VEX・CSAF など次世代フォーマット も取り込める “統合 DB” として進化しています。

vuls.dbは次のようにFetchとExtract、DBの3つの工程を経て、作成・配布されます。

CI

このブログでは

  1. 自分専用の vuls.db を作る手順
  2. GitHub Actions で自動ビルドする方法
  3. 3 つのユースケース

を解説します。

💡 誰に向けた記事?

  1. オフィシャルで採用されていないデータソースを使いたい人
  2. オフィシャル vuls.db に含まれる不要データを省きたい人
  3. 社内/サードパーティ製の独自データソースを追加したい人

あなただけのvuls.dbの作り方

早速、vuls.dbを作ってみましょう!
今回は、RedHat VEXとCVEProject CVE List V5が入ったvuls.dbを作りたいと思います。

はじめに、vuls.dbを作成するために必要なツールをインストールします。

1
2
3
 
# require go 1.24 or higher
$ go install github.com/MaineK00n/vuls2/cmd/vuls@nightly
$ go install github.com/MaineK00n/vuls-data-update/cmd/vuls-data-update@nightly

続いて、vulsとvuls-data-updateを利用して、vuls.dbを作っていきます。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
 
$ vuls db init --dbpath ./vuls.db
2025/05/01 12:09:16 INFO Delete All Data
2025/05/01 12:09:16 INFO Initialize DB
2025/05/01 12:09:16 INFO Put Metadata

$ vuls-data-update dotgit pull --dir . --restore ghcr.io/vulsio/vuls-data-db:vuls-data-extracted-redhat-vex
2025/05/01 12:10:06 [INFO] Pull dotgit from ghcr.io/vulsio/vuls-data-db:vuls-data-extracted-redhat-vex

$ vuls db add --dbpath vuls.db vuls-data-extracted-redhat-vex
2025/05/01 12:31:26 INFO Get Metadata
2025/05/01 12:31:26 INFO Put Vulnerability Data
2025/05/01 12:33:21 INFO Put DataSource
2025/05/01 12:33:21 INFO Put Metadata

$ rm -rf vuls-data-extracted-redhat-vex

$ vuls-data-update dotgit pull --dir . --restore ghcr.io/vulsio/vuls-data-db:vuls-data-extracted-mitre-v5
2025/05/01 12:10:06 [INFO] Pull dotgit from ghcr.io/vulsio/vuls-data-db:vuls-data-extracted-mitre-v5

$ vuls db add --dbpath vuls.db vuls-data-extracted-mitre-v5
2025/05/01 12:34:18 INFO Get Metadata
2025/05/01 12:34:18 INFO Put Vulnerability Data
2025/05/01 12:34:33 INFO Put DataSource
2025/05/01 12:34:33 INFO Put Metadata

$ rm -rf vuls-data-extracted-mitre-v5

では、作成したvuls.dbからCVEを検索してみましょう。

vuls db search data vulnerability --dbpath vuls.db CVE-2025-4091 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
 
$ vuls db search data vulnerability --dbpath vuls.db CVE-2025-4091
2025/05/01 12:37:37 INFO Get Metadata
2025/05/01 12:37:37 INFO Get Vulnerability Data "vulnerability id"=CVE-2025-4091
{
  "id": "CVE-2025-4091",
  "vulnerabilities": [
    {
      "id": "CVE-2025-4091",
      "contents": {
        "mitre-v5": {
          "CVE-2025-4091": [
            {
              "content": {
                "id": "CVE-2025-4091",
                "description": "Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Thunderbird < 138, and Thunderbird ESR < 128.10.",
                "severity": [
                  {
                    "type": "cvss_v31",
                    "source": "CISA-ADP",
                    "cvss_v31": {
                      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                      "base_score": 6.5,
                      "base_severity": "MEDIUM",
                      "temporal_score": 6.5,
                      "temporal_severity": "MEDIUM",
                      "environmental_score": 6.5,
                      "environmental_severity": "MEDIUM"
                    }
                  }
                ],
                "cwe": [
                  {
                    "source": "CISA-ADP",
                    "cwe": [
                      "CWE-119"
                    ]
                  }
                ],
                "references": [
                  {
                    "source": "mozilla",
                    "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1951161%2C1952105"
                  },
                  {
                    "source": "mozilla",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-28/"
                  },
                  {
                    "source": "mozilla",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-29/"
                  },
                  {
                    "source": "mozilla",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-31/"
                  },
                  {
                    "source": "mozilla",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-32/"
                  }
                ],
                "published": "2025-04-29T13:13:48.089Z",
                "modified": "2025-04-29T15:37:05.713Z"
              }
            }
          ]
        },
        "redhat-vex": {
          "CVE-2025-4091": [
            {
              "content": {
                "id": "CVE-2025-4091",
                "title": "firefox: thunderbird: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10",
                "description": "No description is available for this CVE.",
                "severity": [
                  {
                    "type": "vendor",
                    "source": "secalert@redhat.com",
                    "vendor": "Moderate"
                  },
                  {
                    "type": "cvss_v31",
                    "source": "secalert@redhat.com",
                    "cvss_v31": {
                      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                      "base_score": 7.5,
                      "base_severity": "HIGH",
                      "temporal_score": 7.5,
                      "temporal_severity": "HIGH",
                      "environmental_score": 7.5,
                      "environmental_severity": "HIGH"
                    }
                  }
                ],
                "cwe": [
                  {
                    "source": "secalert@redhat.com",
                    "cwe": [
                      "CWE-120"
                    ]
                  }
                ],
                "references": [
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://access.redhat.com/security/cve/CVE-2025-4091"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1951161%2C1952105"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362912"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4091"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2025-4091"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-28/"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-29/"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-31/"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-32/"
                  }
                ],
                "published": "2025-04-29T13:13:48.089Z",
                "modified": "2025-04-29T18:48:40Z"
              },
              "segments": [
                {
                  "ecosystem": "redhat:6",
                  "tag": "0d9a16a0-83eb-7fa7-ead1-1d874f3f9523"
                }
              ]
            },
            {
              "content": {
                "id": "CVE-2025-4091",
                "title": "firefox: thunderbird: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10",
                "description": "No description is available for this CVE.",
                "severity": [
                  {
                    "type": "vendor",
                    "source": "secalert@redhat.com",
                    "vendor": "Moderate"
                  },
                  {
                    "type": "cvss_v31",
                    "source": "secalert@redhat.com",
                    "cvss_v31": {
                      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                      "base_score": 7.5,
                      "base_severity": "HIGH",
                      "temporal_score": 7.5,
                      "temporal_severity": "HIGH",
                      "environmental_score": 7.5,
                      "environmental_severity": "HIGH"
                    }
                  }
                ],
                "cwe": [
                  {
                    "source": "secalert@redhat.com",
                    "cwe": [
                      "CWE-120"
                    ]
                  }
                ],
                "references": [
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://access.redhat.com/security/cve/CVE-2025-4091"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1951161%2C1952105"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362912"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4091"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2025-4091"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-28/"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-29/"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-31/"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-32/"
                  }
                ],
                "published": "2025-04-29T13:13:48.089Z",
                "modified": "2025-04-29T18:48:40Z"
              },
              "segments": [
                {
                  "ecosystem": "redhat:7",
                  "tag": "37f3937f-8123-7add-abf7-cf9f6a1e892e"
                }
              ]
            },
            {
              "content": {
                "id": "CVE-2025-4091",
                "title": "firefox: thunderbird: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10",
                "description": "No description is available for this CVE.",
                "severity": [
                  {
                    "type": "vendor",
                    "source": "secalert@redhat.com",
                    "vendor": "Moderate"
                  },
                  {
                    "type": "cvss_v31",
                    "source": "secalert@redhat.com",
                    "cvss_v31": {
                      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                      "base_score": 7.5,
                      "base_severity": "HIGH",
                      "temporal_score": 7.5,
                      "temporal_severity": "HIGH",
                      "environmental_score": 7.5,
                      "environmental_severity": "HIGH"
                    }
                  }
                ],
                "cwe": [
                  {
                    "source": "secalert@redhat.com",
                    "cwe": [
                      "CWE-120"
                    ]
                  }
                ],
                "references": [
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://access.redhat.com/security/cve/CVE-2025-4091"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1951161%2C1952105"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362912"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4091"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2025-4091"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-28/"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-29/"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-31/"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-32/"
                  }
                ],
                "published": "2025-04-29T13:13:48.089Z",
                "modified": "2025-04-29T18:48:40Z"
              },
              "segments": [
                {
                  "ecosystem": "redhat:7",
                  "tag": "ea4d92b2-f08d-8201-dfcc-1897ad44b77a"
                }
              ]
            },
            {
              "content": {
                "id": "CVE-2025-4091",
                "title": "firefox: thunderbird: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10",
                "description": "No description is available for this CVE.",
                "severity": [
                  {
                    "type": "vendor",
                    "source": "secalert@redhat.com",
                    "vendor": "Moderate"
                  },
                  {
                    "type": "cvss_v31",
                    "source": "secalert@redhat.com",
                    "cvss_v31": {
                      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                      "base_score": 7.5,
                      "base_severity": "HIGH",
                      "temporal_score": 7.5,
                      "temporal_severity": "HIGH",
                      "environmental_score": 7.5,
                      "environmental_severity": "HIGH"
                    }
                  }
                ],
                "cwe": [
                  {
                    "source": "secalert@redhat.com",
                    "cwe": [
                      "CWE-120"
                    ]
                  }
                ],
                "references": [
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://access.redhat.com/security/cve/CVE-2025-4091"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1951161%2C1952105"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362912"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4091"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2025-4091"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-28/"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-29/"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-31/"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-32/"
                  }
                ],
                "published": "2025-04-29T13:13:48.089Z",
                "modified": "2025-04-29T18:48:40Z"
              },
              "segments": [
                {
                  "ecosystem": "redhat:8",
                  "tag": "bcdf4563-7820-d6f7-381f-ef342a1f9ce1"
                }
              ]
            },
            {
              "content": {
                "id": "CVE-2025-4091",
                "title": "firefox: thunderbird: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10",
                "description": "No description is available for this CVE.",
                "severity": [
                  {
                    "type": "vendor",
                    "source": "secalert@redhat.com",
                    "vendor": "Moderate"
                  },
                  {
                    "type": "cvss_v31",
                    "source": "secalert@redhat.com",
                    "cvss_v31": {
                      "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                      "base_score": 7.5,
                      "base_severity": "HIGH",
                      "temporal_score": 7.5,
                      "temporal_severity": "HIGH",
                      "environmental_score": 7.5,
                      "environmental_severity": "HIGH"
                    }
                  }
                ],
                "cwe": [
                  {
                    "source": "secalert@redhat.com",
                    "cwe": [
                      "CWE-120"
                    ]
                  }
                ],
                "references": [
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://access.redhat.com/security/cve/CVE-2025-4091"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1951161%2C1952105"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362912"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4091"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2025-4091"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-28/"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-29/"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-31/"
                  },
                  {
                    "source": "secalert@redhat.com",
                    "url": "https://www.mozilla.org/security/advisories/mfsa2025-32/"
                  }
                ],
                "published": "2025-04-29T13:13:48.089Z",
                "modified": "2025-04-29T18:48:40Z"
              },
              "segments": [
                {
                  "ecosystem": "redhat:9",
                  "tag": "280a9a2e-4522-b000-14a0-463d5bdecfdc"
                }
              ]
            }
          ]
        }
      }
    }
  ],
  "detections": [
    {
      "ecosystem": "redhat:6",
      "contents": {
        "CVE-2025-4091": {
          "redhat-vex": [
            {
              "criteria": {
                "operator": "OR",
                "criterions": [
                  {
                    "type": "version",
                    "version": {
                      "vulnerable": true,
                      "fix_status": {
                        "class": "unfixed",
                        "vendor": "Out of support scope"
                      },
                      "package": {
                        "type": "source",
                        "source": {
                          "name": "firefox"
                        }
                      }
                    }
                  },
                  {
                    "type": "version",
                    "version": {
                      "vulnerable": true,
                      "fix_status": {
                        "class": "unfixed",
                        "vendor": "Out of support scope"
                      },
                      "package": {
                        "type": "source",
                        "source": {
                          "name": "thunderbird"
                        }
                      }
                    }
                  }
                ]
              },
              "tag": "0d9a16a0-83eb-7fa7-ead1-1d874f3f9523"
            }
          ]
        }
      }
    },
    {
      "ecosystem": "redhat:7",
      "contents": {
        "CVE-2025-4091": {
          "redhat-vex": [
            {
              "criteria": {
                "operator": "OR",
                "criterions": [
                  {
                    "type": "version",
                    "version": {
                      "vulnerable": true,
                      "fix_status": {
                        "class": "unfixed",
                        "vendor": "Out of support scope"
                      },
                      "package": {
                        "type": "source",
                        "source": {
                          "name": "thunderbird"
                        }
                      }
                    }
                  }
                ]
              },
              "tag": "37f3937f-8123-7add-abf7-cf9f6a1e892e"
            },
            {
              "criteria": {
                "operator": "OR",
                "criterions": [
                  {
                    "type": "version",
                    "version": {
                      "vulnerable": true,
                      "fix_status": {
                        "class": "unfixed",
                        "vendor": "Affected"
                      },
                      "package": {
                        "type": "source",
                        "source": {
                          "name": "firefox"
                        }
                      }
                    }
                  }
                ]
              },
              "tag": "ea4d92b2-f08d-8201-dfcc-1897ad44b77a"
            }
          ]
        }
      }
    },
    {
      "ecosystem": "redhat:8",
      "contents": {
        "CVE-2025-4091": {
          "redhat-vex": [
            {
              "criteria": {
                "operator": "OR",
                "criterions": [
                  {
                    "type": "version",
                    "version": {
                      "vulnerable": true,
                      "fix_status": {
                        "class": "unfixed",
                        "vendor": "Affected"
                      },
                      "package": {
                        "type": "source",
                        "source": {
                          "name": "firefox"
                        }
                      }
                    }
                  },
                  {
                    "type": "version",
                    "version": {
                      "vulnerable": true,
                      "fix_status": {
                        "class": "unfixed",
                        "vendor": "Affected"
                      },
                      "package": {
                        "type": "source",
                        "source": {
                          "name": "thunderbird"
                        }
                      }
                    }
                  }
                ]
              },
              "tag": "bcdf4563-7820-d6f7-381f-ef342a1f9ce1"
            }
          ]
        }
      }
    },
    {
      "ecosystem": "redhat:9",
      "contents": {
        "CVE-2025-4091": {
          "redhat-vex": [
            {
              "criteria": {
                "operator": "OR",
                "criterions": [
                  {
                    "type": "version",
                    "version": {
                      "vulnerable": true,
                      "fix_status": {
                        "class": "unfixed",
                        "vendor": "Affected"
                      },
                      "package": {
                        "type": "source",
                        "source": {
                          "name": "firefox"
                        }
                      }
                    }
                  },
                  {
                    "type": "version",
                    "version": {
                      "vulnerable": true,
                      "fix_status": {
                        "class": "unfixed",
                        "vendor": "Affected"
                      },
                      "package": {
                        "type": "source",
                        "source": {
                          "name": "thunderbird"
                        }
                      }
                    }
                  }
                ]
              },
              "tag": "280a9a2e-4522-b000-14a0-463d5bdecfdc"
            }
          ]
        }
      }
    }
  ],
  "data_sources": [
    {
      "id": "mitre-v5",
      "name": "MITRE CVE v5",
      "raw": [
        {
          "url": "https://github.com/vulsio/vuls-data-raw-mitre-v5",
          "commit": "bac9f8a9db47417b8416940ebefaec0fd2a2929e",
          "date": "2025-05-01T02:19:40Z"
        }
      ],
      "extracted": {
        "url": "https://github.com/vulsio/vuls-data-extracted-mitre-v5"
      }
    },
    {
      "id": "redhat-vex",
      "name": "RedHat Enterprise Linux VEX",
      "raw": [
        {
          "url": "file:///home/runner/work/vuls-data-db/vuls-data-db/latest/vuls-data-raw-redhat-vex.tmp",
          "commit": "bbb06d8e3b77d552e680705f504c966cb0fc6eb2",
          "date": "2025-04-30T13:35:49Z"
        },
        {
          "url": "https://github.com/vulsio/vuls-data-raw-redhat-repository-to-cpe",
          "commit": "c4c0e914f8bbd6922d6e788db9cdce36b0ef34af",
          "date": "2025-04-30T02:00:14Z"
        }
      ],
      "extracted": {
        "url": "https://github.com/vulsio/vuls-data-extracted-redhat-vex"
      }
    }
  ]
}

もちろん、vulsでの脆弱性検知に作成したvuls.dbを使うこともできます。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
 
$ cat config.toml
...
[vuls2]
Path = "/path/to/vuls.db"
SkipUpdate = true # 作成したDBが更新されないために
...

# future-architect/vulsをvuls0とする
$ curl -sL https://github.com/future-architect/vuls/releases/download/v0.30.0/vuls_0.30.0_linux_amd64.tar.gz | tar zxf - vuls
$ mv vuls vuls0

# 検知に使うredhatのデータを用意する
$ curl -s --create-dirs --output results/2025-05-01T12-55-56+0900/rhel_90.json https://raw.githubusercontent.com/vulsio/integration/refs/heads/main/data/results/rhel_90.json

$ ./vuls0 report 2025-05-01T12-55-56+0900
[May  1 12:56:08]  INFO [localhost] vuls-0.30.0-358cbf59b8480330cebed319dee1bfc4c5704c7e-2025-03-18T06:42:29Z
...
[May  1 12:59:09]  INFO [localhost] rhel_90: 3429 CVEs are detected with vuls2
...

さて、ここでvulsio/vuls-db-templateを紹介しようと思います。
GitHub Actionsで定期的にvuls.dbを作成して、作成したvuls.dbを自身のPackagesに公開するまでを、このテンプレートリポジトリを利用することで簡単に行えます。
先程、手動で作ったvuls.dbも、vuls-db-templateを利用することによって、次のようにGNUMakefileを変更するだけで、GitHub Actionsがvuls.dbを作成してくれます。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
 
:100644 100644 5eb2622 0000000 M	GNUMakefile

diff --git a/GNUMakefile b/GNUMakefile
index 5eb2622..de9b266 100644
--- a/GNUMakefile
+++ b/GNUMakefile
@@ -6,9 +6,8 @@ DBPATH := ~/.cache/vuls/vuls.db
 .PHONY: db-build
 db-build:
 	vuls db init --dbtype ${DBTYPE} --dbpath ${DBPATH}
-	$(MAKE) -f ${MAKEFILE} db-add REPO=vuls-data-extracted-alma-errata BRANCH=${BRANCH} DBTYPE=${DBTYPE} DBPATH=${DBPATH}
-	$(MAKE) -f ${MAKEFILE} db-add REPO=vuls-data-extracted-redhat-vex-rhel BRANCH=${BRANCH} DBTYPE=${DBTYPE} DBPATH=${DBPATH}
-	$(MAKE) -f ${MAKEFILE} db-add REPO=vuls-data-extracted-rocky-errata BRANCH=${BRANCH} DBTYPE=${DBTYPE} DBPATH=${DBPATH}
+	$(MAKE) -f ${MAKEFILE} db-add REPO=vuls-data-extracted-redhat-vex BRANCH=${BRANCH} DBTYPE=${DBTYPE} DBPATH=${DBPATH}
+	$(MAKE) -f ${MAKEFILE} db-add REPO=vuls-data-extracted-mitre-v5 BRANCH=${BRANCH} DBTYPE=${DBTYPE} DBPATH=${DBPATH}
 
 .PHONY: db-add
 db-add:

提供されているデータソースの確認方法は次のとおりです。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
 
$ gh api --paginate /orgs/vulsio/packages/container/vuls-data-db/versions --jq '.[] | select(.metadata.container.tags[] | startswith("vuls-data-extracted-")) | .metadata.container.tags[]'
vuls-data-extracted-redhat-vex-rhel
vuls-data-extracted-redhat-csaf-rhel
vuls-data-extracted-redhat-ovalv2
vuls-data-extracted-redhat-vex
vuls-data-extracted-redhat-csaf
vuls-data-extracted-redhat-ovalv1
vuls-data-extracted-redhat-ovalv2-rhel
vuls-data-extracted-nvd-api-cve
vuls-data-extracted-mitre-v5
vuls-data-extracted-epss
vuls-data-extracted-arch
vuls-data-extracted-amazon
vuls-data-extracted-alma-osv
vuls-data-extracted-alma-errata
vuls-data-extracted-oracle
vuls-data-extracted-alpine-secdb
vuls-data-extracted-alpine-osv
vuls-data-extracted-freebsd
vuls-data-extracted-kev
vuls-data-extracted-rocky-errata

もしくは、こちらから探すこともできます。
https://github.com/vulsio/vuls-data-db/pkgs/container/vuls-data-db/versions

ユースケース紹介

これまで、vulsやvuls-data-updateを使う方法、またはvuls-db-templateを利用する方法という2つのvuls.dbの作り方を紹介しました。
これから、あなただけのvuls.dbを作るべきユースケースを3つ紹介します。

1. オフィシャルで採用されていないデータソースを使いたい

次の記事によると、RedHatは、OVALに代わるフォーマットとしてCSAF、VEXを採用し、2024年末に廃止予定でした。
OVALは2024年末に廃止はされなかったものの、RHEL 10といった将来のメジャーリリース向けのデータは提供されないようです。

よって、vulsはRedHatに対するデフォルトのデータソースをOVALからVEXに変更しました。

https://github.com/vulsio/vuls-data-db/commit/45b078f8888a81b82851d61285cf1663c68c1284

フォーマットの変更により、未修正の脆弱性に紐付くパッケージが、binary packageからsource packageに変更されています。
よって、スキャナが古い場合など、スキャン対象のsource packageが収集できていない場合、オフィシャルなvuls.dbでは、未修正な脆弱性を検知できなくなります。
そこで、OVALが入ったvuls.dbを作成・利用することで、この問題を一時的に回避できます。

2. オフィシャルなvuls.dbに必要のないデータソースがある

オフィシャルで配布するvuls.dbは、ユーザがどんな対象をスキャンするかわからないため、vulsでサポートする対象のデータソースをすべて追加する予定です。
goval-dictionaryやgostでは、必要な分だけDBに追加することができました。
もし、自分たちの環境に必要なデータソースだけを含むvuls.dbが必要であれば、紹介した方法でvuls.dbを作成してください。

3. 自前で持っているデータソースをvuls.dbに追加したい

vuls.dbでは、goval-dictionaryやgostなどと異なり、ユーザ自身が持っているデータソースを追加できるように考えています。

例えば、次のようにデータを用意します。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
 
$ tree vuls-data-extracted-test/
vuls-data-extracted-test/
├── data
│   └── 2025
│       └── TEST-2025-0001.json
└── datasource.json

2 directories, 2 files

$ cat vuls-data-extracted-test/datasource.json 
{
	"id": "test",
	"name": "test data for blog"
}

$ cat vuls-data-extracted-test/data/2025/TEST-2025-0001.json 
{
    "id": "TEST-2025-0001",
    "advisories": [
        {
            "content": {
                "id": "TEST-2025-0001",
                "description": "This is a test advisory.",
                "severity": [
                    {
                        "type": "vendor",
                        "source": "test",
                        "vendor": "Important"
                    }
                ],
                "published": "2025-05-01T15:00:00Z"
            },
            "segments": [
                {
                    "ecosystem": "redhat:9",
                    "tag": "test"
                }
            ]
        }
    ],
    "vulnerabilities": [
        {
            "content": {
                "id": "TMP-2025-0001",
                "description": "This is a test vulnerability.",
                "severity": [
                    {
                        "type": "cvss_v31",
                        "source": "test",
                        "cvss_v31": {
                            "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                            "base_score": 10,
                            "base_severity": "CRITICAL",
                            "temporal_score": 10,
                            "temporal_severity": "CRITICAL",
                            "environmental_score": 10,
                            "environmental_severity": "CRITICAL"
                        }
                    }
                ],
                "published": "2025-05-01T15:00:00Z"
            },
            "segments": [
                {
                    "ecosystem": "redhat:9",
                    "tag": "test"
                }
            ]
        }
    ],
    "detections": [
        {
            "ecosystem": "redhat:9",
            "conditions": [
                {
                    "criteria": {
                        "operator": "OR",
                        "criterions": [
                            {
                                "type": "version",
                                "version": {
                                    "vulnerable": true,
                                    "fix_status": {
                                        "class": "unfixed",
                                        "vendor": "Affected"
                                    },
                                    "package": {
                                        "type": "source",
                                        "source": {
                                            "name": "kernel"
                                        }
                                    }
                                }
                            }
                        ]
                    },
                    "tag": "test"
                }
            ]
        }
    ],
    "data_source": {
        "id": "test"
    }
}

そして、用意したデータをvuls.dbに追加して、TMP-2025-0001を検索してみます。
すると、検索結果に自分が用意したデータの内容が追加されていることがわかります。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
 
$ vuls db add --dbpath vuls.db vuls-data-extracted-test
2025/05/01 15:19:53 INFO Get Metadata
2025/05/01 15:19:53 INFO Put Vulnerability Data
2025/05/01 15:19:53 INFO Put DataSource
2025/05/01 15:19:53 INFO Put Metadata

$ vuls db search data vulnerability --dbpath vuls.db TMP-2025-0001
2025/05/01 15:23:26 INFO Get Metadata
2025/05/01 15:23:26 INFO Get Vulnerability Data "vulnerability id"=TMP-2025-0001
{
  "id": "TMP-2025-0001",
  "advisories": [
    {
      "id": "TEST-2025-0001",
      "contents": {
        "test": {
          "TEST-2025-0001": [
            {
              "content": {
                "id": "TEST-2025-0001",
                "description": "This is a test advisory.",
                "severity": [
                  {
                    "type": "vendor",
                    "source": "test",
                    "vendor": "Important"
                  }
                ],
                "published": "2025-05-01T15:00:00Z"
              },
              "segments": [
                {
                  "ecosystem": "redhat:9",
                  "tag": "test"
                }
              ]
            }
          ]
        }
      }
    }
  ],
  "vulnerabilities": [
    {
      "id": "TMP-2025-0001",
      "contents": {
        "test": {
          "TEST-2025-0001": [
            {
              "content": {
                "id": "TMP-2025-0001",
                "description": "This is a test vulnerability.",
                "severity": [
                  {
                    "type": "cvss_v31",
                    "source": "test",
                    "cvss_v31": {
                      "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                      "base_score": 10,
                      "base_severity": "CRITICAL",
                      "temporal_score": 10,
                      "temporal_severity": "CRITICAL",
                      "environmental_score": 10,
                      "environmental_severity": "CRITICAL"
                    }
                  }
                ],
                "published": "2025-05-01T15:00:00Z"
              },
              "segments": [
                {
                  "ecosystem": "redhat:9",
                  "tag": "test"
                }
              ]
            }
          ]
        }
      }
    }
  ],
  "detections": [
    {
      "ecosystem": "redhat:9",
      "contents": {
        "TEST-2025-0001": {
          "test": [
            {
              "criteria": {
                "operator": "OR",
                "criterions": [
                  {
                    "type": "version",
                    "version": {
                      "vulnerable": true,
                      "fix_status": {
                        "class": "unfixed",
                        "vendor": "Affected"
                      },
                      "package": {
                        "type": "source",
                        "source": {
                          "name": "kernel"
                        }
                      }
                    }
                  }
                ]
              },
              "tag": "test"
            }
          ]
        }
      }
    }
  ],
  "data_sources": [
    {
      "id": "test",
      "name": "test data for blog"
    }
  ]
}

もちろん、検知条件を設定しているため、vulsでの検知も可能です。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
 
$ ./vuls0 report --refresh-cve 2025-05-01T12-55-56+0900
[May  1 15:20:07]  INFO [localhost] vuls-0.30.0-358cbf59b8480330cebed319dee1bfc4c5704c7e-2025-03-18T06:42:29Z
...
[May  1 15:21:22]  INFO [localhost] rhel_90: 3430 CVEs are detected with vuls2
...
rhel_90 (redhat9.0)
===================
Total: 3430 (Critical:6 High:519 Medium:2776 Low:117 ?:12)
1536/3430 Fixed, 0 poc, 0 exploits, 0 kevs, uscert: 0, jpcert: 0 alerts
496 installed

+------------------+------+--------+-----+-----+-----------+---------+----------------------------------------+
|      CVE-ID      | CVSS | ATTACK | POC | KEV |   ALERT   |  FIXED  |                PACKAGES                |
+------------------+------+--------+-----+-----+-----------+---------+----------------------------------------+
| TMP-2025-0001    | 10.0 |  AV:N  |     |     |           | unfixed | kernel, kernel-core,                   |
|                  |      |        |     |     |           |         | kernel-devel, kernel-headers,          |
|                  |      |        |     |     |           |         | kernel-modules, kernel-tools,          |
|                  |      |        |     |     |           |         | kernel-tools-libs,                     |
|                  |      |        |     |     |           |         | python3-perf                           |
+------------------+------+--------+-----+-----+-----------+---------+----------------------------------------+
...

おわりに

今回、vuls.dbの作り方とユースケースについて紹介しました。
vuls.dbを使いこなして、脆弱性管理に活用していただければ幸いです。

issueやpull requestも歓迎しております!

目次

カテゴリー