Data Sources
ScanRook queries multiple vulnerability databases during enrichment. This page lists every data source, its ecosystem coverage, integration status, and implementation notes.
Status legend
Ready -- fully integrated and active in production scans.
Partial -- integrated with known limitations or incomplete coverage.
Planned -- on the roadmap but not yet implemented.
Provider table
| Data Source | Provider | Ecosystems | Status | Notes |
|---|---|---|---|---|
| Open Source Vulnerabilities API | osv | .NET, Go, Java, JavaScript, Python, Ruby, Rust, DPKG, APK, RPM | Ready | Primary enrichment source. Batch API queries packages by ecosystem/name/version. Broadest ecosystem coverage. Response caching via file + PostgreSQL + Redis. |
| National Vulnerability Database | nvd | CVE-backed cross-ecosystem | Ready | Second-pass enrichment. Adds CVSS v3.1 scores, CPE-based matching for binaries and generic packages. Rate-limited without NVD_API_KEY. |
| Red Hat Security Data API | redhat | RPM (RHEL family) | Ready | Per-CVE fix status for RPM packages in RHEL, CentOS Stream. Returns errata IDs, fix state, and fixed-in versions. |
| Red Hat OVAL XML (user supplied) | redhat_oval | RPM (RHEL family) | Ready | Offline OVAL-based checking. User supplies XML file via --oval-redhat flag. Checks affected packages against OVAL definitions. |
| Ubuntu CVE Tracker | ubuntu | DPKG | Ready | Auto-activated when Ubuntu is detected in container images. Provides fix status per Ubuntu release (focal, jammy, noble). |
| Debian Security Tracker | debian | DPKG | Ready | Auto-activated when Debian is detected. Maps CVEs to package versions with fix status and urgency ratings. |
| Alpine SecDB | alpine | APK | Ready | Auto-activated when Alpine is detected. Maps CVEs to APK package versions with fix status per Alpine release. |
| AlmaLinux OSV Database | alma | RPM | Ready | AlmaLinux advisory data via OSV format. Provides RHEL-compatible fix status for AlmaLinux deployments. |
| Amazon Linux Security Center | amazon | RPM | Ready | ALAS (Amazon Linux Security Advisories). Provides fix status for Amazon Linux 2 and 2023 RPM packages. |
| SUSE Security OVAL | sles | RPM | Planned | SUSE/openSUSE OVAL data. Will provide fix status for SLES and openSUSE RPM packages. |
| Oracle Linux Security | oracle | RPM | Ready | Oracle Linux Security Advisories (ELSA). Provides fix status for Oracle Linux RPM packages. |
| Chainguard Security | chainguard | APK | Ready | Chainguard-specific security data for distroless/Chainguard OS APK packages. |
| Wolfi Security | wolfi | APK | Ready | Wolfi OS security data. Provides fix status for Wolfi APK packages used in distroless containers. |
| EPSS (Exploit Prediction Scoring) | epss | Cross-ecosystem | Ready | FIRST's exploit probability model. Adds a 0–1 probability score to each CVE indicating real-world exploit likelihood. |
| CISA KEV (Known Exploited Vulnerabilities) | kev | Cross-ecosystem | Ready | CISA's catalog of actively exploited vulnerabilities. Flags findings that are confirmed exploited in the wild. |
Ecosystem coverage
The combination of OSV, NVD, and distro-specific feeds gives ScanRook coverage across the following package ecosystems:
RPM -- RHEL, CentOS, Fedora, AlmaLinux, Oracle, Amazon, SUSE (planned)
DPKG -- Debian, Ubuntu
APK -- Alpine, Chainguard, Wolfi
npm -- Node.js packages via package-lock.json
PyPI -- Python packages via requirements.txt, Pipfile.lock
Go -- Go modules via go.sum, binary build info
Cargo -- Rust crates via Cargo.lock
Maven -- Java packages via pom.xml
NuGet -- .NET packages via packages.config, .csproj
RubyGems -- Ruby gems via Gemfile.lock