Skip to content
Latchkey

What Is a Vulnerability Database? The Index Scanners Rely On

A vulnerability database is a structured catalog of known security flaws, the software versions they affect, and how serious they are, that scanners query to find risk.

A scanner is only as good as the data behind it. A vulnerability database is that data: a continuously updated catalog mapping known flaws (by CVE and other IDs) to the exact packages and version ranges they affect. When your scanner says "this library is vulnerable," it is matching your dependencies against one of these databases.

What a record contains

  • A vulnerability identifier (often a CVE).
  • The affected package and version ranges.
  • A severity score and description.
  • References, fixes, and the patched version.

Major databases

The National Vulnerability Database (NVD), the GitHub Advisory Database, and the OSV (Open Source Vulnerabilities) database are widely used. Ecosystem-specific feeds (for npm, Python, etc.) add precise package data, and commercial scanners often blend several sources.

Why freshness matters

New vulnerabilities are disclosed daily. A scanner using a stale database will miss recent flaws. Good scanning pulls fresh data regularly, which is why re-scanning yesterday's clean image can surface new findings today.

How matching works

The scanner builds an inventory of your components and versions, then queries the database for any record whose affected range includes what you have. A precise match avoids both false negatives (missed flaws) and false positives (irrelevant alerts).

In the pipeline

Dependency and container scanners in CI consult these databases on every run. Combined with an SBOM, the database lets you answer "are we affected by this new disclosure?" across all your builds quickly and confidently.

Key takeaways

  • A vulnerability database maps known flaws to affected packages and versions.
  • NVD, the GitHub Advisory Database, and OSV are major sources.
  • Fresh data is essential; scanners match your components against it on every run.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →