API Endpoints
This document describes the HTTP API endpoints of Garden Linux Vulnerability Database.
This document and the API are work in progress and subject to change at any time.
Get a list of CVEs by distro
To query all CVEs for a given distribution by version, you may use this endpoint:
$ curl 'https://glvd.ingress.glvd.gardnlinux.shoot.canary.k8s-hana.ondemand.com/v1/cves/1592.0?sortBy=cveId&sortOrder=DESC&pageNumber=4&pageSize=2' -i -X GET \
-H 'Accept: application/json'
For all endpoints, the sortBy and sortOrder query parameters are optional. If omitted, default sorting is applied.
The expected response looks like this:
HTTP/1.1 200 OK
Content-Disposition: inline;filename=f.txt
Content-Type: application/json
Transfer-Encoding: chunked
Date: Mon, 25 Nov 2024 08:47:54 GMT
Keep-Alive: timeout=60
Connection: keep-alive
Content-Length: 1129
[ {
"cveId" : "CVE-2024-6197",
"sourcePackageName" : "curl",
"sourcePackageVersion" : "8.8.0-4gardenlinux0",
"gardenlinuxVersion" : "1592.0",
"cvePublishedDate" : "2024-07-24T08:15:03.340",
"baseScore" : 7.5,
"vectorString" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"baseScoreV40" : null,
"baseScoreV31" : 7.5,
"baseScoreV30" : null,
"baseScoreV2" : null,
"vectorStringV40" : null,
"vectorStringV31" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"vectorStringV30" : null,
"vectorStringV2" : null,
"vulnerable" : true
}, {
"cveId" : "CVE-2024-6119",
"sourcePackageName" : "openssl",
"sourcePackageVersion" : "3.2.2-1gardenlinux0",
"gardenlinuxVersion" : "1592.0",
"cvePublishedDate" : "2024-09-03T16:15:07.177",
"baseScore" : 7.5,
"vectorString" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"baseScoreV40" : null,
"baseScoreV31" : 7.5,
"baseScoreV30" : null,
"baseScoreV2" : null,
"vectorStringV40" : null,
"vectorStringV31" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"vectorStringV30" : null,
"vectorStringV2" : null,
"vulnerable" : true
} ]
Get a list of CVEs for packages by distro
This endpoint returns all CVEs for a list of packages in a specified distro. Note that the package names are comma-separated (this might change later). You may or may not need to URL-encode the commas.
$ curl 'https://glvd.ingress.glvd.gardnlinux.shoot.canary.k8s-hana.ondemand.com/v1/cves/1592.0/packages/crun%2Cvim?pageNumber=4&pageSize=2' -i -X GET \
-H 'Accept: application/json'
The expected response looks like this:
HTTP/1.1 200 OK
Content-Type: application/json
Transfer-Encoding: chunked
Date: Mon, 25 Nov 2024 08:47:54 GMT
Keep-Alive: timeout=60
Connection: keep-alive
Content-Length: 3
[ ]
Get a list of CVEs for packages by distro via PUT
This endpoint returns all CVEs for a list of packages in a specified distro. Package names are provided in the request body as JSON.
$ curl 'https://glvd.ingress.glvd.gardnlinux.shoot.canary.k8s-hana.ondemand.com/v1/cves/1592.0/packages?pageNumber=4&pageSize=2' -i -X PUT \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-d ' {
"packageNames": [
"vim",
"bash",
"python3",
"curl"
]
}'
The expected response looks like this:
HTTP/1.1 200 OK
Content-Type: application/json
Transfer-Encoding: chunked
Date: Mon, 25 Nov 2024 08:47:54 GMT
Keep-Alive: timeout=60
Connection: keep-alive
Content-Length: 1118
[ {
"cveId" : "CVE-2024-41965",
"sourcePackageName" : "vim",
"sourcePackageVersion" : "2:9.1.0496-1+b1",
"gardenlinuxVersion" : "1592.0",
"cvePublishedDate" : "2024-08-01T22:15:29.567",
"baseScore" : 4.2,
"vectorString" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"baseScoreV40" : null,
"baseScoreV31" : 4.2,
"baseScoreV30" : null,
"baseScoreV2" : null,
"vectorStringV40" : null,
"vectorStringV31" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"vectorStringV30" : null,
"vectorStringV2" : null,
"vulnerable" : true
}, {
"cveId" : "CVE-2024-41957",
"sourcePackageName" : "vim",
"sourcePackageVersion" : "2:9.1.0496-1+b1",
"gardenlinuxVersion" : "1592.0",
"cvePublishedDate" : "2024-08-01T22:15:29.367",
"baseScore" : 5.3,
"vectorString" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"baseScoreV40" : null,
"baseScoreV31" : 5.3,
"baseScoreV30" : null,
"baseScoreV2" : null,
"vectorStringV40" : null,
"vectorStringV31" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"vectorStringV30" : null,
"vectorStringV2" : null,
"vulnerable" : true
} ]
Get List of Packages
Returns a list of packages in a given distribution.
$ curl 'https://glvd.ingress.glvd.gardnlinux.shoot.canary.k8s-hana.ondemand.com/v1/distro/1592.0?pageNumber=4&pageSize=2' -i -X GET \
-H 'Accept: application/json'
The expected response looks like this:
HTTP/1.1 200 OK
Content-Disposition: inline;filename=f.txt
Content-Type: application/json
Transfer-Encoding: chunked
Date: Mon, 25 Nov 2024 08:47:54 GMT
Keep-Alive: timeout=60
Connection: keep-alive
Content-Length: 222
[ {
"sourcePackageName" : "apt",
"sourcePackageVersion" : "2.9.7",
"gardenlinuxVersion" : "1592.0"
}, {
"sourcePackageName" : "arptables",
"sourcePackageVersion" : "0.0.5-4",
"gardenlinuxVersion" : "1592.0"
} ]
Get Package With Vulnerabilities
Gives you a list of vulnerabilities for a specific package.
$ curl 'https://glvd.ingress.glvd.gardnlinux.shoot.canary.k8s-hana.ondemand.com/v1/packages/vim?pageNumber=4&pageSize=2' -i -X GET \
-H 'Accept: application/json'
The expected response looks like this:
HTTP/1.1 200 OK
Content-Type: application/json
Transfer-Encoding: chunked
Date: Mon, 25 Nov 2024 08:47:54 GMT
Keep-Alive: timeout=60
Connection: keep-alive
Content-Length: 1038
[ {
"cveId" : "CVE-2008-4677",
"sourcePackageName" : "vim",
"sourcePackageVersion" : "2:9.1.0016-1",
"gardenlinuxVersion" : "1443.0",
"cvePublishedDate" : "2008-10-22T18:00:00.910",
"baseScore" : 4.3,
"vectorString" : "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"baseScoreV40" : null,
"baseScoreV31" : null,
"baseScoreV30" : null,
"baseScoreV2" : 4.3,
"vectorStringV40" : null,
"vectorStringV31" : null,
"vectorStringV30" : null,
"vectorStringV2" : "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"vulnerable" : true
}, {
"cveId" : "CVE-2008-4677",
"sourcePackageName" : "vim",
"sourcePackageVersion" : "2:9.1.0016-1",
"gardenlinuxVersion" : "1443.0",
"cvePublishedDate" : "2008-10-22T18:00:00.910",
"baseScore" : 4.3,
"vectorString" : "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"baseScoreV40" : null,
"baseScoreV31" : null,
"baseScoreV30" : null,
"baseScoreV2" : 4.3,
"vectorStringV40" : null,
"vectorStringV31" : null,
"vectorStringV30" : null,
"vectorStringV2" : "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"vulnerable" : true
} ]
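A client consuming these records usually needs one score per finding. The following added example (not part of the original API documentation or the GLVD project's code) deduplicates repeated records such as the two identical entries above and picks the newest CVSS version that carries a score; the preference order and the function names are assumptions of this example.

```python
import json

# Constructed input: records trimmed from the responses shown on this page,
# including the repeated CVE-2008-4677 entry.
SAMPLE = json.loads("""[
 {"cveId": "CVE-2024-6197", "sourcePackageName": "curl",
  "sourcePackageVersion": "8.8.0-4gardenlinux0", "gardenlinuxVersion": "1592.0",
  "baseScoreV40": null, "baseScoreV31": 7.5, "baseScoreV30": null,
  "baseScoreV2": null, "vulnerable": true},
 {"cveId": "CVE-2008-4677", "sourcePackageName": "vim",
  "sourcePackageVersion": "2:9.1.0016-1", "gardenlinuxVersion": "1443.0",
  "baseScoreV40": null, "baseScoreV31": null, "baseScoreV30": null,
  "baseScoreV2": 4.3, "vulnerable": true},
 {"cveId": "CVE-2008-4677", "sourcePackageName": "vim",
  "sourcePackageVersion": "2:9.1.0016-1", "gardenlinuxVersion": "1443.0",
  "baseScoreV40": null, "baseScoreV31": null, "baseScoreV30": null,
  "baseScoreV2": 4.3, "vulnerable": true}
]""")

# Assumption of this example: prefer the newest CVSS version that has a score.
SCORE_FIELDS = [("4.0", "baseScoreV40"), ("3.1", "baseScoreV31"),
                ("3.0", "baseScoreV30"), ("2.0", "baseScoreV2")]

def best_score(record):
    """Return (cvss_version, score) for the newest scored version, else (None, None)."""
    for version, field in SCORE_FIELDS:
        if record.get(field) is not None:
            return version, record[field]
    return None, None

def triage(records, min_score=0.0):
    """Deduplicate, keep vulnerable records at or above min_score, sort by score."""
    seen, findings = set(), []
    for rec in records:
        key = (rec["cveId"], rec["sourcePackageName"],
               rec["sourcePackageVersion"], rec["gardenlinuxVersion"])
        if key in seen or not rec.get("vulnerable"):
            continue
        seen.add(key)
        version, score = best_score(rec)
        # Unscored records are kept (score None) rather than silently dropped.
        if score is None or score >= min_score:
            findings.append({"cveId": rec["cveId"], "package": rec["sourcePackageName"],
                             "cvss": version, "score": score})
    return sorted(findings, key=lambda f: -(f["score"] or 0.0))

if __name__ == "__main__":
    for finding in triage(SAMPLE, min_score=4.0):
        print(finding)
```

CVSS v2 and v3 scores come from different formulas, so a single threshold applied across versions is a coarse filter.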
Get Package With Vulnerabilities by Version
Gives you a list of vulnerabilities for a specific package with the specified version.
$ curl 'https://glvd.ingress.glvd.gardnlinux.shoot.canary.k8s-hana.ondemand.com/v1/packages/vim/2%3A9.1.0496-1%2Bb1?pageNumber=4&pageSize=2' -i -X GET \
-H 'Accept: application/json'
The expected response looks like this:
HTTP/1.1 200 OK
Content-Disposition: inline;filename=f.txt
Content-Type: application/json
Transfer-Encoding: chunked
Date: Mon, 25 Nov 2024 08:47:54 GMT
Keep-Alive: timeout=60
Connection: keep-alive
Content-Length: 1117
[ {
"cveId" : "CVE-2024-41957",
"sourcePackageName" : "vim",
"sourcePackageVersion" : "2:9.1.0496-1+b1",
"gardenlinuxVersion" : "1592.1",
"cvePublishedDate" : "2024-08-01T22:15:29.367",
"baseScore" : 5.3,
"vectorString" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"baseScoreV40" : null,
"baseScoreV31" : 5.3,
"baseScoreV30" : null,
"baseScoreV2" : null,
"vectorStringV40" : null,
"vectorStringV31" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
"vectorStringV30" : null,
"vectorStringV2" : null,
"vulnerable" : true
}, {
"cveId" : "CVE-2024-41965",
"sourcePackageName" : "vim",
"sourcePackageVersion" : "2:9.1.0496-1+b1",
"gardenlinuxVersion" : "today",
"cvePublishedDate" : "2024-08-01T22:15:29.567",
"baseScore" : 4.2,
"vectorString" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"baseScoreV40" : null,
"baseScoreV31" : 4.2,
"baseScoreV30" : null,
"baseScoreV2" : null,
"vectorStringV40" : null,
"vectorStringV31" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L",
"vectorStringV30" : null,
"vectorStringV2" : null,
"vulnerable" : true
} ]
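The encodings used in the curl examples on this page (crun%2Cvim and 2%3A9.1.0496-1%2Bb1) can be produced programmatically. This added example, which is not taken from the GLVD project, builds the request paths and the PUT body in Python; the function names and the Debian-style package-name check are assumptions of this example.

```python
import json
import re
from urllib.parse import quote, urlencode

# Assumption: Debian-style package names (lowercase alphanumerics, '+', '-', '.').
PKG_NAME = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")

def _query(page_number, page_size, sort_by=None, sort_order=None):
    """Build the query string; sortBy and sortOrder are optional per the page."""
    params = {"sortBy": sort_by, "sortOrder": sort_order,
              "pageNumber": page_number, "pageSize": page_size}
    return urlencode({k: v for k, v in params.items() if v is not None})

def _check(names):
    """Reject names that do not look like package names before they reach a URL."""
    for name in names:
        if not PKG_NAME.match(name):
            raise ValueError(f"unexpected package name: {name!r}")
    return list(names)

def packages_get_path(distro, names, page_number, page_size):
    """GET form: names joined by commas, percent-encoded as one path segment."""
    segment = quote(",".join(_check(names)), safe="")
    return (f"/v1/cves/{quote(distro, safe='')}/packages/{segment}"
            f"?{_query(page_number, page_size)}")

def packages_put_request(distro, names, page_number, page_size):
    """PUT form: names travel in the JSON body, so no path encoding is needed."""
    path = f"/v1/cves/{quote(distro, safe='')}/packages?{_query(page_number, page_size)}"
    return path, json.dumps({"packageNames": _check(names)})

def package_version_path(name, version, page_number, page_size):
    """Version lookup: ':' (epoch) and '+' are encoded as in the page's curl example."""
    _check([name])
    return (f"/v1/packages/{quote(name, safe='')}/{quote(version, safe='')}"
            f"?{_query(page_number, page_size)}")

if __name__ == "__main__":
    print(packages_get_path("1592.0", ["crun", "vim"], 4, 2))
    print(package_version_path("vim", "2:9.1.0496-1+b1", 4, 2))
    print(packages_put_request("1592.0", ["vim", "bash", "python3", "curl"], 4, 2))
```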
Get Packages By Vulnerabilities
Gives you a list of packages affected by a specific vulnerability.
$ curl 'https://glvd.ingress.glvd.gardnlinux.shoot.canary.k8s-hana.ondemand.com/v1/distro/1592.0/CVE-2023-50387' -i -X GET \
-H 'Accept: application/json'
The expected response looks like this:
HTTP/1.1 200 OK
Content-Type: application/json
Transfer-Encoding: chunked
Date: Mon, 25 Nov 2024 08:47:54 GMT
Keep-Alive: timeout=60
Connection: keep-alive
Content-Length: 3
[ ]