Transilience is announcing the availability of its richest set of vulnerability data over an API, for developers who want to use it in their CI/CD pipelines and for vendors who want to augment their own vulnerability data.
What is the problem with existing vulnerability data?
We have all heard the complaint that the vulnerability data from NVD is not useful for prioritization. There are two main issues with understanding and prioritizing vulnerabilities:
- Lack of structured information around true impact of vulnerabilities
- Lack of structured information around vendor and product specific details of vulnerabilities
Lack of information around the true impact of vulnerabilities
The current NVD does not capture the true impact of CVEs, in either breadth or depth. The CIA rating does not capture the true nature of the impact, and the severity of each of C, I and A is rated HIGH for the majority of CVEs.
We capture about 75 different attributes of the impact of CVEs, such as:
- Confidentiality
- Integrity
- Availability
Lack of structured information around vendor and product specific details
Vendor advisory pages have a lot more specificity around:
- which products are vulnerable or not vulnerable
- pre-requisites for exploitation of a vulnerability
- workarounds for vulnerabilities
- exploit steps, detection steps, etc.
Transilience captures over 50 such details from vendor advisories.
Both the impact details and the vendor details are available to you over the API.
How to use it?
The API is documented at https://vulns.transilienceapi.com/docs
Step 1 - create an API key with a valid email
Step 2 - use the API
What are the APIs?
- Get basic information of a given set of CVEs. We have included EPSS scores and EPSS percentile information along with the "basic" CVE information from N
- Get detailed information on a single CVE. The impact and vendor details are available on this API.
- Restrictions:
  - The APIs are free for anyone, as long as usage stays within 20 requests per minute.
  - For bulk use of the APIs, contact hello@transilience.ai.
Example Usage
Example - Get Impact Details of a CVE
Below is an example of a call to the `cves/cve` endpoint and the details of the impact of the CVE.
```python
import json
import requests

url = "https://vulns.transilienceapi.com/cves/CVE-2024-13269"
headers = {"x-api-key": "efb43e25-86d1-4ebf-b543-xxxxx"}  # your API key (redacted here)
response = requests.request("GET", url, headers=headers)
json.loads(response.text)["impact"]
```

The `impact` block of the response:

```python
{'confidentiality': {'read_application_data': True,
                     'read_application_data_reason': 'The vulnerability allows sensitive information to be inserted into sent data, which can be read by unauthorized users.',
                     'read_files_or_directories': False,
                     'read_files_or_directories_reason': 'No direct access to files or directories is indicated by the vulnerability.',
                     'read_memory': False,
                     'read_memory_reason': 'The vulnerability does not imply the ability to read memory.'},
 'integrity': {'modify_application_data': True,
               'modify_application_data_reason': 'The vulnerability allows for the modification of application data due to forceful browsing.',
               'modify_files_or_directories': False,
               'modify_files_or_directories_reason': 'No indication that files or directories can be modified.',
               'modify_memory': False,
               'modify_memory_reason': 'The vulnerability does not imply the ability to modify memory.',
               'unauthorized_code_or_commands': False,
               'unauthorized_code_or_commands_reason': 'The vulnerability does not allow for the execution of unauthorized code or commands.',
               'alter_execution_logic': False,
               'alter_execution_logic_reason': 'No indication that execution logic can be altered.',
               'unexpected_state': False,
               'unexpected_state_reason': 'The vulnerability does not cause unexpected states.'},
 'availability': {'unreliable_execution': {'crash_exit_or_restart': False,
                                           'crash_exit_or_restart_reason': 'The vulnerability does not cause crashes or restarts.',
                                           'instability': False,
                                           'instability_reason': 'No indication of instability due to this vulnerability.',
                                           'amplification': False,
                                           'amplification_reason': 'The vulnerability does not cause amplification.'},
                  'resource_consumption': {'cpu': False,
                                           'cpu_reason': 'No indication of CPU resource consumption.',
                                           'memory': False,
                                           'memory_reason': 'No indication of memory resource consumption.',
                                           'other': '',
                                           'other_reason': ''},
                  'quality_degradation': {'reduce_maintainability': False,
                                          'reduce_maintainability_reason': 'No indication that maintainability is reduced.',
                                          'reduce_performance': False,
                                          'reduce_performance_reason': 'No indication that performance is reduced.',
                                          'reduce_reliability': False,
                                          'reduce_reliability_reason': 'No indication that reliability is reduced.',
                                          'other': '',
                                          'other_reason': ''}},
 'access': {'gain_privileges': False,
            'gain_privileges_reason': 'The vulnerability does not allow for privilege escalation.',
            'bypass_protection': True,
            'bypass_protection_reason': 'Forceful browsing indicates the ability to bypass certain protections.'}}
```
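As an added example (my code, not Transilience's), the script below turns an `impact` record like the one above into the flat list of attributes flagged True and a simple CI/CD gate verdict. The record is a constructed, trimmed copy of the CVE-2024-13269 response, the gate policy is my own assumption, and `fetch_impact` uses the documented `x-api-key` header with a key you supply.

```python
"""Added example, not part of the Transilience API or docs: flatten the nested
`impact` record into the attributes flagged True and derive a CI/CD gate verdict."""
import json
import urllib.request

API_BASE = "https://vulns.transilienceapi.com/cves/"

def fetch_impact(cve_id, api_key):
    """GET /cves/<CVE-ID> with the x-api-key header (as on the page) and return
    its impact block. Network call: needs a real key created in Step 1."""
    req = urllib.request.Request(API_BASE + cve_id, headers={"x-api-key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["impact"]

def flagged_impacts(impact, prefix=""):
    """Recursively collect dotted paths of every boolean attribute set to True.
    '*_reason' strings and empty 'other' fields are ignored, so only the
    structured flags drive the result."""
    hits = []
    for key, value in impact.items():
        path = prefix + key
        if isinstance(value, dict):
            hits.extend(flagged_impacts(value, path + "."))
        elif value is True:
            hits.append(path)
    return sorted(hits)

# Assumed policy (mine, not Transilience's): code execution or privilege gain
# blocks a deploy; any other flagged impact asks for review; nothing flagged passes.
BLOCKING = {"integrity.unauthorized_code_or_commands", "access.gain_privileges"}

def gate_decision(impact):
    flagged = flagged_impacts(impact)
    if any(path in BLOCKING for path in flagged):
        return "block"
    return "review" if flagged else "pass"

# Constructed, trimmed copy of the CVE-2024-13269 impact record shown on the page.
SAMPLE_IMPACT = {
    "confidentiality": {"read_application_data": True, "read_memory": False,
                        "read_application_data_reason": "info inserted into sent data"},
    "integrity": {"modify_application_data": True, "unauthorized_code_or_commands": False},
    "availability": {"resource_consumption": {"cpu": False, "other": "", "other_reason": ""}},
    "access": {"gain_privileges": False, "bypass_protection": True},
}
```

For the sample record this yields three flagged paths and a "review" verdict; a record with `gain_privileges` or `unauthorized_code_or_commands` set would be blocked instead.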
Example - Getting details of vendor advisories over the API
Let's take a look at the SSH vulnerability example, CVE-2024-6387.
Number of products mentioned across all the vendors -
Am I vulnerable? List of products over the API
Example response for a product