vulnerability-database
Safeguard articles tagged "vulnerability-database" — guides, analysis, and best practices for software supply chain and application security.
14 articles
NVD's enrichment backlog and how to build a multi-source vuln database strategy
NIST enriched 42,000 CVEs in 2025 — 45% more than any prior year — and still fell behind. On April 15, 2026, it stopped trying to enrich everything.
How Trivy sources vulnerability data (NVD, vendor advisor...
Trivy's CVE data comes from NVD, GHSA, and distro trackers compiled into a periodic snapshot — not kube-hunter. Here's how the pipeline really works, and where it lags.
Open Source Vulnerability Database Comparison 2026
Comparing the major open source vulnerability databases in 2026: NVD, OSV, GHSA, GitLab Advisory, and ecosystem-specific feeds measured on coverage and freshness.
The OSV Vulnerability Database API Cookbook
Practical patterns for using the OSV.dev API in production: batch queries, schema gotchas, version range parsing, and how to integrate OSV data into your own vulnerability pipelines.
What is a Vulnerability Database
CVE, NVD, OSV, GHSA, KEV — vulnerability databases power every scanner's severity score. Here's how they're built, enriched, and where they fall short.
Grype v0.108 Release Notes Walkthrough
Anchore's Grype shipped v0.108.0 in late 2025 with the new vulnerability database v6 schema, distroless support fixes, and a tightened CPE matcher.
Best CVE tracking and monitoring tools
A field guide to CVE tracking tools -- from NVD and OSV.dev to Snyk, Tenable, and Qualys -- with honest pros, cons, and how Safeguard adds supply-chain context.
What Is a CVE Numbering Authority (CNA)?
A CNA is an organization authorized to assign CVE identifiers to vulnerabilities in its scope. Here is how CNAs work and why they shape how fast a flaw becomes citable.
What Is OSV (Open Source Vulnerabilities)?
OSV is an open, ecosystem-native vulnerability database that expresses affected versions in precise, machine-matchable ranges. Here is how it works and why scanners rely on it.
What Is the NVD (National Vulnerability Database)?
The NVD is the U.S. government's enrichment layer on top of the CVE List, adding CVSS scores, CWE classifications, and affected-configuration data. Here is how it works and where it falls short.
How the Snyk Vulnerability Database sources and verifies ...
A look at how Snyk's Vulnerability Database sources, verifies, and scores new disclosures, from GHSA feeds and silent fixes to CVSS overrides and embargo timing.
Why Snyk's vulnerability database often reports issues be...
NVD's CVE enrichment pipeline has a well-documented backlog since 2024. Here's the mechanical reason Snyk's database often shows vulnerabilities weeks earlier.