Safeguard
Tag

vulnerability-database

Safeguard articles tagged "vulnerability-database" — guides, analysis, and best practices for software supply chain and application security.

14 articles

Vulnerability Management

NVD's enrichment backlog and how to build a multi-source vuln database strategy

NIST enriched 42,000 CVEs in 2025 — 45% more than any prior year — and still fell behind. On April 15, 2026, it stopped trying to enrich everything.

Jul 8, 20266 min read
Vulnerability Analysis

How Trivy sources vulnerability data (NVD, vendor advisor...

Trivy's CVE data comes from NVD, GHSA, and distro trackers compiled into a periodic snapshot — not kube-hunter. Here's how the pipeline really works, and where it lags.

Apr 27, 20267 min read
Open Source Security

Open Source Vulnerability Database Comparison 2026

Comparing the major open source vulnerability databases in 2026: NVD, OSV, GHSA, GitLab Advisory, and ecosystem-specific feeds measured on coverage and freshness.

Mar 22, 20265 min read
Open Source Security

The OSV Vulnerability Database API Cookbook

Practical patterns for using the OSV.dev API in production: batch queries, schema gotchas, version range parsing, and how to integrate OSV data into your own vulnerability pipelines.

Mar 2, 20265 min read
Vulnerability Analysis

What is a Vulnerability Database

CVE, NVD, OSV, GHSA, KEV — vulnerability databases power every scanner's severity score. Here's how they're built, enriched, and where they fall short.

Jan 20, 20266 min read
Tools

Grype v0.108 Release Notes Walkthrough

Anchore's Grype shipped v0.108.0 in late 2025 with the new vulnerability database v6 schema, distroless support fixes, and a tightened CPE matcher.

Dec 9, 20255 min read
Buyer's Guides

Best CVE tracking and monitoring tools

A field guide to CVE tracking tools -- from NVD and OSV.dev to Snyk, Tenable, and Qualys -- with honest pros, cons, and how Safeguard adds supply-chain context.

Nov 14, 20257 min read
Concepts

What Is a CVE Numbering Authority (CNA)?

A CNA is an organization authorized to assign CVE identifiers to vulnerabilities in its scope. Here is how CNAs work and why they shape how fast a flaw becomes citable.

Nov 11, 20255 min read
Concepts

What Is OSV (Open Source Vulnerabilities)?

OSV is an open, ecosystem-native vulnerability database that expresses affected versions in precise, machine-matchable ranges. Here is how it works and why scanners rely on it.

Oct 21, 20256 min read
Concepts

What Is the NVD (National Vulnerability Database)?

The NVD is the U.S. government's enrichment layer on top of the CVE List, adding CVSS scores, CWE classifications, and affected-configuration data. Here is how it works and where it falls short.

Sep 30, 20256 min read
Vulnerability Analysis

How the Snyk Vulnerability Database sources and verifies ...

A look at how Snyk's Vulnerability Database sources, verifies, and scores new disclosures, from GHSA feeds and silent fixes to CVSS overrides and embargo timing.

Aug 28, 20257 min read
Open Source Security

Why Snyk's vulnerability database often reports issues be...

NVD's CVE enrichment pipeline has a well-documented backlog since 2024. Here's the mechanical reason Snyk's database often shows vulnerabilities weeks earlier.

Aug 28, 20257 min read
vulnerability-database — Safeguard Blog