a.x61.sh

Vulnerability-Lookup 3.0.0 (www.vulnerability-lookup.org)
from cedric@lemmy.ml to security@lemmy.ml on 02 Feb 22:34
https://lemmy.ml/post/42598082

We are glad to announce Vulnerability-Lookup 3.0.0. Our second release of 2026 is a major milestone, featuring GCVE-BCP-07 support. Now, every Vulnerability-Lookup instance can publish its own KEV catalog while integrating KEV feeds from CISA and ENISA.

Let’s take a look at all the notable changes.

What’s New

GCVE-BCP-07: Known Exploited Vulnerabilities (KEV) Catalogs Integration

This release implements support for GCVE-BCP-07, enabling seamless integration with multiple Known Exploited Vulnerabilities (KEV) catalogs from different Global Numbering Authorities (GNAs). PR #310

Out of the box, any Vulnerability-Lookup instance can publish its own GCVE-BCP-07–compliant KEV catalog and consume KEV catalogs from ENISA and CISA. Conversion and synchronization are performed using the following tool: github.com/gcve-eu/gcve-eu-kev

A huge thank you to CISA and ENISA for their continuous work and for making KEV data available. Their catalogs are key building blocks for effective vulnerability prioritization, and it’s great to see them fit naturally into a GCVE-aligned workflow.

New and updated tools

CISA KEV and ENISA CNW EUVD to GCVE-BCP-07 Converter: github.com/gcve-eu/gcve-eu-kev
```
$ gcve-from-cisa --push
$ gcve-from-enisa --push
```

BCP Validator: github.com/gcve-eu/bcp-validator

$ python gcve_bcp05_validate.py --url https://vulnerability.circl.lu/api/vulnerability?source=gna-1
OK: https://vulnerability.circl.lu/api/vulnerability/recent?source=gna-1

GCVE Python client: github.com/gcve-eu/gcve

$ gcve references --list
{
  "kev": [
      {
      "uuid": "405284c2-e461-4670-8979-7fd2c9755a60",
      "short_name": "CISA KEV",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
      "automation_url": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
      "description": "For the benefit of the cybersecurity community and network defenders\u2014and to help every organization better manage vulnerabilities and keep pace with threat activity\u2014CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework."
      },
      {
      "uuid": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "short_name": "CIRCL",
      "gcve_gna_id": 1,
      "description": "CIRCL provides a known-exploited vulnerability and supporting the different status_reason described in GCVE BCP-07."
      },
      {
      "uuid": "cce329bf-df49-4c6e-a027-80be2e6483bd",
      "short_name": "EUVD KEV",
      "gcve_gna_id": 2,
      "automation_url": "https://github.com/enisaeu/CNW/raw/refs/heads/main/kev.csv",
      "description": "ENISA via the CSIRTs network provides list of known-exploited seen in the CSIRTs network."
      }
  ]
}

New Vulnerability Sources

new: [feeders] OSV importer for Drupal security advisories. Imports vulnerabilities from the Drupal security team’s OSV feed. 14177ab
new: [feeders] OSV importer for CleanStart security advisories. Imports vulnerabilities from CleanStart’s OSV feed. 14177ab
new: [feeders] Bitnami Vulnerability Database importer. Imports vulnerabilities from Bitnami’s OSV-formatted vulnerability database, covering their application catalog. 165e99d

Changes

chg: [gcve] Updated GCVE Python client with improved type hints and bug fixes. 78dbfc1 5ddf74d
chg: [gcve] KEV catalog menu now handles production instances that have their own GNA ID. When a local instance (e.g., CIRCL - GNA-1) exists in the GCVE KEV catalog list, it’s marked as local without creating duplicates. 2bba2d8
chg: [api] Extended x_gcve injection to all vulnerability list endpoints: VulnerabilitiesList, Recent, Last, and LastLegacy. This ensures consistent GCVE integration across all API endpoints. 227da00
Various graphical improvements.

Fixes

fix: [gcve] Resolved circular import in gcve_utils module. e7aa364
‘Ghost CVEs’ toggle is wonky #303
Fix CVSS 4.0 parsing crash in web filters #304
Fix blacklist bypass vulnerability in username validation #314
Support YYYYMMDD date format in API since parameter #315

Changelog

For the full list of changes, check the GitHub release:
v3.0.0 Release Notes

Thank you to all our contributors and testers!

Feedback and Support

If you encounter any issues or have suggestions, please open a ticket on our GitHub repository:
GitHub Issues

Follow Us on the Fediverse

Stay updated on security advisories in real-time by following us on Mastodon:
@vulnerability_lookup

#security

threaded - newest

Tiger@sh.itjust.works on 02 Feb 22:45 collapse

Very cool!

cedric@lemmy.ml on 02 Feb 22:59 collapse

thank you!