Ecosystem & Patch Intelligence
Ecosystem & Patch Intelligence
The challenge: Every OS, distribution, and language ecosystem publishes patches on different timelines with different identifiers. Tracking fix availability across your dependency tree means checking dozens of advisory feeds manually.
What you get: Patch availability across 30+ distributions and ecosystems, with version-specific fix tracking that maps directly to your dependency tree. Know exactly which version fixes what, everywhere you deploy.
Distribution Security Advisories
| Source | Description | |
|---|---|---|
 | AlmaLinux Advisory (direct) | AlmaLinux OS security advisories. RHEL-compatible enterprise Linux distribution patch intelligence. |
 | AlmaLinux Advisory (OSV) | AlmaLinux advisories surfaced through the OSV schema. |
 | RockyLinux Advisory (OSV) | Rocky Linux security advisories. RHEL-compatible distribution patch data via OSV. |
 | Canonical/Ubuntu Advisory (direct) | Ubuntu Security Notices (USN). Canonical's security advisories for Ubuntu LTS and interim releases. |
 | Canonical/Ubuntu Advisory (OSV) | Ubuntu advisories surfaced through the OSV schema with package-level granularity. |
 | Debian Security Advisories (OSV) | Debian Security Advisories (DSA). Stable release vulnerability fixes and backported patches. |
 | Alpine SecDB (OSV) | Alpine Linux security database. Minimal container-oriented distribution patch tracking. |
 | Alpine (OSV) | Alpine Linux package advisories via OSV with version-specific fix availability. |
 | Chainguard SecDB | Chainguard Images security database (packages.cgr.dev). APK secdb feed for the Chainguard distroless container catalog with per-package fix-version tracking. |
 | Wolfi SecDB | Wolfi OS security database (packages.wolfi.dev). APK secdb feed for the Wolfi container-native undistro with per-package fix-version tracking. |
 | AWS Amazon Linux 1 (EOL) | Amazon Linux 1 security advisories. End-of-life distribution — historical patch data. |
 | AWS Amazon Linux 2 | Amazon Linux 2 security advisories. AWS-optimised distribution patch intelligence. |
 | AWS Amazon Linux 2023 | Amazon Linux 2023 security advisories. Latest AWS distribution with deterministic updates. |
 | Azure Linux (3.0) | Microsoft Azure Linux (formerly CBL-Mariner). Azure-optimised container host OS security data. |
 | Oracle Linux | Oracle Linux Security Advisories (ELSA). RHEL-compatible enterprise distribution patch data. |
 | Photon Security Advisories | VMware Photon OS security advisories. Container-optimised Linux distribution patch tracking. |
 | Arch Linux Issue Tracker | Arch Linux security tracker. Rolling-release distribution vulnerability and fix tracking. |
 | Gentoo Bugzilla Security | Gentoo Linux Security Advisories (GLSA). Source-based distribution vulnerability tracking. |
 | Mageia Advisory | Mageia Linux security advisories. Community distribution patch intelligence. |
 | Android (OSV) | Android Security Bulletins. Monthly security patch level data for the Android ecosystem. |
 | Linux Kernel (OSV) | Linux kernel security advisories. Kernel vulnerability data with affected version ranges. |
Language & Package Ecosystem Advisories
| Source | Description | |
|---|---|---|
 | Bitnami Advisory (direct) | Bitnami (VMWare/Broadcom) application stack security advisories. Pre-packaged application vulnerability data. |
 | Bitnami Advisory (OSV) | Bitnami advisories surfaced through the OSV schema. |
 | Drupal Advisory (direct) | Drupal security advisories. CMS core, contributed modules, and theme vulnerability tracking. |
 | Drupal Advisory (OSV) | Drupal advisories surfaced through the OSV schema. |
 | PyPI Advisory (direct) | Python Package Index security advisories. Python ecosystem vulnerability data. |
 | PyPI Advisory (OSV) | PyPI advisories surfaced through the OSV schema. |
 | Python PSF Database (OSV) | Python Software Foundation Advisory Database. CPython interpreter and standard library security. |
 | RustSec Advisory (direct) | RustSec Advisory Database. Rust crate vulnerability data with cargo audit integration. |
 | RustSec Advisory (OSV) | RustSec advisories surfaced through the OSV schema. |
 | Go Advisory (OSV) | Go vulnerability database. Go module advisories maintained by the Go security team. |
 | Haskell Advisory (direct) | Haskell Security Advisory Database. Hackage package vulnerability tracking. |
 | Haskell Advisory (OSV) | Haskell advisories surfaced through the OSV schema. |
 | OCaml Advisory (direct) | OCaml Security Advisory Database. Opam package vulnerability data. |
 | OCaml Advisory (OSV) | OCaml advisories surfaced through the OSV schema. |
 | OSS-Fuzz Advisory (direct) | Google OSS-Fuzz programme. Continuous fuzzing discoveries for critical open source projects. |
 | OSS-Fuzz Advisory (OSV) | OSS-Fuzz advisories surfaced through the OSV schema. |
 | Gemnasium Advisory (GitLab) | GitLab Advisory Database (formerly Gemnasium). Multi-ecosystem vulnerability data maintained by GitLab. |
 | RConsortium Advisory (OSV) | R Consortium Advisory Database. R language package vulnerability tracking. |
 | Global Security Database (OSV) | Global Security Database (GSD). Community-contributed vulnerability data for broad ecosystem coverage. |
 | crates.io (OSV) | Rust crates.io ecosystem advisories via OSV. Complements RustSec with additional data. |
 | Curl (OSV) | curl/libcurl security advisories. Version-specific vulnerability data for the HTTP client library. |
 | Git (including C/C++) (OSV) | Git project and C/C++ ecosystem advisories via OSV. |
 | GitHub Actions (OSV) | GitHub Actions security advisories. Vulnerability data for Actions marketplace and runner components. |
 | Hex (OSV) | Hex.pm Elixir/Erlang package advisories via OSV. BEAM ecosystem vulnerability data. |
 | Maven (OSV) | Maven Central Java ecosystem advisories via OSV. Java/Kotlin dependency vulnerability data. |
 | npm (OSV) | npm JavaScript ecosystem advisories via OSV. Node.js package vulnerability tracking. |
 | NuGet (OSV) | NuGet .NET ecosystem advisories via OSV. C#/F# package vulnerability data. |
| Packagist (OSV) | Packagist PHP ecosystem advisories via OSV. Composer package vulnerability tracking. |
 | Pub (OSV) | Dart/Flutter Pub ecosystem advisories via OSV. |
 | R (CRAN and Bioconductor) (OSV) | R language packages from CRAN and Bioconductor registries via OSV. |
 | Root (OSV) | Root data analysis framework advisories via OSV. |
 | RubyGems (OSV) | RubyGems ecosystem advisories via OSV. Ruby gem vulnerability data. |
 | SwiftURL (OSV) | Swift package ecosystem advisories via OSV. |
 | End-of-Life | End-of-life tracking for software products. Identifies dependencies running past vendor support dates. |
Package Metadata & Scoring
| Source | Description | |
|---|---|---|
 | deps.dev Packages | Google deps.dev. Package dependency graphs, version metadata, and transitive dependency analysis. |
 | OpenSSF Scorecard | OpenSSF Security Scorecard. Automated security health metrics for open source projects (branch protection, CI/CD, dependency updates). |
 | bpkg | Bash package manager security data. Shell script package vulnerability tracking. |
See the Licensing Appendix for redistribution terms applicable to each source.