I want to know since when a specific Finding (in my case axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL · CVE-2025-27152 · GitHub Advisory Database · GitHub) has been added to the grype database. Not when it has been added to ghsa or the cve database. What would be the best way to determine this?
Hey @henrysachs – there is a grype db search command that can provide more information. I think we’re still working on getting all the providers updated to capture this information, though. You may want to follow: Track date timestamps in vulnerability data · Issue #742 · anchore/vunnel · GitHub
Hey @kzantow yeah i was using this already but it contains information when the findings has been published, but i am missing the information when it has been added to the grype database. Or can I assume that between publish in e.g. the GHSA database and the update of the grype database are only a small fraction of minutes/hours?
We run data updates once per day and publish a new database afterwards, so you can assume a new vulnerability will be available within 24 hours in the Grype DB. We do not track the exact DB a vulnerability was introduced at this point, but it would take some sort of outage (like GitHub being inaccessible or NVD problems) to prevent the normal behavior where a vulnerability takes > 24 hours to appear in the DB.
Thanks for the clarification. It would still be cool to have this date when it has been added but for now i will just assume that a vulnerability will be added to the database after less than 24 hours. 