Sonatype Vulnerability Data

Sonatype creates its data using a proprietary, automated vulnerability detection system that monitors, aggregates, correlates, and incorporates machine learning from publicly available information. We gather data from various sources including the National Vulnerability Database, website security advisories, email lists, GitHub events from all open-source projects, blogs, OWASP, OSS Index, Twitter, and customer reports. We have evaluated many paid-for services and have found the quality and precision of the data to be of limited value, driving our decision to build an intelligent, automated vulnerability detection system. The Sonatype Data Research team is not in the business of simply aggregating public security-related feeds — we create the precise data we use.

For example, Sonatype, like other SCA vendors, pulls data from a variety of sources, including:

  • National Vulnerability Database
  • Various public vulnerability feeds
  • Proprietary vulnerability feeds (ex: identifying vulnerabilities in open source code stored in code management platforms such as GitHub)

Unfortunately, not all security data is created equal and some data from the above sources, specifically the NVD and public feeds, is incomplete. Many times the “incomplete” data is missing vulnerabilities, and automation is not sufficient to identify this missing information. As a result, this data must be highly curated by Sonatype’s research teams to fill in the gaps and improve accuracy.

Other related topics:

Data Quality of Sonatype Vulnerabilty Data

Working With Vulerability Data