2020-05-17: Vulnerable versions reporting launched in beta mode
Project versions which may be affected by known CVEs are marked as such in project list
and project pages (example).
Counters of potentially vulnerable packages/projects available for repositories
and maintainers (example) are available.
List of known CVEs for each project is available (example).
Filtering based on potentially vulnerable status is available in projects list
(example).
CPE related problems are reported for repositories which provide CPE information
(currently Gentoo family and Ravenports).
Possible shortcomings:
CPE information needed to match CVEs and projects may be missing for most of the latter. We rely on
repositories providing CPE information (currently Gentoo family and Ravenports) and manual bindings,
but both are currently far from being complete. This is going to gradually improve, feel free to submit
reports/issues on missing CVE information.
Repology currently has no way to know that a certain vulnerability was patched in some repository,
so even if that's so, version will still be marked as "potentially vulnerable". If you're interested
in fixed this, see related Issue.
Both false positives and false negatives are possible for a lot of other reasons, including incorrect
data in National Vulnerability Database itself. See more related
issues on general improvements
and individual cases. However,
total number of errors is quite low and is going to improve further too.