AppThreat
diff --git a/‎.github/workflows/pythonapp.yml‎
Lines changed: 9 additions & 6 deletions b/‎.github/workflows/pythonapp.yml‎
Lines changed: 9 additions & 6 deletions
diff --git a/‎.github/workflows/pythonpublish.yml‎
Lines changed: 3 additions & 2 deletions b/‎.github/workflows/pythonpublish.yml‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎INTEGRATION.md‎
Lines changed: 1 addition & 1 deletion b/‎INTEGRATION.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎README.md‎
Lines changed: 4 additions & 4 deletions b/‎README.md‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎data/CVE_Record_Format.json‎
Lines changed: 138 additions & 9 deletions b/‎data/CVE_Record_Format.json‎
Lines changed: 138 additions & 9 deletions
diff --git a/‎packages/mcp-server-vdb/Dockerfile‎
Lines changed: 2 additions & 2 deletions b/‎packages/mcp-server-vdb/Dockerfile‎
Lines changed: 2 additions & 2 deletions
@@ -10,7 +10,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest, macos-15]
-        python-version: ['3.10', '3.11', '3.12', '3.13']
+        python-version: ['3.10', '3.11', '3.12', '3.13', '3.14']
       fail-fast: false
     steps:
     - uses: actions/checkout@v4
@@ -50,14 +50,12 @@ jobs:
       run: |
         npm install -g @cyclonedx/cdxgen
         cdxgen -t python -o bom.json . -p --profile research
-        uv sync --all-extras --dev
-        uv run vdb --cache --only-osv
-        uv run vdb --bom bom.json
       if: ${{ matrix.python-version == '3.13' && matrix.os == 'ubuntu-latest' }}
-      env:
-        VDB_TEMP_DIR: ${{ runner.temp }}/vdb-temp
     - name: CLI tests
       run: |
+        uv sync --all-extras --dev
+        uv run vdb --cache --only-osv
+        uv run vdb --bom bom.json
         uv run vdb --search "pkg:maven/org.springframework/spring-core@6.0.13"
         uv run vdb --search "pkg:maven/org.hibernate.orm/hibernate-core@6.2.9.Final"
         uv run vdb --search "pkg:nuget/Microsoft.Data.SqlClient@5.0.1"
@@ -66,4 +64,9 @@ jobs:
         uv run vdb --search "pkg:npm/eslint-config-prettier@9.1.0"
         uv run vdb --search "pkg:npm/eslint-config-prettier@9.1.1"
         uv run vdb --search "pkg:npm/eslint-config-prettier@10.1.7"
+        uv run vdb --search "escape.tech:graphql-armor-max-depth:2.4.0"
+        uv run vdb --search "pkg:npm/%40escape.tech/graphql-armor-max-depth@2.4.0"
       if: ${{ matrix.python-version == '3.13' && matrix.os == 'ubuntu-latest' }}
+      env:
+        VDB_IGNORE_OS: true
+        VDB_TEMP_DIR: ${{ runner.temp }}/vdb-temp
@@ -8,11 +8,11 @@ on:
       - master
       - release/*
     tags:
-      - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
+      - 'v*'
   workflow_dispatch:
 
 jobs:
-  deploy:
+  vdb-pypi:
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -61,6 +61,7 @@ jobs:
 
   mcp-container:
     runs-on: ubuntu-latest
+    needs: vdb-pypi
     permissions:
       contents: write
       packages: write
 
@@ -11,7 +11,7 @@ When used as a Python library, the only dependency is Python >= 3.10. When using
 The vulnerability database comprises two SQLite database files.
 
 - data.index.vdb6 - A smaller index database optimized for quick purl or cpe string searches and vers-based range comparisons.
-- data.vdb6 - Full CVE source database containing normalized data in CVE 5.1 specification formation and purl prefix.
+- data.vdb6 - Full CVE source database containing normalized data in CVE 5.2 specification formation and purl prefix.
 
 ### cve_index schema
 
 
@@ -10,7 +10,7 @@ A good vulnerability database must have the following properties:
 - Easy to [download](#download-pre-built-database-recommended), [integrate](./INTEGRATION.md), and use
 - Performance
 
-Multiple upstream sources are used by vdb to improve accuracy and reduce false negatives. SQLite database containing data in CVE 5.1 schema format is precompiled and distributed as files via ghcr to simplify download. With automatic purl prefix generation even for git repos, searches on the database can be performed with purl, cpe, or even http git url string. Every row in the database uses an open specification such as CVE 5.0 or Package URL (purl and vers) thus preventing the possibility of vendor lock-in.
+Multiple upstream sources are used by vdb to improve accuracy and reduce false negatives. SQLite database containing data in CVE 5.2 schema format is precompiled and distributed as files via ghcr to simplify download. With automatic purl prefix generation even for git repos, searches on the database can be performed with purl, cpe, or even http git url string. Every row in the database uses an open specification such as CVE 5.2 or Package URL (purl and vers) thus preventing the possibility of vendor lock-in.
 
 ## Vulnerability Data sources
 
@@ -40,7 +40,7 @@ Multiple upstream sources are used by vdb to improve accuracy and reduce false n
 ## Installation
 
 ```shell
-pip install appthreat-vulnerability-db>=6.2.0
+pip install appthreat-vulnerability-db>=6.5.0
 ```
 
 To install vdb with optional dependencies such as `oras` use the `[oras]` or `[all]` dependency group.
@@ -82,7 +82,7 @@ Use any sqlite browser or cli tools to load and query the two databases.
 
 <img src="./docs/index-vdb6.png" alt="index" width="400">
 
-**data.vdb6** - Contains source data in CVE 5.1 format stored as a jsonb blob.
+**data.vdb6** - Contains source data in CVE 5.2 format stored as a jsonb blob.
 
 <img src="./docs/vdb6.png" alt="database" width="400">
 
@@ -92,7 +92,7 @@ Using [ORAS cli](https://oras.land/) might be slightly faster.
 
 ```
 export VDB_HOME=$HOME/vdb
-oras pull ghcr.io/appthreat/vdbxz:v6.4.x -o $VDB_HOME
+oras pull ghcr.io/appthreat/vdbxz:v6.5.x -o $VDB_HOME
 tar -xvf *.tar.xz
 rm *.tar.xz
 ```
 
@@ -1,8 +1,9 @@
 {
     "$schema": "http://json-schema.org/draft-07/schema#",
     "type": "object",
+    "$id": "https://cveproject.github.io/cve-schema/schema/CVE_Record_Format.json",
     "title": "CVE JSON record format",
-    "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://cve.mitre.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).",
+    "description": "cve-schema specifies the CVE JSON record format. This is the blueprint for a rich set of JSON data that can be submitted by CVE Numbering Authorities (CNAs) and Authorized Data Publishers (ADPs) to describe a CVE Record. Some examples of CVE Record data include CVE ID number, affected product(s), affected version(s), and public references. While those specific items are required when assigning a CVE, there are many other optional data in the schema that can be used to enrich CVE Records for community benefit. Learn more about the CVE program at [the official website](https://www.cve.org). This CVE JSON record format is defined using JSON Schema. Learn more about JSON Schema [here](https://json-schema.org/).",
     "definitions": {
         "uriType": {
             "description": "A universal resource identifier (URI), according to [RFC 3986](https://tools.ietf.org/html/rfc3986).",
@@ -51,8 +52,23 @@
         },
         "cveId": {
             "type": "string",
+            "description":"The official CVE identifier contains the string 'CVE', followed by the year, followed by a 4 to 19 digit number. Note that the year-part of the identifier should indicate either the year the vulnerability was discovered, or the year the CVE ID is published in. CVE IDs must be unique.",
             "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
         },
+        "cpe22and23": {
+            "type": "string",
+            "description":"Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format",
+            "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})",
+            "minLength": 1,
+            "maxLength": 2048
+        },
+        "cpe23": {
+            "type": "string",
+            "description":"Common Platform Enumeration (CPE) Name in 2.3 format",
+            "pattern": "(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})",
+            "minLength": 1,
+            "maxLength": 2048
+        },
         "orgId": {
             "description": "A UUID for an organization participating in the CVE program. This UUID can be used to lookup the organization record in the user registry service.",
             "$ref": "#/definitions/uuidType"
@@ -106,6 +122,7 @@
                     ]
                 }
             ],
+            "additionalProperties": false,
             "properties": {
                 "vendor": {
                     "type": "string",
@@ -196,15 +213,12 @@
                  },
                 "cpes": {
                     "type": "array",
-                    "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here.",
+                    "description": "Affected products defined by CPE. This is an array of CPE values (vulnerable and not), we use an array so that we can make multiple statements about the same version and they are separate (if we used a JSON object we'd essentially be keying on the CPE name and they would have to overlap). Also, this allows things like cveDataVersion or cveDescription to be applied directly to the product entry. This also allows more complex statements such as \"Product X between versions 10.2 and 10.8\" to be put in a machine-readable format. As well since multiple statements can be used multiple branches of the same product can be defined here. NOTE: Consider using the newer cpeApplicability block for defining CPE data using the CPE Applicability Language which includes more options for defining CPE Names.",
                     "uniqueItems": true,
                     "items": {
                         "title": "CPE Name",
-                        "type": "string",
                         "description":"Common Platform Enumeration (CPE) Name in either 2.2 or 2.3 format",
-                        "pattern": "([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\\-~%]*){0,6})|(cpe:2\\.3:[aho*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-._]|(\\\\[\\\\*?!\"#$%&'()+,/:;<=>@\\[\\]\\^`{|}~]))+(\\?*|\\*?))|[*\\-])){4})",
-                        "minLength": 1,
-                        "maxLength": 2048
+                        "$ref": "#/definitions/cpe22and23"
                     }
                 },
                 "modules": {
@@ -272,7 +286,7 @@
                 },
                 "versions": {
                     "type": "array",
-                    "description": "Set of product versions or version ranges related to the vulnerability. The versions satisfy the CNA Rules [8.1.2 requirement](https://cve.mitre.org/cve/cna/rules.html#section_8-1_cve_entry_information_requirements). Versions or defaultStatus may be omitted, but not both.",
+                    "description": "Set of product versions or version ranges related to the vulnerability. The versions help satisfy the CNA Rules [5.1.3 requirement](https://www.cve.org/ResourcesSupport/AllResources/CNARules#section_5-1_Required_CVE_Record_Content). Versions or defaultStatus may be omitted, but not both.",
                     "minItems": 1,
                     "uniqueItems": true,
                     "items": {
@@ -350,6 +364,28 @@
                         },
                         "additionalProperties": false
                     }
+                },
+                "packageURL": {
+                    "description": "A Package URL, a unified URL specification for identifying packages hosted by known package hosts. The Package URL MUST NOT include a version.",
+                    "$ref": "#/definitions/uriType",
+                    "examples": [
+                        "pkg:bitbucket/birkenfeld/pygments-main",
+                        "pkg:deb/debian/curl?arch=i386&distro=jessie",
+                        "pkg:docker/cassandra",
+                        "pkg:docker/customer/dockerimage?repository_url=gcr.io",
+                        "pkg:gem/jruby-launcher?platform=java",
+                        "pkg:gem/ruby-advisory-db-check",
+                        "pkg:github/package-url/purl-spec",
+                        "pkg:golang/google.golang.org/genproto#googleapis/api/annotations",
+                        "pkg:maven/org.apache.xmlgraphics/batik-anim?packaging=sources",
+                        "pkg:maven/org.apache.xmlgraphics/batik-anim?repository_url=repo.spring.io/release",
+                        "pkg:npm/%40angular/animation",
+                        "pkg:npm/foobar",
+                        "pkg:nuget/EnterpriseLibrary.Common",
+                        "pkg:pypi/django",
+                        "pkg:rpm/fedora/curl?arch=i386&distro=fedora-25",
+                        "pkg:rpm/opensuse/curl?arch=i386&distro=opensuse-tumbleweed"
+                    ]
                 }
             }
         },
@@ -364,7 +400,7 @@
             "description": "The version of the CVE schema used for validating this record. Used to support multiple versions of this format.",
             "type": "string",
             "pattern": "^5\\.(0|[1-9][0-9]*)(\\.(0|[1-9][0-9]*))?$",
-            "default": "5.1.0"
+            "default": "5.2.0"
         },
         "cveMetadataPublished": {
             "description": "This is meta data about the CVE ID such as the CVE ID, who requested it, who assigned it, when it was requested, the current state (PUBLISHED, REJECTED, etc.) and so on.  These fields are controlled by the CVE Services.",
@@ -487,6 +523,87 @@
             "required": ["orgId"],
             "additionalProperties": false
         },
+        "cpeApplicabilityElement": {
+            "description": "Affected products defined using an implementation of the CPE Applicability Language, mostly copied/forked from the NIST NVD CVE API v2.0 schema (optional). An operator property allows AND or OR logic between CPEs or combinations of CPEs. The negate and vulnerable Boolean properties allow CPEs to be inverted and/or defined as vulnerable or not. Multiple version fields are provided for capturing ranges of products when defining a CPE Match String Range. NOTE: When defining a cpeApplicability block, it is recommended that it align with (as much as possible) the product data provided within the affected block.",
+            "properties": {
+                "operator": {
+                    "type": "string",
+                    "enum": [
+                        "AND",
+                        "OR"
+                    ]
+                },
+                "negate": {
+                    "type": "boolean"
+                },
+                "nodes": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/cpe_node"
+                    }
+                }
+            },
+            "required": [
+                "nodes"
+            ]
+        },
+        "cpe_node": {
+            "description": "Defines a CPE configuration node in an applicability statement.",
+            "properties": {
+                "operator": {
+                    "type": "string",
+                    "enum": [
+                        "AND",
+                        "OR"
+                    ]
+                },
+                "negate": {
+                    "type": "boolean"
+                },
+                "cpeMatch": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/cpe_match"
+                    }
+                }
+            },
+            "required": [
+                "operator",
+                "cpeMatch"
+            ]
+        },
+        "cpe_match": {
+            "description": "CPE match string or range",
+            "type": "object",
+            "properties": {
+                "vulnerable": {
+                    "type": "boolean"
+                },
+                "criteria": {
+                    "$ref": "#/definitions/cpe23"
+                },
+                "matchCriteriaId": {
+                    "$ref": "#/definitions/uuidType"
+                },
+                "versionStartExcluding": {
+                    "$ref": "#/definitions/version"
+                },
+                "versionStartIncluding": {
+                    "$ref": "#/definitions/version"
+                },
+                "versionEndExcluding": {
+                    "$ref": "#/definitions/version"
+                },
+                "versionEndIncluding": {
+                    "$ref": "#/definitions/version"
+                }
+            },
+            "required": [
+                "vulnerable",
+                "criteria"
+            ],
+            "additionalProperties": false
+        },
         "cnaPublishedContainer": {
             "description": "An object containing the vulnerability information provided by a CVE Numbering Authority (CNA) for a published CVE ID. There can only be one CNA container per CVE record since there can only be one assigning CNA. The CNA container must include the required information defined in the CVE Rules, which includes a product, version, problem type, prose description, and a reference.",
             "type": "object",
@@ -514,6 +631,12 @@
                 "affected": {
                     "$ref": "#/definitions/affected"
                 },
+                "cpeApplicability": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/cpeApplicabilityElement"
+                    }
+                },
                 "problemTypes": {
                     "$ref": "#/definitions/problemTypes"
                 },
@@ -620,6 +743,12 @@
                 "affected": {
                     "$ref": "#/definitions/affected"
                 },
+                "cpeApplicability": {
+                    "type": "array",
+                    "items": {
+                        "$ref": "#/definitions/cpeApplicabilityElement"
+                    }
+                },
                 "problemTypes": {
                     "$ref": "#/definitions/problemTypes"
                 },
@@ -1231,4 +1360,4 @@
             "additionalProperties": false
         }
     ]
-}
+}
@@ -27,12 +27,12 @@ LABEL maintainer="Team AppThreat" \
       org.opencontainers.image.authors="Team AppThreat <cloud@appthreat.com>" \
       org.opencontainers.image.source="https://github.com/AppThreat/vulnerability-db" \
       org.opencontainers.image.url="https://github.com/AppThreat/vulnerability-db" \
-      org.opencontainers.image.version="1.0.x" \
+      org.opencontainers.image.version="1.1.x" \
       org.opencontainers.image.vendor="appthreat" \
       org.opencontainers.image.licenses="MIT" \
       org.opencontainers.image.title="vulnerability-db" \
       org.opencontainers.image.description="MCP server for AppThreat's vulnerability database and package search library." \
-      org.opencontainers.docker.cmd="docker run -i --rm -e VDB_HOME=/db -v $HOME/db:/db:rw ghcr.io/appthreat/mcp-server-vdb:master"
+      org.opencontainers.docker.cmd="docker run -i --rm -e VDB_HOME=/db -v $HOME/db:/db:rw ghcr.io/appthreat/mcp-server-vdb"
 
 WORKDIR /app