CVE Database

How CodeVigil's local CVE database works with 130,000+ vulnerabilities.

Overview

CodeVigil includes a local CVE (Common Vulnerabilities and Exposures) database containing over 130,000 known vulnerabilities. This database enables CodeVigil to check your project's dependencies against known security issues.

The CVE database is one of CodeVigil's most distinctive features. Cloud-based vulnerability scanners require an internet connection and transmit your dependency information to third-party servers; CodeVigil instead stores the database locally, so lookups are fast and run on your own machine.

How It Works

Initial Download

When you first install CodeVigil, the extension downloads the full CVE database in the background. This initial download is approximately 45 MB compressed and takes 1-2 minutes on a typical connection. The database is stored in VS Code's global storage directory and shared across all workspaces.

Incremental Sync

After the initial download, CodeVigil uses incremental syncing to keep the database up to date. Only new and modified CVE entries are downloaded, typically just a few hundred KB per sync. By default, the database syncs once every 24 hours when an internet connection is available.

You can configure the sync interval with the codeVigil.cveDatabase.syncInterval setting:

{
  "codeVigil.cveDatabase.syncInterval": 12
}

Manual Sync

To manually trigger a database sync, use the command palette:

  1. Press Ctrl+Shift+P / Cmd+Shift+P
  2. Type CodeVigil: Sync CVE Database
  3. Watch the sync progress in the status bar

Dependency Scanning

When you open a project, CodeVigil identifies dependency manifests:

  • package.json and package-lock.json (Node.js)
  • requirements.txt and Pipfile.lock (Python)
  • pom.xml and build.gradle (Java)
  • go.mod (Go)
  • Gemfile and Gemfile.lock (Ruby)
  • composer.lock (PHP)
  • *.csproj and packages.config (C#)
  • build.gradle.kts (Kotlin)

CodeVigil cross-references each dependency and version against the local CVE database. Vulnerable dependencies are flagged with diagnostics directly in the manifest file, showing:

  • The CVE identifier (e.g., CVE-2024-1234)
  • The CVSS severity score
  • A brief description of the vulnerability
  • The fixed version (if available)
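The following JavaScript is an added illustration, not CodeVigil's own code, of the cross-referencing step described above: it parses two of the listed manifest formats, matches each pinned dependency against a small local index of affected version ranges, and emits the four diagnostic fields. The index shape, the simplified version comparison, the package names and every record are assumptions constructed for the example.

```javascript
// Added example, not CodeVigil's code. Index shape and all sample records are constructed.
const LOCAL_CVE_INDEX = {
  "npm/demo-utils":  [{ id: "CVE-0000-0001", cvss: 7.4, summary: "placeholder: prototype pollution", introduced: "0.0.0", fixed: "4.17.21" }],
  "pypi/demo-http":  [{ id: "CVE-0000-0002", cvss: 6.1, summary: "placeholder: credential leak on redirect", introduced: "2.3.0", fixed: "2.31.0" }],
};

// Compare dotted numeric versions (-1, 0, 1). Pre-release suffixes are dropped,
// a simplification of real semver / PEP 440 ordering.
function compareVersions(a, b) {
  const parts = (v) => v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
  const pa = parts(a), pb = parts(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Affected when introduced <= version < fixed; a record without "fixed" has no upper bound.
function isAffected(version, rec) {
  return compareVersions(version, rec.introduced) >= 0 &&
    (rec.fixed === undefined || compareVersions(version, rec.fixed) < 0);
}

// package-lock.json (lockfileVersion 2/3): "packages" keys look like "node_modules/<name>".
function parsePackageLock(text) {
  return Object.entries(JSON.parse(text).packages || {})
    .filter(([key]) => key.startsWith("node_modules/"))
    .map(([key, meta]) => ({ ecosystem: "npm", name: key.split("node_modules/").pop(), version: meta.version }));
}

// requirements.txt: only exact pins ("name==version") can be matched against a version range.
function parseRequirements(text) {
  return text.split("\n").map((l) => l.trim()).filter((l) => l && !l.startsWith("#"))
    .map((l) => l.split("==")).filter((p) => p.length === 2)
    .map(([name, version]) => ({ ecosystem: "pypi", name: name.toLowerCase(), version }));
}
// Cross-reference every dependency against the local index; one diagnostic per matching CVE,
// carrying the fields a manifest diagnostic shows (id, CVSS, description, fixed version).
function scanDependencies(deps, index = LOCAL_CVE_INDEX) {
  return deps.flatMap((dep) =>
    (index[`${dep.ecosystem}/${dep.name}`] || []).filter((rec) => isAffected(dep.version, rec))
      .map((rec) => ({ package: dep.name, version: dep.version, cve: rec.id, cvss: rec.cvss,
        description: rec.summary, fixedVersion: rec.fixed ?? null })));
}
// Constructed sample manifests: demo-utils 4.17.20 and demo-http 2.25.1 fall inside the ranges above.
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: { "": { name: "demo" },
  "node_modules/demo-utils": { version: "4.17.20" }, "node_modules/express": { version: "4.18.2" } } });
const SAMPLE_REQS = "# constructed sample\ndemo-http==2.25.1\nflask==3.0.0\n";
const SAMPLE_FINDINGS = scanDependencies([...parsePackageLock(SAMPLE_LOCK), ...parseRequirements(SAMPLE_REQS)]);
```

Unpinned requirements (e.g. `flask>=3.0`) are skipped here because a range cannot be matched against a single affected interval; a real scanner resolves them from the lock file first.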

Local-Only Usage

The CVE database is stored locally and all lookups happen on your machine. Once the initial download is complete, dependency scanning works without any internet connection.

Pre-loading the Database

For environments where the initial download is not possible, you can pre-load the database:

  1. On a machine with internet access, run CodeVigil: Export CVE Database from the command palette
  2. Copy the exported .cvdb file to the target machine
  3. On the target machine, run CodeVigil: Import CVE Database and select the file

Database Contents

The CVE database includes:

  • CVE entries: Over 130,000 records from the National Vulnerability Database (NVD)
  • CPE mappings: Common Platform Enumeration data linking CVEs to specific software packages and versions
  • CVSS scores: Common Vulnerability Scoring System ratings for severity assessment
  • Fix versions: Known safe versions for affected packages
  • References: Links to advisories, patches, and detailed write-ups

Data Sources

CodeVigil's CVE database aggregates data from multiple authoritative sources:

  • NIST National Vulnerability Database (NVD)
  • GitHub Advisory Database
  • OSV (Open Source Vulnerabilities)
  • Language-specific advisory databases (npm, PyPI, RubyGems, etc.)

Storage and Performance

  • Disk usage: Approximately 120 MB uncompressed
  • Location: VS Code's globalStoragePath for the CodeVigil extension
  • Query speed: Sub-millisecond lookups using an optimized local index
  • Memory usage: The database is loaded on-demand, not kept in memory

Troubleshooting

Database sync fails

If the sync fails, check that:

  • Your internet connection is active
  • No firewall or proxy is blocking https://cve.bitsplus.ai
  • A manual sync from the command palette also fails (if it succeeds, the scheduled sync was simply interrupted)

Database appears outdated

The status bar shows the last sync date. If the database is more than 7 days old, CodeVigil shows a warning. You can force a fresh sync by:

  1. Opening the command palette
  2. Running CodeVigil: Reset CVE Database

Resetting deletes the local database and triggers a fresh download.

Large database size

If disk space is a concern, you can disable the CVE database entirely:

{
  "codeVigil.cveDatabase.enabled": false
}

This disables dependency scanning but all other CodeVigil features continue to work normally.