Advisory distribution

The pie chart below illustrates the advisory distribution for the package types we support by providing their total number and percentages.

Number of CVEs

The pie chart below illustrates how many advisories in the database originate from NVD.

Number of merged CVEs

The bar chart below depicts the number of advisories (CVEs only) that have been merged during the last couple of months, starting from May 2019, when the initial data was imported to gemnasium-db. Note that we are only counting newly added advisories (not updated ones).

Throughput

Throughput indicates the efficiency of adding new advisories to gemnasium-db; more automation increases the throughput. The plot below shows how the throughput developed over the last couple of months. For every month, throughput is computed with: \(\frac{|\text{Advisories}|}{\text{day}}\). The spike for May 2019 is due to the initial import of advisory data.

Coverage

Coverage indicates how many advisories from NVD have been identified as relevant in the context of dependency scanning. The bar chart below shows how many CVEs (in %) were translated into advisories because of their relation to a supported package. The X-axis depicts the year of the NVD data feed, whereas the Y-axis depicts the percentage of extracted CVEs.

TTM (Time to Merge)

Time to merge (TTM) measures the elapsed time between the publication of a CVE on NVD and the point in time where the advisory is merged into gemnasium-db. The figures below illustrate the weekly and monthly TTM trends. The orange line represents the mean values, whereas the blue line represents the median values. The grey area illustrates the boundaries, i.e., the observed minimum and maximum TTM values for a certain period. In all figures below, the red, dashed line marks the 7-day threshold.

The figures below show how many advisories (depicted on Y axis) have been merged within a given number of days (depicted on X axis).
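
The TTM statistics described above can be computed as in the following added example, which is not gemnasium-db's own tooling. The records, the placeholder CVE identifiers, the grouping by merge month and the cumulative reading of "merged within a given number of days" are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import mean, median

THRESHOLD_DAYS = 7  # the 7-day threshold marked in the TTM figures

# Constructed sample records: (placeholder id, NVD publication date, merge date).
SAMPLE = [
    ("CVE-0000-0001", date(2019, 6, 3), date(2019, 6, 5)),
    ("CVE-0000-0002", date(2019, 6, 10), date(2019, 6, 24)),
    ("CVE-0000-0003", date(2019, 6, 20), date(2019, 6, 26)),
    ("CVE-0000-0004", date(2019, 6, 28), date(2019, 7, 1)),
    ("CVE-0000-0005", date(2019, 7, 2), date(2019, 7, 12)),
    ("CVE-0000-0006", date(2019, 7, 15), date(2019, 7, 16)),
]


def ttm_days(published, merged):
    """Days between NVD publication and merge; rejects a merge before publication."""
    delta = (merged - published).days
    if delta < 0:
        raise ValueError("merge date precedes NVD publication date")
    return delta


def monthly_ttm(records):
    """Group by merge month (assumed period) and return mean, median, min, max TTM."""
    buckets = defaultdict(list)
    for _cve, published, merged in records:
        buckets[(merged.year, merged.month)].append(ttm_days(published, merged))
    return {
        month: {"mean": mean(v), "median": median(v), "min": min(v), "max": max(v)}
        for month, v in sorted(buckets.items())
    }


def merged_within(records, max_days):
    """Cumulative count: advisories merged within max_days of NVD publication."""
    return sum(1 for _c, p, m in records if ttm_days(p, m) <= max_days)


if __name__ == "__main__":
    for month, stats in monthly_ttm(SAMPLE).items():
        print(month, stats)
    print("within threshold:", merged_within(SAMPLE, THRESHOLD_DAYS))
```

A single slow merge moves the mean and the maximum but not the median, which is why the figures plot both lines along with the min/max band.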