Chainguard Libraries is a Chainguard product that provides secure, curated versions of open source libraries for various programming language ecosystems. Unlike traditional package repositories, Chainguard Libraries are rebuilt from upstream open source project code repositories only, helping prevent supply chain attacks and reduce malware risks.
You can learn more about Chainguard Libraries at https://www.chainguard.dev/libraries.
A key feature of Chainguard Libraries is CVE remediation. This provides backporting of security fixes from newer versions to older versions of libraries that may no longer receive updates from upstream maintainers. Many applications rely on older versions of libraries, but upstream maintainers may not apply and release patches for those versions.
Remediated library versions use a special naming convention to distinguish them from upstream versions. The exact version convention depends on the language ecosystem. Our naming conventions are documented below:
- Python: `<upstream-version>+cgr.N`
  - Example: `werkzeug==3.0.2+cgr.1` (where `3.0.2` is the base version and `+cgr.1` indicates the Chainguard remediation)
  - This is aligned with PEP-440 Version Identification and Dependency Specification.
This naming convention ensures that:
- The remediated version is recognized as compatible with the base version
- Scanners can differentiate between upstream and remediated versions
- Package managers treat these as valid version specifiers
Chainguard continuously publishes data about security fixes applied to Libraries through a dedicated VEX (Vulnerability Exploitability eXchange) feed.
The VEX feed is the source of truth for understanding which vulnerabilities have been remediated in Chainguard Libraries. Chainguard's VEX feed uses the OpenVEX format, an open standard for sharing vulnerability information.
VEX Feed Location: https://libraries.cgr.dev/openvex/v1/index.json
The VEX feed provides:
- Patched versions for each CVE addressed in remediated libraries
- Machine-readable data that scanners can consume to accurately report vulnerabilities
Each individual advisory is represented as its own file in the OpenVEX format. The index.json file serves as an index to all available advisories.
The VEX feed is updated continuously (multiple times per day) as new CVE remediations are released. Scanners should fetch the latest VEX data regularly to ensure accurate scan results.
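The two pieces above, the `+cgr.N` naming convention and the per-CVE fixed versions the VEX feed publishes, are what a scanner has to combine. The following is an added example (not Chainguard's code and not the feed's actual schema) that parses the Python convention and decides whether an installed version carries a given remediation; the CVE identifier and the fixed-version list are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Matches "<upstream-version>+cgr.N": a PEP 440 release segment plus the
# Chainguard local-version label. Pre-release/post/dev segments are not
# handled; the convention described here only covers the plain release form.
_VERSION_RE = re.compile(r"^(?P<base>\d+(?:\.\d+)*)(?:\+cgr\.(?P<n>\d+))?$")


@dataclass(frozen=True)
class PyVersion:
    base: tuple  # upstream release numbers, e.g. (3, 0, 2), trailing zeros dropped
    cgr: int     # remediation number; 0 means an unmodified upstream build

    @property
    def remediated(self) -> bool:
        return self.cgr > 0


def parse_version(text: str) -> PyVersion:
    """Parse '3.0.2' or '3.0.2+cgr.1'; reject anything outside that shape."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in m.group("base").split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # PEP 440: 3.0 == 3.0.0
        parts.pop()
    return PyVersion(tuple(parts), int(m.group("n") or 0))


def carries_fix(installed: str, fixed: str) -> bool:
    """True if `installed` has remediation `fixed` (e.g. '3.0.2+cgr.1') or a later
    one on the same upstream base. A different base is outside this rule and
    returns False; the scanner must consult the feed's other entries for it."""
    i, f = parse_version(installed), parse_version(fixed)
    return i.base == f.base and i.cgr >= f.cgr


# Constructed sample (placeholder CVE id, made-up fixed versions) standing in
# for the per-CVE patched versions a scanner would read from index.json.
SAMPLE_FIXES = {"CVE-0000-00000": ["3.0.2+cgr.1", "2.3.8+cgr.2"]}


def findings(package_version: str, fixes: dict = SAMPLE_FIXES) -> list:
    """CVEs from `fixes` whose remediation the installed version lacks, judged
    only for upstream bases the feed actually lists a remediated build for."""
    v = parse_version(package_version)
    out = []
    for cve, fixed_versions in fixes.items():
        same_base = [f for f in fixed_versions if parse_version(f).base == v.base]
        if same_base and not any(carries_fix(package_version, f) for f in same_base):
            out.append(cve)
    return out
```

Note that a plain upstream `3.0.2` is reported as missing the fix while `3.0.2+cgr.2` is accepted, which is exactly the distinction the local-version label exists to make.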
While both Chainguard Images and Chainguard Libraries are part of Chainguard's secure software supply chain offerings, they serve different purposes:
| Aspect | Chainguard Images | Chainguard Libraries |
|---|---|---|
| Type | Container images | Language ecosystem packages |
| Packaging | APK packages in OCI images | PyPI packages, npm packages, etc. |
| Distribution | Container registries | Language package repositories |
| Security Data | OSV feed and secdb | VEX feed |
| Use Case | Running containers | Application dependencies |
| Detection | /etc/os-release, /usr/lib/apk/db/installed | installed packages, lock files, etc. |
Next up: Scanning Implementation