Vulnlog Proof of Concepts

Experimental repository for testing new Vulnlog ideas, approaches, and technologies.

Background: YAML and JSON Schema PoC

Why This PoC Exists

The current Kotlin custom scripting DSL has limitations that need addressing:

Flaky DSL detection in IDEs
Missing Kotlin K2 support ( see State of Kotlin Scripting 2024)

Design Goals

Easy to learn, write, and read for software and security engineers
Future-proof and maintainable

What This PoC Does

Provides a YAML-based Vulnlog definition language with a simple CLI that:

Deserializes YAML files into Java/Kotlin objects
Prints parsed content to console

Note: This PoC does not validate beyond parsing or generate output files. It's designed for experimentation with the vulnerability definition language.

Project Structure

yaml - JSON Schema and CLI parser (README includes build instructions and learnings)
yaml-data - Example Vulnlog YAML files

Quick Start

Installation

Choose one of the following:

Option 1: Download binaries
Get the latest release from Releases (Linux, macOS, Windows with Java)

Option 2: Ubuntu Snap

sudo snap install vl-yaml

Option 3: Homebrew (macOS)

brew install vulnlog/vulnlog/vl-yaml

Option 3: Build from source

./gradlew installDist

Binaries will be in yaml/build/install/yaml/bin.

Usage

vl-yaml --version

vl-yaml yaml-data/single-file-example/example.vl.yml

Output:

Hello YAML/JSON-Schema Vulnlog!
This is a PoC to experiment with YAML and JSON-Schema as an alternative to the existing Kotlin custom scripting DSL.
See https://github.com/vulnlog/vulnlog-poc for more information.

version: 1.0.0
vendor: Example Inc
product: Example Product

Releases
id: v100
version: 1.0.0
release date: 2021-10-31
id: v101
version: 1.0.1
release date: 2021-12-12


Reporters
id: trivy
vendor: Aqua Security Trivy


Reporter Pipelines
id: trivy-pipeline
name: Trivy Pipeline
reporter: trivy


Vulnerabilities
desc: Remote code execution (RCE) vulnerability in Log4j's JNDI features.
reports:
  vulnerability id: CVE-2021-44228
  reporter ID: trivy
  at: 2021-12-10
  on id: v100
analysis:
  verdict affected:
    severity: Critical
  reasoning: Example product uses Log4j in a vulnerable version and therefore is affected.
resolutions:
  update
    maven dependency: org.apache.logging.log4j:log4j-core:2.12.4
    to version: 2.13.0
    resolved at: 2021-12-12

Name		Name	Last commit message	Last commit date
Latest commit History 51 Commits
.github		.github
.idea		.idea
buildSrc		buildSrc
gradle		gradle
yaml-data		yaml-data
yaml		yaml
.gitignore		.gitignore
CHANGELOG.md		CHANGELOG.md
README.md		README.md
gradle.properties		gradle.properties
gradlew		gradlew
gradlew.bat		gradlew.bat
settings.gradle.kts		settings.gradle.kts
snapcraft.yaml		snapcraft.yaml

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

Vulnlog Proof of Concepts

Background: YAML and JSON Schema PoC

Why This PoC Exists

Design Goals

What This PoC Does

Project Structure

Quick Start

Installation

Usage

About

Uh oh!

Releases 6

Packages

Contributors 2

Uh oh!

Languages

vulnlog/vulnlog-poc

Folders and files

Latest commit

History

Repository files navigation

Vulnlog Proof of Concepts

Background: YAML and JSON Schema PoC

Why This PoC Exists

Design Goals

What This PoC Does

Project Structure

Quick Start

Installation

Usage

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases 6

Packages 0

Contributors 2

Uh oh!

Languages

Packages