# Source Catalog Audit

- generated_at: `2026-03-21T09:17:05+00:00`
- systems: `62`
- sources: `179`
- active_sources: `101`
- retired_sources: `78`
- systems_with_active_official: `61/62`
- systems_with_machine_readable_source: `61/62`

## Retired Sources

- `adminer` `NVD Adminer` -> replacements: `OSV Adminer` | reason: OSV Adminer provides a machine-readable Packagist-aligned source, removing the need for NVD public search.
- `adobe-commerce` `Adobe Security Bulletins` -> replacements: `Adobe Magento Security Index, NVD Adobe Commerce, GHSA Adobe Commerce` | reason: Original bulletin index probe was unstable under the old transport path; vendor index replacement uses explicit request policy and parser hints.
- `adobe-commerce` `GHSA Adobe Commerce` -> replacements: `Adobe Magento Security Index, NVD Adobe Commerce` | reason: Unauthenticated GHSA API requests are rate-limited in daily monitoring; Adobe index and NVD remain active replacements.
- `adobe-commerce` `NVD Adobe Commerce` -> replacements: `Adobe Magento Security Index` | reason: Adobe Magento Security Index is now the active official machine-readable source, so NVD public search is no longer needed for daily collection.
- `adobe-commerce` `Sansec Research` -> replacements: `GHSA Adobe Commerce, Adobe Magento Security Index` | reason: Research index is too slow for daily active monitoring; GHSA Adobe Commerce provides a stable machine-readable replacement.
- `angular` `GitHub Global Advisories` -> replacements: `OSV Angular` | reason: Unauthenticated GHSA API requests are rate-limited in daily monitoring; OSV Angular remains the active replacement source.
- `apache-httpd` `NVD Apache HTTP Server` -> replacements: `Apache HTTPD Security, CISA KEV Apache HTTPD` | reason: Official Apache HTTPD advisories page plus CISA KEV are sufficient active sources for daily monitoring.
- `apache-tomcat` `NVD Tomcat` -> replacements: `Apache Tomcat Security, CISA KEV Tomcat` | reason: Official Tomcat advisories page plus CISA KEV are sufficient active sources for daily monitoring.
- `aspnet-core` `NVD ASP.NET Core` -> replacements: `OSV ASP.NET Core` | reason: OSV ASP.NET Core provides machine-readable NuGet-aligned coverage with lower latency than NVD public search.
- `astro` `GitHub Global Advisories` -> replacements: `OSV Astro` | reason: Unauthenticated GHSA API requests are rate-limited in daily monitoring; OSV Astro remains the active replacement source.
- `caddy` `GitHub Caddy Advisories` -> replacements: `OSV Caddy` | reason: OSV Caddy is the active official machine-readable replacement; keeping GitHub HTML advisories active adds duplicate cold-start cost.
- `discourse` `Discourse Meta Security` -> replacements: `Discourse Release Notes RSS, GitHub Discourse Advisories` | reason: Meta security category HTML changed and no longer provides stable scrape semantics for health checks.
- `discourse` `GitHub Discourse Advisories` -> replacements: `Discourse Release Notes RSS, Discourse Security RSS` | reason: Unauthenticated GHSA API requests are rate-limited in daily monitoring; Discourse release feed remains the active official source.
- `django` `Django Security RSS` -> replacements: `Django Security Weblog, Django Security Releases Archive` | reason: Official security tag feed became unstable; use official weblog index and release archive instead.
- `drupal` `NVD Drupal` -> replacements: `Drupal Security Advisories RSS, OSV Drupal` | reason: OSV Drupal + Drupal official RSS now cover machine-readable collection with lower cold-start latency than NVD public search.
- `esbuild` `GitHub Global Advisories` -> replacements: `OSV esbuild` | reason: Unauthenticated GHSA API requests are rate-limited in daily monitoring; OSV esbuild remains the active replacement source.
- `esbuild` `NVD esbuild` -> replacements: `OSV esbuild` | reason: OSV esbuild replaces NVD public search for lower-latency machine-readable collection.
- `express` `GitHub Global Advisories` -> replacements: `OSV Express` | reason: Unauthenticated GHSA API requests are rate-limited in daily monitoring; OSV Express remains the active replacement source.
- `express` `NVD Express.js` -> replacements: `OSV Express` | reason: OSV Express replaces NVD public search for lower-latency machine-readable collection.
- `fastify` `GitHub Global Advisories` -> replacements: `OSV Fastify` | reason: Unauthenticated GHSA API requests are rate-limited in daily monitoring; OSV Fastify remains the active replacement source.
- `flask` `GitHub Global Advisories` -> replacements: `OSV Flask` | reason: Unauthenticated GitHub advisory API is quota-limited; OSV Flask remains the active machine-readable source.
- `ghost` `NVD Ghost` -> replacements: `Ghost GitHub Advisories, OSV Ghost` | reason: OSV Ghost replaces NVD for machine-readable collection and keeps npm package alignment.
- `gitea` `GitHub Gitea Advisories` -> replacements: `OSV Gitea` | reason: OSV Gitea is the active official machine-readable replacement; keeping GitHub HTML advisories active adds duplicate cold-start cost.
- `gitlab-ce` `GitLab Security Releases` -> replacements: `GitLab Security Releases Atom` | reason: GitLab Security Releases Atom is the official machine-readable replacement; keeping both active adds duplicate cold-start cost without added coverage.
- `gitlab-ce` `NVD GitLab` -> replacements: `GitLab Security Releases, GitLab Security Releases Atom` | reason: GitLab Security Releases Atom provides an official machine-readable feed, so NVD public search is no longer required.
- `hapi` `GitHub Global Advisories` -> replacements: `OSV Hapi` | reason: Unauthenticated GHSA API requests are rate-limited in daily monitoring; OSV Hapi remains the active replacement source.
- `haproxy` `HAProxy Security Advisories` -> replacements: `HAProxy Blog Feed` | reason: Legacy haproxy.org security page no longer yields stable scrape results for monitoring.
- `haproxy` `NVD HAProxy` -> replacements: `HAProxy Blog Feed` | reason: HAProxy Blog Feed is an active official RSS source, so NVD public search is no longer required.
- `jenkins` `Jenkins Security Advisories` -> replacements: `Jenkins Security Advisories RSS` | reason: Jenkins Security Advisories RSS is the official machine-readable replacement; keeping both active adds duplicate cold-start cost without added coverage.
- `jenkins` `NVD Jenkins` -> replacements: `Jenkins Security Advisories, Jenkins Security Advisories RSS` | reason: Jenkins Security Advisories RSS provides an official machine-readable feed, replacing NVD public search.
- `joomla` `NVD Joomla` -> replacements: `Joomla Security Centre, OSV Joomla` | reason: OSV Joomla CMS replaces NVD for machine-readable collection without public NVD throttling.
- `kibana` `Elastic Security Announcements` -> replacements: `Elastic Security Announcements RSS` | reason: Elastic Security Announcements RSS is the official machine-readable replacement; keeping both active adds duplicate cold-start cost without added coverage.
- `kibana` `NVD Kibana` -> replacements: `Elastic Security Announcements, Elastic Security Announcements RSS` | reason: Elastic Security Announcements RSS provides an official machine-readable feed, replacing NVD public search.
- `koa` `GitHub Global Advisories` -> replacements: `OSV Koa` | reason: Unauthenticated GHSA API requests are rate-limited in daily monitoring; OSV Koa remains the active replacement source.
- `laravel` `GitHub Global Advisories` -> replacements: `OSV Laravel` | reason: Unauthenticated GitHub advisory API is quota-limited; OSV Laravel remains the active machine-readable source.
- `magento-open-source` `NVD Magento` -> replacements: `Magento GitHub Advisories, OSV Magento Open Source` | reason: OSV Magento Open Source plus Magento GitHub advisories replace NVD public search for machine-readable collection.
- `mattermost` `Mattermost Security Updates` -> replacements: `NVD Mattermost` | reason: Mattermost security updates page returned repeated 403 responses from the collector path; NVD replacement remains active.
- `mattermost` `NVD Mattermost` -> replacements: `Mattermost Security Updates JSON, OSV Mattermost` | reason: Mattermost official JSON feed plus OSV Mattermost replace NVD for lower-latency machine-readable collection.
- `mediawiki` `MediaWiki Security Releases` -> replacements: `MediaWiki Announce RSS, NVD MediaWiki` | reason: MediaWiki security page is no longer reachable reliably from the collector path; NVD replacement remains active.
- `mediawiki` `NVD MediaWiki` -> replacements: `MediaWiki Announce RSS, OSV MediaWiki` | reason: MediaWiki announce RSS plus OSV MediaWiki now replace NVD for lower-latency machine-readable collection.
- `medusa` `GitHub Medusa Advisories` -> replacements: `OSV Medusa` | reason: OSV Medusa is the active official machine-readable replacement; keeping GitHub HTML advisories active adds duplicate cold-start cost.
- `moodle` `Moodle Security News` -> replacements: `NVD Moodle` | reason: Security page is reachable with a browser-style UA, but the current markup only exposes generic "Discuss this topic" anchors to the collector; NVD Moodle remains the active replacement source until a richer parser is added.
- `moodle` `NVD Moodle` -> replacements: `OSV Moodle` | reason: OSV Moodle replaces NVD for machine-readable collection while official Moodle sources remain for cross-checking.
- `nestjs` `GitHub Global Advisories` -> replacements: `OSV NestJS` | reason: Unauthenticated GHSA API requests are rate-limited in daily monitoring; OSV NestJS remains the active replacement source.
- `nestjs` `NVD NestJS` -> replacements: `OSV NestJS` | reason: OSV NestJS replaces NVD public search for lower-latency machine-readable collection.
- `nextjs` `GitHub Global Advisories` -> replacements: `GitHub Next.js Advisories, OSV Next.js` | reason: Unauthenticated GHSA API requests are rate-limited in daily monitoring; GitHub Next.js Advisories and OSV Next.js remain active replacements.
- `nextjs` `GitHub Next.js Advisories` -> replacements: `OSV Next.js` | reason: OSV Next.js is the active official machine-readable replacement; keeping GitHub HTML advisories active adds duplicate cold-start cost.
- `nginx` `NVD NGINX` -> replacements: `NGINX Security Advisories, CISA KEV NGINX` | reason: Official NGINX advisories page and CISA KEV together provide the needed daily signal without NVD public-search latency.
- `nuxt` `GitHub Global Advisories` -> replacements: `Nuxt Security, OSV Nuxt` | reason: Unauthenticated GHSA API requests are rate-limited in daily monitoring; Nuxt Security and OSV Nuxt remain active replacements.
- `nuxt` `Nuxt Security` -> replacements: `OSV Nuxt` | reason: OSV Nuxt is the active official machine-readable replacement; keeping GitHub HTML advisories active adds duplicate cold-start cost.
- `opencart` `NVD OpenCart` -> replacements: `OpenCart Releases, OSV OpenCart` | reason: OSV OpenCart replaces NVD for machine-readable collection while official release source remains active.
- `openmage` `NVD OpenMage` -> replacements: `OpenMage GitHub Advisories, OSV OpenMage` | reason: OSV OpenMage replaces NVD for machine-readable composer-aligned collection.
- `phpmyadmin` `NVD phpMyAdmin` -> replacements: `phpMyAdmin Security Page, OSV phpMyAdmin` | reason: OSV phpMyAdmin replaces NVD for machine-readable collection while the official security page remains active.
- `prestashop` `NVD PrestaShop` -> replacements: `PrestaShop Security Page, GitHub PrestaShop Advisories, OSV PrestaShop` | reason: OSV PrestaShop replaces NVD for machine-readable collection while official and ecosystem advisories remain active.
- `rails` `GitHub Global Advisories` -> replacements: `OSV Rails` | reason: Unauthenticated GitHub advisory API is quota-limited; OSV Rails remains the active machine-readable source.
- `rails` `NVD Ruby on Rails` -> replacements: `OSV Rails` | reason: OSV Rails replaces NVD public search for lower-latency machine-readable collection.
- `react` `GitHub Global Advisories` -> replacements: `GitHub React Advisories, OSV React` | reason: Unauthenticated GHSA API requests are rate-limited in daily monitoring; GitHub React Advisories and OSV React remain active replacements.
- `react` `GitHub React Advisories` -> replacements: `OSV React` | reason: OSV React is the active official machine-readable replacement; keeping GitHub HTML advisories active adds duplicate cold-start cost.
- `redmine` `NVD Redmine` -> replacements: `Redmine Security Advisories` | reason: Official Redmine advisories page remains active and NVD public search is retired to reduce cold-start latency.
- `saleor` `NVD Saleor` -> replacements: `GitHub Saleor Advisories, OSV Saleor` | reason: OSV Saleor replaces NVD for machine-readable collection and aligns with the published PyPI package.
- `shopware` `NVD Shopware` -> replacements: `Shopware Security Advisories, OSV Shopware` | reason: OSV Shopware replaces NVD for machine-readable collection with lower cold-start overhead.
- `spring-boot` `GitHub Global Advisories` -> replacements: `Spring Security Advisories, OSV Spring Boot` | reason: Unauthenticated GitHub advisory API is quota-limited; Spring official page and OSV remain the active replacements.
- `spring-framework` `GitHub Global Advisories` -> replacements: `Spring Security Advisories, OSV Spring Framework` | reason: Unauthenticated GHSA API requests are rate-limited in daily monitoring; Spring official page and OSV remain the active replacements.
- `spring-security` `GitHub Global Advisories` -> replacements: `Spring Security Advisories, OSV Spring Security` | reason: Unauthenticated GitHub advisory API is quota-limited; Spring official page and OSV remain the active replacements.
- `sveltekit` `GitHub Global Advisories` -> replacements: `OSV SvelteKit` | reason: Unauthenticated GHSA API requests are rate-limited in daily monitoring; OSV SvelteKit remains the active replacement source.
- `symfony` `GitHub Global Advisories` -> replacements: `OSV Symfony` | reason: Unauthenticated GitHub advisory API is quota-limited; OSV Symfony remains the active machine-readable source.
- `traefik` `GitHub Traefik Advisories` -> replacements: `OSV Traefik` | reason: OSV Traefik is the active official machine-readable replacement; keeping GitHub HTML advisories active adds duplicate cold-start cost.
- `undici` `GitHub Global Advisories` -> replacements: `OSV Undici` | reason: Unauthenticated GHSA API requests are rate-limited in daily monitoring; OSV Undici remains the active replacement source.
- `undici` `NVD Undici` -> replacements: `OSV Undici` | reason: OSV Undici replaces NVD public search for lower-latency machine-readable collection.
- `vite` `GitHub Global Advisories` -> replacements: `Vite Security, OSV Vite` | reason: Unauthenticated GHSA API requests are rate-limited in daily monitoring; Vite Security and OSV Vite remain active replacements.
- `vite` `Vite Security` -> replacements: `OSV Vite` | reason: OSV Vite is the active official machine-readable replacement; keeping GitHub HTML advisories active adds duplicate cold-start cost.
- `vue` `GitHub Global Advisories` -> replacements: `Vue Security, OSV Vue` | reason: Unauthenticated GHSA API requests are rate-limited in daily monitoring; Vue Security and OSV Vue remain active replacements.
- `vue` `Vue Security` -> replacements: `OSV Vue` | reason: OSV Vue is the active official machine-readable replacement; keeping GitHub HTML advisories active adds duplicate cold-start cost.
- `webpack` `GitHub Global Advisories` -> replacements: `OSV webpack` | reason: Unauthenticated GHSA API requests are rate-limited in daily monitoring; OSV webpack remains the active replacement source.
- `webpack` `NVD webpack` -> replacements: `OSV webpack` | reason: OSV webpack replaces NVD public search for lower-latency machine-readable collection.
- `werkzeug` `GitHub Global Advisories` -> replacements: `OSV Werkzeug` | reason: Unauthenticated GitHub advisory API is quota-limited; OSV Werkzeug remains the active machine-readable source.
- `woocommerce` `NVD WooCommerce` -> replacements: `Woo Developer Advisories, GitHub WooCommerce Advisories, OSV WooCommerce` | reason: OSV WooCommerce replaces NVD for machine-readable collection while official and ecosystem advisory pages remain active.
- `wordpress` `NVD WordPress` -> replacements: `WordPress Security News RSS, Wordfence Vulnerability Database, WPScan Vulnerability Database` | reason: WordPress official RSS plus ecosystem plugin intelligence cover active collection with lower cold-start latency and lower public-search dependence than NVD.