Reference · 6 min read

The Noxen CVE feed

A daily-rebuilt, Ed25519-signed vulnerability snapshot served at feed.noxen.app. The Mac app verifies the signature against a bundled public key before importing any record. Live counts and source breakdown at /cve/.

Sources

Build pipeline

Cloudflare Worker at feed.noxen.app. Daily cron at 04:00 UTC:

  1. Pull every record modified in the last 28 hours from each upstream source. The window is 4 hours longer than the daily cron period, so consecutive runs overlap and late-arriving updates are not missed.
  2. Dedupe by CVE ID across sources, keeping the most-detailed version (typically OSV for distro-specific records, NVD for upstream-only records).
  3. Build the CPE → CVE index used by the Mac app's matcher.
  4. Emit gzipped NDJSON (noxen-feed-YYYYMMDD.jsonl.gz) and a signed manifest.json.
  5. Upload both to R2 (Cloudflare's S3-equivalent) with public cache-control headers.

Manifest format

The manifest at feed.noxen.app/manifest.json is the authoritative pointer for clients:

{
  "schemaVersion": 1,
  "latest": "20260427",
  "url": "https://feed.noxen.app/noxen-feed-20260427.jsonl.gz",
  "size": 96948953,
  "sha256": "7bd16671ce1972ae46fce4e889bf6755e07161be96d53562be1b742414f1dccd",
  "builtAt": "2026-04-27T04:17:23.699Z",
  "sourceStats": { "nvd": 690481, "osv": 2144945 },
  "recordCount": 2823430,
  "shards": {
    "debian":    { "url": "...", "size": ..., "sha256": "...", "recordCount": ... },
    "ubuntu":    { ... },
    "rocky linux": { ... },
    "almalinux": { ... }
  },
  "signature": "base64 Ed25519 over the canonicalised body"
}

shards is optional and additive — a future client that knows it only manages Debian hosts can fetch the smaller shards.debian.url instead of the full feed and skip ~50 MB. The current Noxen client downloads the full snapshot.

Signing

Ed25519 over the canonicalised JSON body of the manifest: the signature field is removed, keys are sorted alphabetically at every nesting level, and the result is serialised with no whitespace. A client must re-serialise the manifest the same way before verifying, since the check is over these canonical bytes rather than the bytes as served. The bundled public key (base64 of the raw 32-byte key) is:

6GP2QJveFk90XWEdWn86AXY5h7CjnrV1LnfhjdlCgO8=

The Mac app verifies via Apple's CryptoKit (Curve25519.Signing.PublicKey.isValidSignature) before importing any record. A signature mismatch shows the banner "CVE feed update failed — Manifest signature did not match the bundled public key" and the snapshot is not loaded.

Snapshot format

Gzipped NDJSON. One record per line, LF-delimited:

{"cveId":"CVE-2024-6387","cvssV3Score":8.1,"severity":"high","summary":"...","cpe":"cpe:2.3:a:openbsd:openssh:9.2p1...","ecosystem":"Ubuntu:24.04","ecosystemPackage":"openssh-server","ecosystemFixedVersion":"1:9.6p1-3ubuntu13.3"}
{"cveId":"CVE-2024-3094","cvssV3Score":10.0,"severity":"critical","summary":"...","cpe":"cpe:2.3:a:tukaani:xz:5.6.0...","ecosystem":"Debian:12","ecosystemPackage":"xz-utils","ecosystemFixedVersion":"5.6.2-1"}

Why NDJSON rather than shipping SQLite: the file can be parsed as a stream, there is no schema migration to manage on client upgrade, and the matcher imports it into a local SQLite snapshot (cves-latest.sqlite), built client-side with GRDB, for fast indexed lookups.

Cadence

Tier                           Update cadence
Free                           Snapshot bundled with the app; refreshed per release.
Noxen 1.x (one-time license)   Snapshot updates per Sparkle app release, typically every 2–4 weeks.
Maintenance (year 2+)          Same as 1.x: snapshot per release.
Live Feed (subscription)       Daily; fetched once per UTC day, cached for 5 minutes at the edge.
MSP / Team                     Daily; same as Live Feed.

Live dashboard

/cve/ shows the live total record count, build timestamp, source breakdown, snapshot size, and the most-recent critical / high CVEs in the feed. Per-distro dashboards: Ubuntu 24.04, Debian 12, Rocky 9 (incl. AlmaLinux).

Verifying outside the app

For programmatic consumers (security research, mirroring, experiments), the feed is downloadable from feed.noxen.app directly. Verify the signature with any Ed25519 library, using the public key above, the canonicalised manifest without its signature field, and the base64-decoded signature; then check the downloaded snapshot's size and sha256 against the verified manifest before parsing a single record. Commercial mirroring requires permission; non-commercial and research use is fine.