rename cvemap to vulnx

[dogancanbakir]

Fixes #426

---

Note

Major rebrand and namespace migration from cvemap to vulnx.

• Renames binary and entrypoint to cmd/vulnx/; removes cmd/cvemap/
• Updates module path to github.com/projectdiscovery/vulnx and all imports/types (cvemap → vulnx)
• Adjusts service/client packages, MCP tools/handlers, and env vars (CVEMAP_API_URL → VULNX_API_URL)
• Refreshes CI: build/test paths, race test command, integration tests, and Docker build/push (now Dockerfile.vulnx → projectdiscovery/vulnx)
• Updates GoReleaser, Makefile, .gitignore, and Dockerfile to build/publish vulnx
• Revises README/USAGE/DEVELOPMENT and issue templates to reflect vulnx branding and commands

^{Written by Cursor Bugbot for commit 377bf2f. This will update automatically on new commits. Configure here.}

Summary by CodeRabbit

• New Features

  • Project rebranded from CVEMap to Vulnx
  • CLI tool renamed to vulnx command (previously cvemap)
  • Updated installation and usage documentation

• Chores

  • Updated project module path and all internal references
  • Synchronized Docker configuration and build artifacts with new branding

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

The pull request systematically renames the project from CVEMap (cvemap) to vulnx across the entire codebase. This includes updating package declarations, import paths, module references, command entry points, CLI implementations, type definitions, and documentation to consistently reference the new project name.

Changes

Cohort / File(s)	Summary
Configuration & Documentation .cursorrules, .github/ISSUE_TEMPLATE/*, README.md, DEVELOPMENT.md, USAGE.md	Updated project name, repository references, and discussion URLs from cvemap to vulnx; migration notice removed
Build Configuration Dockerfile, Makefile, .gitignore, go.mod	Updated binary references, docker entrypoint, build targets, and module path from cvemap to vulnx
CLI Entry Points cmd/cvemap/main.go, cmd/vulnx/main.go	Removed old cvemap entry point; updated vulnx entry point import paths
CLI Commands cmd/vulnx/clis/* (10+ files: analyze, auth, common, filters, healthcheck, id, search, version, etc.)	Consistent renaming of client variables, imports, type references, and error handling from cvemap to vulnx across all command implementations
Integration Tests cmd/integration-test/main.go, cmd/integration-test/run.sh, cmd/integration-test/server.go	Replaced cvemap test utilities with vulnx equivalents; updated environment variables and import paths; removed legacy cvemap test binary build
Core Utilities pkg/runner/*, pkg/service/vulnx.go, pkg/testutils/util.go	Updated imports, client references, and function signatures; renamed RunCvemapBinaryAndGetResults to RunVulnxBinaryAndGetResults
Tool Packages pkg/tools/*/ (analyze, filters, id, renderer, search, templates, tools.go, agentvulnx)	Updated public type signatures and method parameters from cvemap client/types to vulnx equivalents across all tool handlers and utilities
Package Root types.go	Updated package declaration from cvemap to vulnx

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

---

🐰 A Whisker'd Hop Through Change

From maps of CVEs to vulnx we sprint,
A name rebrand with systematic lint,
Through fifty files with patient care,
Import paths updated everywhere.
The project blooms with fresh new name,
Same keen purpose, different fame! 🎉

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Linked Issues check	⚠️ Warning	The PR addresses the core concern in issue #426 by completing the cvemap-to-vulnx rename throughout the codebase. However, it does not implement the fallback mechanism requested to handle the missing projectdiscovery/vulnx GitHub repository.	Implement a fallback update mechanism in the version check logic to gracefully handle 404 errors from the projectdiscovery/vulnx repository and fall back to projectdiscovery/cvemap for release information.
Docstring Coverage	⚠️ Warning	Docstring coverage is 65.91% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'rename cvemap to vulnx' is concise, specific, and accurately describes the main objective of the PR - a repository-wide rename from CVEMap to vulnx.
Out of Scope Changes check	✅ Passed	The PR scope is well-contained within the rename objective. All changes consistently rename cvemap to vulnx across documentation, code, configuration, and CI/CD files without introducing unrelated functional changes.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (7)

pkg/service/vulnx.go (1)

20-28: Incomplete rename: Cvemap struct and CVEMAP_API_URL environment variable not updated to align with file and package rename.

The file has been renamed to vulnx.go and the import path updated, but several identifiers still use the old naming throughout the codebase:

1. CVEMAP_API_URL environment variable (line 21) — inconsistent with new naming scheme
2. Cvemap struct (line 25) — file named vulnx.go but exports Cvemap type
3. NewCvemap constructor (line 41) — creates API inconsistency

This creates confusion where users import from vulnx/pkg/service but use service.Cvemap and service.NewCvemap. The struct is actively used across the codebase (runner.go, testutils), so updates need to be coordinated.

🔧 Suggested fix for consistency

 var (
-	BaseUrl         = env.GetEnvOrDefault("CVEMAP_API_URL", "https://cve.projectdiscovery.io/api/v1")
+	BaseUrl         = env.GetEnvOrDefault("VULNX_API_URL", "https://cve.projectdiscovery.io/api/v1")
 	ErrUnAuthorized = errorutil.New(`unauthorized: 401 (get your free api key from https://cloud.projectdiscovery.io)`)
 )

-type Cvemap struct {
+type Vulnx struct {
 	opts   *Options
 	client *retryablehttp.Client
 }

Update constructor and all method receivers, then update usages in pkg/runner/runner.go (lines 225, 242, 248, 284, 291, 293) and pkg/testutils/util.go.

DEVELOPMENT.md (1)

16-17: Stale reference to removed build-vulnx target.

The documentation references make build-vulnx, but according to the Makefile changes, the build-vulnx target has been removed. Only the build target remains, which now builds the vulnx binary directly.

Proposed fix

-# Build vulnx binary
-make build-vulnx
+# Run tests
+make test

Alternatively, remove this redundant section since make build already builds vulnx.

Makefile (1)

70-70: .PHONY references non-existent build-vulnx target.

The build-vulnx target is listed in .PHONY but doesn't exist in the Makefile. Either remove it from .PHONY or add the target.

Proposed fix

-.PHONY: all build build-vulnx integration tidy fmt vet test lint pre-push pre-commit git-hooks fix-deps
+.PHONY: all build integration tidy fmt vet test lint pre-push pre-commit git-hooks fix-deps

cmd/integration-test/server.go (1)

26-30: Rename the server banner to “vulnx”.
The log message still references “Cvemap”, which is inconsistent with the repo rename.

✏️ Proposed update

-		fmt.Println("Cvemap test server listening on 8080...")
+		fmt.Println("vulnx test server listening on 8080...")

pkg/tools/analyze/groupby.go (1)

116-127: Avoid bypassing facet-size caps in MCPHandler.
MCPHandler converts field=size to field:size before Analyze runs. Analyze only parses =, so per-field size caps are skipped for MCP calls, defeating the 200-limit guard.

🛡️ Proposed fix (let Analyze cap & normalize)

-		// fix request fields format
-		for i, f := range fields {
-			if strings.Contains(f, "=") {
-				fields[i] = strings.ReplaceAll(f, "=", ":")
-			}
-		}
+		// Keep raw field expressions; Analyze will cap sizes and normalize.

cmd/vulnx/clis/common.go (2)

517-525: Inconsistent error handling: string comparison instead of errors.Is.

Lines 519-522 use err.Error() == "not found" for error checking, while cmd/vulnx/clis/id.go (lines 132, 206) correctly uses errors.Is(err, vulnx.ErrNotFound). This inconsistency could cause issues if the error message format changes.

Suggested fix

 		vuln, err := handler.Get(vulnID)
 		if err != nil {
-			if err.Error() == "not found" {
+			if errors.Is(err, vulnx.ErrNotFound) {
 				gologger.Warning().Msgf("Vulnerability not found: %s", vulnID)
 				continue
 			}

---

588-596: Same inconsistent error handling pattern.

This is another occurrence of err.Error() == "not found" that should use errors.Is(err, vulnx.ErrNotFound) for consistency.

Suggested fix

 		vuln, err := handler.Get(vulnID)
 		if err != nil {
-			if err.Error() == "not found" {
+			if errors.Is(err, vulnx.ErrNotFound) {
 				gologger.Warning().Msgf("Vulnerability not found: %s", vulnID)
 				continue
 			}

🤖 Fix all issues with AI agents

In @.gitignore:
- Around line 23-27: The .gitignore contains a duplicate entry for
/cmd/vulnx/vulnx; remove the redundant line so the path appears only once
(locate the repeated '/cmd/vulnx/vulnx' entries and delete the extra
occurrence).

In `@pkg/testutils/util.go`:
- Around line 12-13: The doc comment above RunVulnxBinaryAndGetResults is stale
and references RunCvemapßBinaryAndGetResults; update the comment to correctly
reference the current function name RunVulnxBinaryAndGetResults (and fix any
stray characters like ß) so the comment describes the function signature and
behavior accurately.

In `@README.md`:
- Around line 5-7: The badge images in README.md lack alt text which hurts
accessibility; update each <img> tag (e.g., the badges with src
"https://goreportcard.com/badge/github.com/projectdiscovery/vulnx",
"https://img.shields.io/badge/go-reference-blue", and
"https://img.shields.io/github/release/projectdiscovery/vulnx") to include
meaningful alt attributes (e.g., alt="Go Report Card: projectdiscovery/vulnx",
alt="Go reference documentation", alt="vulnx GitHub release") so screen readers
can convey the badge purpose.

🧹 Nitpick comments (9)

pkg/tools/tools.go (1)

34-36: Optional cleanup: remove commented-out stub to avoid drift.
If AllMCPPrompts isn’t used, consider deleting the commented block.

🧹 Proposed cleanup

-// // AllMCPPrompts returns all prompt templates for ProjectDiscovery vulnerability.sh (vulnx) MCP integration.
-// func AllMCPPrompts(client *vulnx.Client) []templates.PromptTemplate {
-// 	return templates.AllPromptTemplates(client)
-// }

cmd/vulnx/clis/analyzehelp.go (1)

36-58: Table output should explicitly use os.Stdout.

Per coding guidelines, table rendering should use table.NewWriter() with output set to os.Stdout. Currently, tbl.Render() on Line 58 writes to the default writer which may not be os.Stdout.

♻️ Suggested fix

+import "os"
+
 			// Render table with only facet-capable fields
 			tbl := table.NewWriter()
+			tbl.SetOutputMirror(os.Stdout)
 			tbl.SetStyle(table.StyleRounded)

And change Line 58:

-			tbl.Render()
+			fmt.Println(tbl.Render())

Or use SetOutputMirror and call Render() without capturing return value.

Makefile (1)

15-16: Version injection is properly configured via GoReleaser for releases.

The Makefile's build target uses only -s -w ldflags for local builds. However, the .goreleaser.yml is correctly configured to inject version information via -X github.com/projectdiscovery/vulnx/cmd/vulnx/clis.Version={{.Version}} for release builds, matching the Version variable in cmd/vulnx/clis/version.go.

If you want version information in local builds, consider adding version ldflags to the Makefile's LDFLAGS variable (e.g., -X github.com/projectdiscovery/vulnx/cmd/vulnx/clis.Version=dev), but this is optional since release builds are properly handled.

cmd/integration-test/main.go (1)

57-65: Consider returning an error when tests fail.

The runIntegrationTests function always returns nil even when tests fail. This means the integration test process will exit with code 0 (success) even if tests fail.

♻️ Proposed fix

 func runIntegrationTests() error {
 	fmt.Println("Running Vulnx integration tests...")
+	var failedTests int
 	for testName, testcase := range testCases {
 		if err := testcase.Execute(); err != nil {
 			fmt.Fprintf(os.Stderr, "%s Vulnx Test \"%s\" failed: %s\n", failed, testName, err)
+			failedTests++
 		} else {
 			fmt.Printf("%s Vulnx Test \"%s\" passed!\n", success, testName)
 		}
 	}

+	if failedTests > 0 {
+		return fmt.Errorf("%d test(s) failed", failedTests)
+	}
 	return nil
 }

pkg/runner/runner.go (1)

223-226: Rename CvemapService to VulnxService for consistency with the vulnx branding effort.

The Runner struct and its methods currently use the old CvemapService name and service.Cvemap type, despite the service package file being renamed to vulnx.go. This inconsistency should be resolved by renaming:

• Field CvemapService → VulnxService (lines 225, 248)
• Type service.Cvemap → service.Vulnx (line 225)
• Constructor call service.NewCvemap() → service.NewVulnx() (line 242)
• All references throughout the file (lines 284, 291, 293)

This requires corresponding type and function renames in pkg/service/vulnx.go first.

pkg/tools/filters/filters.go (2)

28-31: Stale comment references "CVEMap API" instead of the new product name.

The comment on line 29 still says "CVEMap API" while the code has been renamed to vulnx. Consider updating to "vulnerability.sh API" or "vulnx API" for consistency with the rest of the rename.

Suggested fix

 // List retrieves the full list of vulnerability filter definitions from the
-// CVEMap API. It forwards the call to vulnx.Client.GetVulnerabilityFilters
+// vulnerability.sh API. It forwards the call to vulnx.Client.GetVulnerabilityFilters
 // using a background context.
 func (h *Handler) List() ([]vulnx.VulnerabilityFilter, error) {

---

43-54: Unused client parameter in MCPHandler.

The client *vulnx.Client parameter is never used inside the returned function—h.List() already uses the handler's internal h.client. This matches the pattern in other handlers (e.g., pkg/tools/id/id.go, pkg/tools/search/search.go) where the parameter appears to be part of a common interface signature but is unused when the handler already holds the client.

If this parameter is required by the MCPTool interface contract, consider adding a brief comment explaining why it exists but is unused. Otherwise, if the interface allows, remove it to avoid confusion.

cmd/vulnx/clis/id.go (1)

344-356: ID validation is minimal—consider adding CVE format validation.

The validateSingleID function only checks for empty strings and length bounds (3-50 characters). It doesn't validate the CVE format (e.g., CVE-YYYY-NNNN+). While the API will likely reject invalid IDs, client-side validation could provide faster feedback.

This is a pre-existing behavior, so not blocking for this rename PR.

cmd/vulnx/clis/common.go (1)

1034-1036: Self-referential comment is confusing.

The comment says "Format version status exactly like vulnx" but this code IS vulnx. This appears to be a remnant from when the code was comparing against another tool's format.

Suggested fix

-	// Format version status exactly like vulnx
+	// Format version status using standard ProjectDiscovery format
 	description := updateutils.GetVersionDescription(currentVersion, latestVersion)
 	gologger.Info().Msgf("Current vulnx version %s %s", currentVersion, description)

[cursor]

Cursor Bugbot has reviewed your changes and found 3 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

This PR is being reviewed by Cursor Bugbot

Details

Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.