Comprehensive databases of known vulnerabilities in FOSS software are mostly proprietary and privately maintained. Yet this information should be open data: it is, after all, about FOSS code.
“Using Components with Known Vulnerabilities” is one of the OWASP Top 10 Most Critical Web Application Security Risks. Identifying such vulnerable components is hindered by data structures and tools that are (1) designed primarily around proprietary software products rather than FOSS packages and (2) incomplete, relying too heavily on voluntary submissions to the National Vulnerability Database. With the explosion of FOSS usage over the last decade, we need a new approach to identifying FOSS security vulnerabilities efficiently, based on open data and FOSS tools.
With VulnerableCode, we are building FOSS tools that aggregate, correlate, and curate software component vulnerability data from multiple sources and automate the search for security vulnerabilities in FOSS components.
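To make the aggregate/correlate/curate idea concrete, here is an added example (not VulnerableCode's own code) that merges two constructed feeds keyed in different ways, an NVD-style record naming a vendor/product and an ecosystem advisory naming a package, into one record per vulnerability keyed by Package URL (purl), then answers "is this package version affected?". The feed shapes, the `PRODUCT_TO_PURL` mapping, the CVE-like identifier and the package names are all constructed for illustration.

```python
"""Aggregate and correlate vulnerability data from two differently keyed
sources, then query by Package URL (purl).

Added example, not VulnerableCode's own code. All feed formats,
identifiers and package names below are constructed.
"""
from dataclasses import dataclass, field

# Constructed records in the shape of an NVD-style feed: products are named
# by vendor/product strings (CPE-like), not by package ecosystem coordinates.
NVD_LIKE = [
    {"cve": "CVE-0000-1111", "vendor": "example", "product": "widgetlib",
     "version_end_excluding": "2.4.1"},
]

# Constructed records in the shape of a package-ecosystem advisory feed,
# keyed by ecosystem and package name, with an advisory id and CVE aliases.
ECOSYSTEM_LIKE = [
    {"id": "EXAMPLE-ADV-1", "aliases": ["CVE-0000-1111"], "ecosystem": "pypi",
     "package": "widgetlib", "fixed": "2.4.1"},
    {"id": "EXAMPLE-ADV-2", "aliases": [], "ecosystem": "pypi",
     "package": "gadgetlib", "fixed": "0.9"},
]

# Hypothetical mapping from vendor/product names to purls. In practice this
# curated mapping is the hard part of correlating CPE-style data with FOSS.
PRODUCT_TO_PURL = {("example", "widgetlib"): "pkg:pypi/widgetlib"}


@dataclass
class Vulnerability:
    vuln_id: str
    aliases: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    # purl -> first fixed version (versions below it are affected)
    fixed_versions: dict = field(default_factory=dict)


def parse_version(v):
    """Dotted numeric version -> tuple for ordering (constructed data only)."""
    return tuple(int(p) for p in v.split("."))


def canonical_id(aliases):
    """Use a CVE id as the correlation key when present, else the first alias."""
    for a in aliases:
        if a.startswith("CVE-"):
            return a
    return sorted(aliases)[0]


def aggregate(nvd_records, eco_records):
    """Merge both feeds into one Vulnerability per canonical id."""
    vulns = {}

    def get(vid):
        return vulns.setdefault(vid, Vulnerability(vuln_id=vid))

    for r in nvd_records:
        purl = PRODUCT_TO_PURL.get((r["vendor"], r["product"]))
        if purl is None:
            continue  # unmapped product: cannot be correlated to a package
        v = get(r["cve"])
        v.aliases.add(r["cve"])
        v.sources.add("nvd-like")
        v.fixed_versions[purl] = r["version_end_excluding"]

    for r in eco_records:
        ids = set(r["aliases"]) | {r["id"]}
        v = get(canonical_id(ids))
        v.aliases |= ids
        v.sources.add("ecosystem-like")
        purl = f"pkg:{r['ecosystem']}/{r['package']}"
        # Curation rule: if sources disagree, keep the earliest fix version.
        prev = v.fixed_versions.get(purl)
        if prev is None or parse_version(r["fixed"]) < parse_version(prev):
            v.fixed_versions[purl] = r["fixed"]
    return vulns


def find_vulnerabilities(vulns, purl_with_version):
    """Return ids of vulnerabilities affecting e.g. 'pkg:pypi/widgetlib@2.3.0'."""
    purl, _, version = purl_with_version.partition("@")
    hits = []
    for v in vulns.values():
        fixed = v.fixed_versions.get(purl)
        if fixed is not None and parse_version(version) < parse_version(fixed):
            hits.append(v.vuln_id)
    return sorted(hits)


if __name__ == "__main__":
    db = aggregate(NVD_LIKE, ECOSYSTEM_LIKE)
    print(find_vulnerabilities(db, "pkg:pypi/widgetlib@2.3.0"))
```

The point of the example is where the effort goes: the vendor/product record cannot be matched to a package at all without the curated `PRODUCT_TO_PURL` table, while the ecosystem advisory already names the package directly, which is why keying the merged data on purls rather than on product names is what makes the query step trivial.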
The benefit: improved security of software applications with open tools and data for everyone.