Why Is There No Free Software Vulnerability Database? This was the provocative question we were asking two years ago when first introducing the VulnerableCode FOSS project.
The situation has evolved positively since then — in particular thanks to the creation of the Open Source Security Foundation and the Open Source Vulnerability (OSV) project and schema.
Yet the question is still relevant as there is still no comprehensive aggregated vulnerabilities database that would cover most system and application package ecosystems. There are also continuous looming concerns about the licensing of vulnerability feeds and how to best share and curate vulnerability data.
In this video, Hritik and Tushar will present the state of the open vulnerability databases and how new designs and models that are not centered on vulnerabilities can help software and security professionals assert faster, more efficiently and with less noise if their FOSS software packages are subject to vulnerabilities.
They will also review some new and innovative techniques deployed in VulnerableCode to mine more effectively open source vulnerabilities including “time travel”, “log mining” or “range expansion” to produce better focused vulnerability information.
Video
Slides
Ready to get started with VulnerableCode?
- Download VulnerableCode
- Learn more about VulnerableCode at nexb.com/vulnerablecode
