FOSS Vulnerabilities

Find FOSS vulnerabilities,
improve FOSS security.

VulnerableCode is a FOSS tool to automate search for FOSS security vulnerabilities.

By collecting and parsing data from many sources, identifying packages using a standardized package-url, and accessing the data through a REST API, VulnerableCode addresses key security concerns for using FOSS code in modern applications.

VulnerableCode is a free and open database of FOSS package vulnerabilities.

With VulnerableCode, we are building FOSS tools to aggregate, correlate, and curate software component vulnerability data from multiple sources and automate the search for FOSS component security vulnerabilities.

Databases of known FOSS software vulnerabilities are mostly proprietary and privately maintained, so identifying vulnerable components is hindered by data structures and tools that are:

  • Designed for proprietary software components,
  • Not comprehensive, and
  • Dependent on voluntary submissions to the National Vulnerability Database.

The explosion of FOSS usage across industries requires a new approach to efficiently identify FOSS security vulnerabilities, based on open data and FOSS tools.

The benefit: improved security of software applications with open tools and data for everyone.

Aggregate vulnerability data across data sources


See detailed information on vulnerability data with
reference IDs and URLs

Includes security advisories published by Linux and BSD distributions, application software package managers and package repositories, FOSS projects, GitHub and more

Focused on specific ecosystems, but aggregated in a single database to query a richer graph of relations between multiple versions of a package

Specificity increases the accuracy and validity of the data, as the same version of an upstream package across different ecosystems may or may not be vulnerable to the same vulnerability

Supports decentralized data re-creation, using tools that can detect and report FOSS packages using a package-url

Organize data with a standardized package identifier

Use a package-url (purl) to reliably identify, locate, and provision software packages across different tools, programming languages, package managers, packaging conventions, APIs, and databases

Replaces the complexity of differing conventions and protocols for each individual package manager, platform, type, and ecosystem with a universal and uniform approach

Adopted by OWASP, ORT, CycloneDX, SPDX, ScanCode and more (and under consideration by the US NTIA as CPE replacement)
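To make the purl idea concrete, here is an added example written for this page (it is not VulnerableCode's own code; the project itself relies on the packageurl-python library). It parses the `pkg:type/namespace/name@version?qualifiers#subpath` form, rebuilds the canonical string, and then looks a package up in a small constructed vulnerability index. The index, the `example-lib` package and the `VULN-EXAMPLE-1` advisory id are all made up for the illustration; the point it shows is the one made above, that affected versions must be tracked per ecosystem, because the same upstream version can be vulnerable on PyPI while a distribution package of that version already carries a backported fix.

```python
"""A minimal package-url (purl) parser plus a lookup against a constructed
vulnerability index.  Written for this page as an illustration; it is not
VulnerableCode's own code (the project parses purls with packageurl-python)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
from urllib.parse import quote, unquote


@dataclass
class PackageURL:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None

    def package_key(self) -> Tuple[str, Optional[str], str]:
        """Version-independent key: which package, in which ecosystem."""
        return (self.type, self.namespace, self.name)

    def __str__(self) -> str:
        """Rebuild the canonical purl string, percent-encoding each segment."""
        out = "pkg:" + self.type
        if self.namespace:
            out += "/" + "/".join(quote(seg, safe="") for seg in self.namespace.split("/"))
        out += "/" + quote(self.name, safe="")
        if self.version:
            out += "@" + quote(self.version, safe="")
        if self.qualifiers:
            out += "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(self.qualifiers.items()))
        if self.subpath:
            out += "#" + self.subpath
        return out


def _normalize_name(ptype: str, name: str) -> str:
    # Type-specific rule from the purl spec applied here: PyPI names are
    # case-insensitive and treat '_' and '-' alike.  Other types pass through.
    if ptype == "pypi":
        return name.lower().replace("_", "-")
    return name


def parse_purl(purl: str) -> PackageURL:
    """Parse pkg:type/namespace/name@version?qualifiers#subpath into components."""
    scheme, sep, rest = purl.strip().partition(":")
    if not sep or scheme.lower() != "pkg":
        raise ValueError(f"not a package-url: {purl!r}")
    rest = rest.lstrip("/")
    # Peel components off from the right so that '#', '?' and '@' inside
    # earlier components are not mistaken for delimiters.
    rest, _, subpath = rest.partition("#")
    rest, _, qualifier_str = rest.partition("?")
    version: Optional[str] = None
    slash = rest.rfind("/")
    at = rest.find("@", slash + 1)  # the version delimiter is the '@' after the name
    if at != -1:
        version = unquote(rest[at + 1:]) or None
        rest = rest[:at]
    parts = [p for p in rest.split("/") if p]
    if len(parts) < 2:
        raise ValueError(f"purl needs at least a type and a name: {purl!r}")
    ptype = parts[0].lower()
    name = _normalize_name(ptype, unquote(parts[-1]))
    namespace = "/".join(unquote(p) for p in parts[1:-1]) or None
    qualifiers: Dict[str, str] = {}
    for pair in filter(None, qualifier_str.split("&")):
        key, _, value = pair.partition("=")
        if value:  # the spec drops qualifiers with an empty value
            qualifiers[key.lower()] = unquote(value)
    clean_subpath = "/".join(seg for seg in subpath.split("/") if seg not in ("", ".", "..")) or None
    return PackageURL(ptype, namespace, name, version, qualifiers, clean_subpath)


# Constructed sample advisories with placeholder ids (not real vulnerabilities).
# Affected versions are recorded per ecosystem: the same upstream version can be
# vulnerable on PyPI yet fixed in a distribution package that backported the patch.
EXAMPLE_INDEX: Dict[Tuple[str, Optional[str], str], Dict[str, Set[str]]] = {
    ("pypi", None, "example-lib"): {"VULN-EXAMPLE-1": {"1.1.0", "1.2.0"}},
    ("deb", "debian", "example-lib"): {"VULN-EXAMPLE-1": {"1.1.0-1"}},  # 1.2.0-3 carries the fix
}


def find_vulnerabilities(index, purl: str):
    """Return the advisory ids whose affected-version set contains this purl's version."""
    p = parse_purl(purl)
    advisories = index.get(p.package_key(), {})
    return sorted(vid for vid, affected in advisories.items() if p.version in affected)


if __name__ == "__main__":
    for purl in ("pkg:pypi/Example_Lib@1.2.0", "pkg:deb/debian/example-lib@1.2.0-3"):
        print(purl, "->", find_vulnerabilities(EXAMPLE_INDEX, purl))
```

Run it directly and the two lookups print the contrast from the text: the PyPI purl matches the constructed advisory while the Debian purl for the same upstream version does not. Only the PyPI name-normalization rule from the spec is applied here; a full implementation carries similar per-type rules for other ecosystems.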

Automate identifying FOSS security vulnerabilities


Quickly identify packages
with known vulnerabilities

Leverage any tool that can detect and report FOSS packages using a package-url

  • ScanCode Toolkit scans package manifest files
  • DejaCode automatically checks all product packages for vulnerabilities
  • Other options include ORT, OWASP tools, and many more

Actively developing a prototype discovery of new correlations between vulnerabilities and software packages from mining the graph

AboutCode is a community that builds critical open source SCA tools, including VulnerableCode.

scancode-licensedb is a data repository of over 1700 licenses detected by ScanCode

package-url is the emerging standard for identifying software packages

container-inspector is a suite of analysis tools for Docker images, OCI images and Dockerfiles

license_expression is a utility to parse, normalize and compare license expressions (SPDX)

Automate vulnerability reporting, and ensure license compliance
with DejaCode.

The fastest way to see VulnerableCode in action is to sign up for a free DejaCode account. DejaCode is the complete enterprise-level open source license compliance application, powered by ScanCode:

Run scans and track all the open source and third-party products and components used in your software.

Define usage policies at the license or component level, and integrate into ScanCode to ensure compliance.

Capture software inventories (SBOMs), generate compliance artifacts, and keep historical data.

Manage organizational complexity with enterprise-grade features and integrations for DevOps and software systems.