VulnerableCode v31 expands vulnerability coverage

We’ve shipped VulnerableCode v31 with many improvements to help you find FOSS vulnerabilities and improve overall FOSS security:

VulnTotal: Expanding the vulnerability coverage of VulnerableCode

Inspired by the VirusTotal multi-scanner virus scanning service, VulnTotal cross-validates the vulnerability coverage of VulnerableCode against other publicly available vulnerability checking tools and databases (#1009). For instance, a package may be reported as vulnerable by one tool or database but not by another. We can gradually work with these tool providers to keep each other apprised about newly discovered vulnerabilities, making FOSS more secure.

Special thanks to Keshav Priyadarshi for working on VulnTotal during GSOC 2022!

Improved support for calculating CVSS

Common Vulnerability Scoring System (CVSS) is a well-recognized and widely-used industry standard to rate the severity of software vulnerabilities. In VulnerableCode v31, we changed how we calculate and store CVSS scores from the given CVSS vector (#747).

More data sources added

VulnerableCode v30 included several updates to enhance the aggregation, correlation, and curation of software component vulnerability data from multiple sources. v31 continues this work by adding more data sources including GitHub (#804), GitLab (#883) and OSS-Index (#829).

Changelog

For more information on all of the updates in VulnerableCode v31, please see the changelog on GitHub.

Run VulnerableCode

VulnerableCode is publicly available, as a free and open database of open source software package vulnerabilities. VulnerableCode.io provides a comprehensive UI, a REST API and a database for the VulnerableCode project. Visit public.vulnerablecode.io for direct UI access.

If you want to create your own VulnerableCode database, read the docs on how to install VulnerableCode locally. We recommend running VulnerableCode with Docker to guarantee the availability of all features with the minimum configuration required, but you can also install VulnerableCode locally as a development server with some limitations.

Want to learn more? Watch this video with nexB co-founder and CTO Philippe Ombredanne explaining VulnerableCode along with a technical deep dive.

Share on LinkedIn
Share on Twitter
Share via Email
Share on Reddit

Related posts

Ensuring software license compliance can be difficult.

We can help.

Ready to start scanning your code?

Need to automate FOSS compliance?