We’ve shipped VulnerableCode v31 with many improvements to help you find FOSS vulnerabilities and improve overall FOSS security:
VulnTotal: Expanding the vulnerability coverage of VulnerableCode
Inspired by the VirusTotal multi-scanner virus scanning service, VulnTotal cross-validates the vulnerability coverage of VulnerableCode against other publicly available vulnerability checking tools and databases (#1009). For instance, a package may be reported as vulnerable by one tool or database but not by another. We can gradually work with these tool providers to keep each other apprised about newly discovered vulnerabilities, making FOSS more secure.
Special thanks to Keshav Priyadarshi for working on VulnTotal during GSOC 2022!
Improved support for calculating CVSS
Common Vulnerability Scoring System (CVSS) is a well-recognized and widely-used industry standard to rate the severity of software vulnerabilities. In VulnerableCode v31, we changed how we calculate and store CVSS scores from the given CVSS vector (#747).
More data sources added
VulnerableCode v30 included several updates to enhance the aggregation, correlation, and curation of software component vulnerability data from multiple sources. v31 continues this work by adding more data sources including GitHub (#804), GitLab (#883) and OSS-Index (#829).
For more information on all of the updates in VulnerableCode v31, please see the changelog on GitHub.
VulnerableCode is publicly available, as a free and open database of open source software package vulnerabilities. VulnerableCode.io provides a comprehensive UI, a REST API and a database for the VulnerableCode project. Visit public.vulnerablecode.io for direct UI access.
If you want to create your own VulnerableCode database, read the docs on how to install VulnerableCode locally. We recommend running VulnerableCode with Docker to guarantee the availability of all features with the minimum configuration required, but you can also install VulnerableCode locally as a development server with some limitations.
Want to learn more? Watch this video with nexB co-founder and CTO Philippe Ombredanne explaining VulnerableCode along with a technical deep dive.