VulnerableCode is a free and open database of open source software package vulnerabilities because open source software vulnerabilities data and tools should be free and open source themselves.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for aboutcode-publisher from gravatar.com aboutcode-publisher Avatar for pombredanne from gravatar.com pombredanne Avatar for TG99 from gravatar.com TG99

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: Apache-2.0 AND CC-BY-SA-4.0
  • Author: nexB. Inc. and others
  • Tags open source, vulnerability, security, cve, purl, packageurl, dependency, package, vulnerability-db, SBOM, sca
  • Requires: Python >=3.9
  • Provides-Extra: dev
Classifiers

Project description

Build Status Code License Data License Python 3.8+ stability-wip Gitter chat

VulnerableCode is a free and open database of open source software package vulnerabilities because open source software vulnerabilities data and tools should be free and open source themselves:

we are trying to change this and evolve the status quo in a few other areas!

  • Vulnerability databases have been traditionally proprietary even though they are mostly about free and open source software.

  • Vulnerability databases also often contain a lot of lesser value data which means a lot of false positive signals that require extensive expert reviews.

  • Vulnerability databases are also mostly about vulnerabilities first and software package second, making it difficult to find if and when a vulnerability applies to a piece of code. VulnerableCode focus is on software package first where a Package URL is a key and natural identifier for packages; this is making it easier to find a package and whether it is vulnerable.

Package URL themselves were designed first in ScanCode and VulnerableCode and are now a de-facto standard for vulnerability management and package references. See https://github.com/package-url/purl-spec

The VulnerableCode project is a FOSS community resource to help improve the security of the open source software ecosystem and its users at large.

VulnerableCode consists of a database and the tools to collect, refine and keep the database current.

Warning

VulnerableCode is under active development and is not yet fully usable.

Read more about VulnerableCode https://vulnerablecode.readthedocs.org/

VulnerableCode tech stack is Python, Django, PostgreSQL, nginx and Docker and several libraries.

Getting started

Run with Docker

First install docker, then run

git clone https://github.com/nexB/vulnerablecode.git && cd vulnerablecode
make envfile
docker compose build
docker compose up -d
docker compose run vulnerablecode ./manage.py import --list

Then run an importer for nginx advisories (which is small)

docker compose exec vulnerablecode ./manage.py import nginx_importer
docker compose exec vulnerablecode ./manage.py improve --all

At this point, the VulnerableCode app and API should be up and running with some data at http://localhost

Populate VulnerableCode database

VulnerableCode data collection works in two steps: importing data from multiple sources and then refining and improving how package and software vulnerabilities are related.

To run all importers and improvers use this

./manage.py import --all
./manage.py improve --all

Local development installation

On a Debian system, use this

sudo apt-get install  python3-venv python3-dev postgresql libpq-dev build-essential
git clone https://github.com/nexB/vulnerablecode.git && cd vulnerablecode
make dev envfile postgres
make test
source venv/bin/activate
./manage.py import nginx_importer
./manage.py improve --all
make run

At this point, the VulnerableCode app and API is up at http://127.0.0.1:8001/

License

Copyright (c) nexB Inc. and others. All rights reserved.

VulnerableCode is a trademark of nexB Inc.

SPDX-License-Identifier: Apache-2.0 AND CC-BY-SA-4.0

VulnerableCode software is licensed under the Apache License version 2.0.

VulnerableCode data is licensed collectively under CC-BY-SA-4.0.

See https://www.apache.org/licenses/LICENSE-2.0 for the license text.

See https://creativecommons.org/licenses/by-sa/4.0/legalcode for the license text.

See https://github.com/nexB/vulnerablecode for support or download.

See https://aboutcode.org for more information about nexB OSS projects.

Acknowledgements, Funding, Support and Sponsoring

This project is funded, supported and sponsored by:

  • Generous support and contributions from users like you!

  • the European Commission NGI programme

  • the NLnet Foundation

  • the Swiss State Secretariat for Education, Research and Innovation (SERI)

  • Google, including the Google Summer of Code and the Google Seasons of Doc programmes

  • Mercedes-Benz Group

  • Microsoft and Microsoft Azure

  • AboutCode ASBL

  • nexB Inc.

Europa logo EC DG Connect logo

NGI logo NLnet foundation logo

AboutCode logo nexB logo

This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission’s Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.

NGI Zero PET logo https://nlnet.nl/project/VulnerableCode/

This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission’s Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322.

NGI Discovery logo https://nlnet.nl/project/vulnerabilitydatabase/

This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission’s Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990.

NGI Zero Core Logo https://nlnet.nl/project/VulnerableCode-enhancements/

This project is funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission’s Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594.

NGI Zero Entrust logo https://nlnet.nl/project/FederatedSoftwareMetadata/

This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission’s Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI).

NGI Zero Commons Logo Swiss logo https://nlnet.nl/project/FederatedCodeNext/

This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission’s Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594.

NGI Zero Entrust logo https://nlnet.nl/project/CRAVEX/

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for aboutcode-publisher from gravatar.com aboutcode-publisher Avatar for pombredanne from gravatar.com pombredanne Avatar for TG99 from gravatar.com TG99

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: Apache-2.0 AND CC-BY-SA-4.0
  • Author: nexB. Inc. and others
  • Tags open source, vulnerability, security, cve, purl, packageurl, dependency, package, vulnerability-db, SBOM, sca
  • Requires: Python >=3.9
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

35.0.0

This version

35.0.0rc1 pre-release

34.3.2

34.3.1

34.3.0

34.2.0

34.1.0

34.0.2

34.0.1

34.0.0

33.6.3

33.6.2

33.6.1

33.6.0

33.5.0

33.4.0

33.3.0

33.2.0

33.1.0

33.0.0

32.0.1

32.0.0

32.0.0rc4 pre-release

32.0.0rc3 pre-release

32.0.0rc2 pre-release

32.0.0rc1 pre-release

31.1.1

31.1.0

31.0.0

30.3.1

30.3.0

30.2.0

30.1.1

30.0.0

30.0.0rc6 pre-release

30.0.0rc5 pre-release

30.0.0rc1 pre-release

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vulnerablecode-35.0.0rc1.tar.gz (12.7 MB view details)

Uploaded Source

Built Distribution

vulnerablecode-35.0.0rc1-py3-none-any.whl (2.3 MB view details)

Uploaded Python 3

File details

Details for the file vulnerablecode-35.0.0rc1.tar.gz.

File metadata

  • Download URL: vulnerablecode-35.0.0rc1.tar.gz
  • Upload date:
  • Size: 12.7 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.1 CPython/3.9.20

File hashes

Hashes for vulnerablecode-35.0.0rc1.tar.gz
Algorithm Hash digest
SHA256 634631c77a188346e7183fcaf4b993a38e5af8d0c77728f45ec71913dba7ee0a
MD5 6aa36defbca82774e3f8ec54fc4dcb4f
BLAKE2b-256 0f1d13f744b7683a33c99b2affe8720616a8a43e10a5910339fc7ba29b900e85

See more details on using hashes here.

File details

Details for the file vulnerablecode-35.0.0rc1-py3-none-any.whl.

File metadata

File hashes

Hashes for vulnerablecode-35.0.0rc1-py3-none-any.whl
Algorithm Hash digest
SHA256 a22ad2c3f334b230790bd267af06a8bc6c77bf831d9320e7f45a0ce06b175ae5
MD5 079ac95ed668a74ab2aaf631c877dc30
BLAKE2b-256 beae95247aa598c96015882dadbbe9fd34050d17affddeb745a0a4ceb5629bf1

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page