vulnerablecode 38.3.0

VulnerableCode is a free and open database of open source software package vulnerabilities because open source software vulnerabilities data and tools should be free and open source themselves.

VulnerableCode is a database of software package vulnerabilities with Web UI and API.

Why Use VulnerableCode?

VulnerableCode provides a Web UI and API to access a database of known software package vulnerabilities with comprehensive information from upstream and downstream public sources including packages affected by a vulnerability and packages that fix a vulnerability.

There is a public VulnerableCode database and the project also provides the tools to build your own instance of the database.

Getting Started

Instructions to get you up and running on your local machine are at Getting Started

The VulnerableCode documentation also provides:

• prerequisites for installing the software.

• an introduction to the user interface.

• how to use the API.

• tutorials for adding new pipelines to import and improve advisories.

• extensive reference information about VulnerableCode data.

• guidelines for contributing to code development.

Build and tests status

Benefits of VulnerableCode

VulnerableCode is a free and open database of open source software package vulnerabilities because open source software vulnerability data and tools should be free and open source themselves.

• Vulnerability databases have been traditionally proprietary even though they are mostly about free and open source software.

• Vulnerability databases also often contain a lot of lesser value data which means a lot of false positive signals that require extensive expert reviews.

• Vulnerability databases are also mostly about vulnerabilities first and software packages second, making it difficult to find if and when a vulnerability applies to a piece of code. VulnerableCode’s focus is on software packages first where a Package URL (PURL) is a key and natural identifier for packages; this makes it easier to find a package and whether it is vulnerable.

PURLs were designed initially for ScanCode and VulnerableCode. PURL is now a standard for vulnerability management and package references.

The VulnerableCode tech stack is Python, Django, PostgreSQL, nginx and Docker and several libraries.

Support

If you have a specific problem, suggestion or bug, please submit a GitHub issue.

For quick questions or socializing, join the AboutCode community discussions on Slack.

Interested in commercial suppport? Contact the AboutCode team.

License

• Apache-2.0 is the overall license.

• CC-BY-SA-4.0 applies to reference datasets.

• There are multiple secondary permissive or copyleft licenses (LGPL, MIT, BSD, GPL 2/3, etc.) for third-party components and test suite code and data.

Acknowledgements, Funding, Support and Sponsoring

This project is funded, supported and sponsored by:

• Generous support and contributions from users like you!

• the European Commission NGI programme

• the NLnet Foundation

• the Swiss State Secretariat for Education, Research and Innovation (SERI)

• Google, including the Google Summer of Code and the Google Seasons of Doc programmes

• Mercedes-Benz Group

• Microsoft and Microsoft Azure

• AboutCode ASBL

• nexB Inc.

This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission’s Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.

https://nlnet.nl/project/VulnerableCode/

This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission’s Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322.

https://nlnet.nl/project/vulnerabilitydatabase/

This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission’s Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990.

https://nlnet.nl/project/VulnerableCode-enhancements/

This project is funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission’s Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594.

https://nlnet.nl/project/FederatedSoftwareMetadata/

This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission’s Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI).

https://nlnet.nl/project/FederatedCodeNext/

This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission’s Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594.

https://nlnet.nl/project/CRAVEX/