VulnerableCode

PROJECT
Part of: AboutCode

Open source tools for software vulnerability reporting

About
Identifying software components with security vulnerabilities is too expensive and difficult because:
 • Vulnerability databases are generally proprietary, even though they are mostly about free and open source software.
 • Vulnerability databases often contain a lot of low-value data, which produces many false positive signals that require extensive expert review.
 • Vulnerability databases are also mostly about vulnerabilities first and software packages second. This makes it difficult to find whether, and how, a vulnerability applies to a given piece of code. VulnerableCode instead puts software packages first, using the Package URL as the key and natural identifier for a package.
Simply put, VulnerableCode makes it easier to find a package and determine whether it is vulnerable.

VulnerableCode currently provides tools to collect, aggregate and refine software vulnerability information from more than 20 sources and tools to quickly create new “importers”. Some prominent sources include the NVD, Debian, GitHub, npmjs, Red Hat and RubyGems. We are actively developing a VulnerableCode.io module to provide a comprehensive UI, REST API and database for VulnerableCode.

VulnerableCode development is supported by nexB and the NLNet Foundation.
