Identifying software components with known security vulnerabilities is expensive and difficult because:

  • Vulnerability databases are generally proprietary, even though they are mostly about free and open source software.
  • Vulnerability databases often contain a lot of low-value data, which produces many false-positive signals that require extensive expert review.
  • Vulnerability databases are also organized around vulnerabilities first and software packages second. This makes it difficult to determine whether, and how, a vulnerability applies to a given piece of code. VulnerableCode focuses on software packages first, using the Package URL (purl) as the key and natural identifier for a package.

Simply put, VulnerableCode makes it easier to find a package and determine whether it is vulnerable.
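To make the "packages first, keyed by Package URL" idea concrete, here is an added example that is not VulnerableCode's own code: a small purl parser following the purl specification's split order, plus a lookup that answers "is this package, at this version, known to be vulnerable?". The vulnerability records and their `EXAMPLE-000N` identifiers are constructed placeholders, not real advisories, and the lookup matches exact versions only, where a real service would also match version ranges.

```python
"""Added example (not VulnerableCode's own code): package-first vulnerability
lookup keyed by Package URL.  Records below are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qsl, unquote


@dataclass(frozen=True)
class PackageURL:
    """Components of pkg:type/namespace/name@version?qualifiers#subpath."""
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Tuple[Tuple[str, str], ...]  # sorted (key, value) pairs
    subpath: Optional[str]

    def key(self) -> Tuple[str, Optional[str], str]:
        """Identity of a package independent of its version."""
        return (self.type, self.namespace, self.name)


def _normalize_name(ptype: str, name: str) -> str:
    """Type-specific name rules from the purl spec (only pypi is handled here):
    PyPI is case-insensitive and treats '_' and '-' as the same character."""
    if ptype == "pypi":
        return name.lower().replace("_", "-")
    return name


def parse_purl(purl: str) -> PackageURL:
    """Parse a purl using the spec's split order: '#', '?', ':', '/', '@', '/'.
    Splitting the version from the right is what keeps an unencoded '@' in a
    scoped npm namespace (pkg:npm/@scope/name@1.0.0) from being mistaken for it."""
    remainder = purl.strip()

    subpath = None
    if "#" in remainder:
        remainder, _, sub = remainder.rpartition("#")
        subpath = unquote(sub.strip("/")) or None

    qualifiers: Tuple[Tuple[str, str], ...] = ()
    if "?" in remainder:
        remainder, _, query = remainder.rpartition("?")
        qualifiers = tuple(sorted((k.lower(), v) for k, v in parse_qsl(query)))

    scheme, sep, remainder = remainder.partition(":")
    if scheme.lower() != "pkg" or not sep:
        raise ValueError(f"not a purl: {purl!r}")
    remainder = remainder.lstrip("/")          # "pkg://type/..." is tolerated

    ptype, sep, remainder = remainder.partition("/")
    if not sep or not remainder:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    ptype = ptype.lower()                      # type is case-insensitive

    version = None
    if "@" in remainder:
        remainder, _, ver = remainder.rpartition("@")
        version = unquote(ver) or None

    remainder = remainder.strip("/")
    namespace = None
    if "/" in remainder:
        ns, _, name = remainder.rpartition("/")
        namespace = "/".join(unquote(s) for s in ns.split("/") if s) or None
    else:
        name = remainder
    name = _normalize_name(ptype, unquote(name))
    if not name:
        raise ValueError(f"purl has an empty name: {purl!r}")
    return PackageURL(ptype, namespace, name, version, qualifiers, subpath)


# Constructed sample records: placeholder vulnerability IDs, not real advisories.
VULNERABLE_PACKAGES = [
    {"purl": "pkg:pypi/Example_Lib@1.2.0", "vulnerability": "EXAMPLE-0001"},
    {"purl": "pkg:pypi/example-lib@1.2.1", "vulnerability": "EXAMPLE-0001"},
    {"purl": "pkg:npm/%40example/widget@2.0.0", "vulnerability": "EXAMPLE-0002"},
    {"purl": "pkg:deb/debian/examplepkg@1.0-1", "vulnerability": "EXAMPLE-0003"},
]

Index = Dict[Tuple[str, Optional[str], str], Dict[Optional[str], Set[str]]]


def build_index(records) -> Index:
    """Package-first index: (type, namespace, name) -> version -> vulnerability IDs.
    Normalization in parse_purl makes 'Example_Lib' and 'example-lib' one key."""
    index: Index = {}
    for rec in records:
        p = parse_purl(rec["purl"])
        index.setdefault(p.key(), {}).setdefault(p.version, set()).add(rec["vulnerability"])
    return index


def find_vulnerabilities(index: Index, purl: str) -> List[str]:
    """Exact-version lookup; a purl without a version reports everything known
    for that package.  Version-range matching is deliberately out of scope."""
    p = parse_purl(purl)
    versions = index.get(p.key(), {})
    if p.version is None:
        return sorted(set().union(*versions.values()))
    return sorted(versions.get(p.version, set()))


if __name__ == "__main__":
    idx = build_index(VULNERABLE_PACKAGES)
    for query in ("pkg:pypi/example_lib@1.2.0", "pkg:npm/@example/widget@2.0.0",
                  "pkg:pypi/example-lib@9.9.9", "pkg:pypi/Example-Lib"):
        print(query, "->", find_vulnerabilities(idx, query))
```

The point of the example is the key: once every record and every query are reduced to a normalized `(type, namespace, name)` plus version, "which of my packages are affected?" becomes a dictionary lookup rather than a full-text search through advisories.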

VulnerableCode currently provides tools to collect, aggregate and refine software vulnerability information from more than 20 sources, along with tooling to quickly create new "importers" for additional sources. Prominent sources include the NVD, Debian, GitHub, npmjs, Red Hat and RubyGems. We are actively developing a module to provide a comprehensive UI, REST API and database for VulnerableCode.

The first phase of VulnerableCode development was supported by the NLNet Foundation.