Identifying software components with security vulnerabilities is currently hindered by data structure and tools that are (1) designed primarily for commercial/proprietary software components and (2) too dependent on CVEs from the National Vulnerability Database (from US Dept. of Commerce). With the explosion of Free and Open Source Software (FOSS) usage over the last decade, we need a new approach in order to efficiently identify security vulnerabilities.
We believe that this new approach should be based on open data and FOSS tools. The goal of the VulnerableCode project is to create new FOSS tools to:
- Aggregate software component vulnerability data from multiple sources,
- Organize that data with a new standard package identifier (Package URL or PURL - https://github.com/package-url/purl-spec), and
- Automate the search for FOSS component security vulnerabilities.
The expected benefits are to improve the security of software applications with open tools and data available to everyone without dependence on a single governmental data source or a few commercial data providers.
VulnerableCode is an early stage project supported by the NLNet Foundation.