vulnerablecode

VulnerableCode is a free and open database of open source software package vulnerabilities because open source software vulnerabilities data and tools should be free and open source themselves.

These details have not been verified by PyPI

Project links

Homepage

Project description

stability-wip

VulnerableCode is a free and open database of open source software package vulnerabilities because open source software vulnerabilities data and tools should be free and open source themselves:

we are trying to change this and evolve the status quo in a few other areas!

Vulnerability databases have been traditionally proprietary even though they are mostly about free and open source software.
Vulnerability databases also often contain a lot of lesser value data which means a lot of false positive signals that require extensive expert reviews.
Vulnerability databases are also mostly about vulnerabilities first and software package second, making it difficult to find if and when a vulnerability applies to a piece of code. VulnerableCode focus is on software package first where a Package URL is a key and natural identifier for packages; this is making it easier to find a package and whether it is vulnerable.

Package URL themselves were designed first in ScanCode and VulnerableCode and are now a de-facto standard for vulnerability management and package references.

See https://github.com/package-url/purl-spec

The VulnerableCode project is a FOSS community resource to help improve the security of the open source software ecosystem and its users at large.

VulnerableCode consists of a database and the tools to collect, refine and keep the database current.

Read more about VulnerableCode https://vulnerablecode.readthedocs.org/

VulnerableCode is financially supported by NLnet, nexB, Google (through the GSoC) and the active contributions of several volunteers.

VulnerableCode tech stack is Python, Django, PostgreSQL, nginx and Docker and several libraries.

Getting started

Run with Docker

First install docker and docker-compose, then run:

git clone https://github.com/nexB/vulnerablecode.git && cd vulnerablecode
make envfile
docker-compose build
docker-compose up -d
docker-compose run vulnerablecode ./manage.py import --list

Then run an importer for nginx advisories (which is small):

docker-compose exec vulnerablecode ./manage.py import vulnerabilities.importers.nginx.NginxImporter
docker-compose exec vulnerablecode ./manage.py improve --all

At this point, the VulnerableCode app and API should be up and running with some data at http://localhost

Populate VulnerableCode database

VulnerableCode data collection works in two steps: importing data from multiple sources and then refining and improving how package and software vulnerabilities are related.

To run all importers and improvers use this:

./manage.py import --all
./manage.py improve --all

Local development installation

On a Debian system, use this:

sudo apt-get install  python3-venv python3-dev postgresql libpq-dev build-essential
git clone https://github.com/nexB/vulnerablecode.git && cd vulnerablecode
make dev envfile postgres
make test
./manage.py import vulnerabilities.importers.nginx.NginxImporter
./manage.py improve --all
make run

At this point, the VulnerableCode app and API is up at http://127.0.0.1:8001/

Interface

VulnerableCode comes with a minimal web UI:

And a JSON API and its minimal web documentation:

License

VulnerableCode is a trademark of nexB Inc.

SPDX-License-Identifier: Apache-2.0 AND CC-BY-SA-4.0

VulnerableCode software is licensed under the Apache License version 2.0.

VulnerableCode data is licensed collectively under CC-BY-SA-4.0.

See https://www.apache.org/licenses/LICENSE-2.0 for the license text.

See https://creativecommons.org/licenses/by-sa/4.0/legalcode for the license text.

See https://github.com/nexB/vulnerablecode for support or download.

See https://aboutcode.org for more information about nexB OSS projects.

Project details

These details have not been verified by PyPI

Project links

Homepage

Release history Release notifications | RSS feed

34.1.0

Nov 8, 2024

34.0.2

Oct 7, 2024

34.0.1

Sep 18, 2024

34.0.0

Aug 23, 2024

33.6.3

Nov 27, 2023

33.6.2

Nov 7, 2023

33.6.1

Sep 22, 2023

33.6.0

Sep 21, 2023

33.5.0

Sep 18, 2023

33.4.0

Aug 23, 2023

33.3.0

Aug 3, 2023

33.2.0

Jul 24, 2023

33.1.0

Jul 21, 2023

33.0.0

Jul 5, 2023

32.0.1

May 15, 2023

32.0.0

Apr 21, 2023

This version

32.0.0rc4 pre-release

Mar 29, 2023

32.0.0rc3 pre-release

Feb 10, 2023

32.0.0rc2 pre-release

Jan 25, 2023

32.0.0rc1 pre-release

Jan 25, 2023

31.1.1

Jan 9, 2023

31.1.0

Jan 2, 2023

31.0.0

Nov 28, 2022

30.3.1

Nov 9, 2022

30.3.0

Nov 8, 2022

30.2.0

Oct 20, 2022

30.1.1

Oct 17, 2022

30.0.0

Oct 3, 2022

30.0.0rc6 pre-release

Sep 9, 2022

30.0.0rc5 pre-release

Sep 9, 2022

30.0.0rc1 pre-release

Jun 22, 2022

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

vulnerablecode-32.0.0rc4.tar.gz (15.8 MB view hashes)

Uploaded Mar 29, 2023 Source

Built Distribution

vulnerablecode-32.0.0rc4-py3-none-any.whl (2.1 MB view hashes)

Uploaded Mar 29, 2023 Python 3

Hashes for vulnerablecode-32.0.0rc4.tar.gz

Hashes for vulnerablecode-32.0.0rc4.tar.gz
Algorithm	Hash digest
SHA256	`f83e77845b58f9550cd14b10d1deca1357b507227e6693c2f5c0f13e6d663883`
MD5	`ef7547ff274e3d1c2e05b142f95eb775`
BLAKE2b-256	`6f72887104ced99bee3c9c5a2ec4512e0883b3a0ef272441582c7dc952ed7cb2`

Hashes for vulnerablecode-32.0.0rc4-py3-none-any.whl

Hashes for vulnerablecode-32.0.0rc4-py3-none-any.whl
Algorithm	Hash digest
SHA256	`bc5bdc5f2adb8d9ba0a9cb8ae5c85f0a35ca033c294c77a121155b671a9d3c37`
MD5	`8b382408c7c0263f85252776a2c5a047`
BLAKE2b-256	`173c2ff6d8d24403fac41bd99b1fc29d07baf015310dfeaff0c25d76c2605a7e`