vulnerablecode

Name: vulnerablecode
Version: 33.6.3
Home page: https://github.com/nexB/vulnerablecode
Summary: VulnerableCode is a free and open database of open source software package vulnerabilities because open source software vulnerabilities data and tools should be free and open source themselves.
Upload time: 2023-11-27 07:18:30
Author: nexB. Inc. and others
Requires Python: >=3.8
License: Apache-2.0 AND CC-BY-SA-4.0
Keywords: open source, vulnerability, security, cve, purl, packageurl, dependency, package, vulnerability-db, sbom, sca
Requirements: No requirements were recorded.
Travis-CI: No Travis.
Coveralls test coverage: No coveralls.

===============
VulnerableCode
===============

|Build Status| |Code License| |Data License| |Python 3.8+| |stability-wip| |Gitter chat|


.. |Build Status| image:: https://github.com/nexB/vulnerablecode/actions/workflows/main.yml/badge.svg?branch=main
   :target: https://github.com/nexB/vulnerablecode/actions?query=workflow%3ACI
.. |Code License| image:: https://img.shields.io/badge/Code%20License-Apache--2.0-green.svg
   :target: https://opensource.org/licenses/Apache-2.0
.. |Data License| image:: https://img.shields.io/badge/Data%20License-CC--BY--SA--4.0-green.svg
   :target: https://creativecommons.org/licenses/by-sa/4.0/legalcode 
.. |Python 3.8+| image:: https://img.shields.io/badge/python-3.8+-green.svg
   :target: https://www.python.org/downloads/release/python-380/
.. |stability-wip| image:: https://img.shields.io/badge/stability-work_in_progress-lightgrey.svg
.. |Gitter chat| image:: https://badges.gitter.im/gitterHQ/gitter.png
   :target: https://gitter.im/aboutcode-org/vulnerablecode


VulnerableCode is a free and open database of open source software package
vulnerabilities, **because open source software vulnerability data and tools
should be free and open source themselves**.

We are also trying to change the status quo in a few other areas:

- Vulnerability databases have been **traditionally proprietary**, even though
  they are mostly about free and open source software.

- Vulnerability databases also often contain a lot of low-value data, which
  means many false positive signals that require extensive expert review.

- Vulnerability databases are also mostly organized around vulnerabilities
  first and software packages second, making it difficult to find if and when
  a vulnerability applies to a given piece of code. VulnerableCode puts the
  software package first and uses the Package URL (purl) as the key and natural
  identifier for packages; this makes it easier to find a package and to check
  whether it is vulnerable.

Package URLs themselves were first designed in ScanCode and VulnerableCode and
are now a de facto standard for vulnerability management and package references.

See https://github.com/package-url/purl-spec
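As an added example (not code from VulnerableCode or from the purl-spec project), the following Python parses and canonicalizes purls following the decoding order and the type-specific normalization rules of the purl-spec, so that one package always maps to one lookup key regardless of spelling. The sample purls in ``demo()`` are constructed for illustration; in production you would use the packageurl-python reference implementation rather than a hand-written parser:

```python
"""Parse and re-serialize Package URLs (purls) per the purl-spec decoding
order. Added example for this page; not VulnerableCode or packageurl-python
code. Sample purls in demo() are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import quote, unquote

# purl-spec: qualifier keys are lowercase, alphanumeric plus '.', '-', '_',
# and must not start with a digit.
_QUALIFIER_KEY = re.compile(r"[a-z._-][a-z0-9._-]*")


@dataclass
class Purl:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None

    def __str__(self) -> str:
        """Canonical form pkg:type/namespace/name@version?k=v#subpath. Each
        component is percent-encoded so a '/', '@', '?' or '#' inside it
        cannot be confused with a purl separator."""
        out = ["pkg:", self.type, "/"]
        if self.namespace:
            out.append("/".join(quote(s, safe=":") for s in self.namespace.split("/")) + "/")
        out.append(quote(self.name, safe=":"))
        if self.version:
            out.append("@" + quote(self.version, safe=":"))
        if self.qualifiers:  # spec: qualifiers sorted by key
            out.append("?" + "&".join(f"{k}={quote(v, safe=':/')}" for k, v in sorted(self.qualifiers.items())))
        if self.subpath:
            out.append("#" + "/".join(quote(s, safe=":") for s in self.subpath.split("/")))
        return "".join(out)


def parse_purl(text: str) -> Purl:
    """Decode in the order the spec prescribes: subpath, qualifiers, scheme,
    type, version, then namespace/name."""
    remainder = text.strip()

    # 1. Subpath: split once from the right on '#'. Empty, '.' and '..'
    #    segments are dropped, so a subpath cannot escape the package root.
    subpath = None
    if "#" in remainder:
        remainder, raw = remainder.rsplit("#", 1)
        segments = [unquote(s) for s in raw.strip("/").split("/") if s not in ("", ".", "..")]
        subpath = "/".join(segments) or None

    # 2. Qualifiers: split once from the right on '?', '&'-separated key=value
    #    pairs; a key with an empty value is discarded.
    qualifiers: Dict[str, str] = {}
    if "?" in remainder:
        remainder, raw = remainder.rsplit("?", 1)
        for pair in filter(None, raw.split("&")):
            key, _, value = pair.partition("=")
            key = key.lower()
            if not _QUALIFIER_KEY.fullmatch(key):
                raise ValueError(f"invalid qualifier key: {key!r}")
            if value:
                qualifiers[key] = unquote(value)

    # 3. Scheme: must be 'pkg:'; slashes right after it are ignored.
    scheme, sep, remainder = remainder.partition(":")
    if not sep or scheme.lower() != "pkg":
        raise ValueError("a purl must start with 'pkg:'")
    remainder = remainder.strip("/")

    # 4. Type: everything before the first '/', lowercased.
    ptype, sep, remainder = remainder.partition("/")
    if not sep or not ptype:
        raise ValueError("a purl needs a type and a name")
    ptype = ptype.lower()

    # 5. Version: split once from the right on '@'. An '@' inside a namespace
    #    (npm's '@angular') is percent-encoded, so this split is unambiguous.
    version = None
    if "@" in remainder:
        remainder, raw = remainder.rsplit("@", 1)
        version = unquote(raw)

    # 6. Namespace and name: the last '/'-segment is the name.
    segments = [unquote(s) for s in remainder.split("/") if s]
    if not segments:
        raise ValueError("a purl needs a name")
    name, namespace = segments[-1], "/".join(segments[:-1]) or None

    # Type-specific normalization from the spec; without it one package shows
    # up under several spellings and a vulnerability match can be missed.
    if ptype == "pypi":
        name = name.lower().replace("_", "-")
    elif ptype in ("github", "bitbucket"):
        name = name.lower()
        namespace = namespace.lower() if namespace else None

    return Purl(ptype, name, namespace, version, qualifiers, subpath)


def canonicalize(text: str) -> str:
    """Normalized string form: the key to look a package up under."""
    return str(parse_purl(text))


def demo() -> List[str]:
    samples = [  # constructed, not VulnerableCode data
        "pkg:pypi/Django_Rest_Framework@3.14.0",
        "pkg:npm/%40angular/core@1.0.0?arch=x86_64&empty=#src/../index.js",
        "PKG://GitHub/NexB/VulnerableCode",
    ]
    return [canonicalize(s) for s in samples]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of the splits matters: the subpath and qualifiers are removed from the right before the version is split off, so a ``@`` or ``/`` inside a qualifier value or subpath is never mistaken for the version or name separator.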

The VulnerableCode project is a FOSS community resource to help improve the
security of the open source software ecosystem and its users at large.

VulnerableCode consists of a database and the tools to collect, refine and keep
the database current. 

.. warning::
    VulnerableCode is under active development and is not yet fully
    usable.

Read more about VulnerableCode at https://vulnerablecode.readthedocs.org/

VulnerableCode is financially supported by NLnet, nexB, Google (through the
GSoC) and the active contributions of several volunteers.

The VulnerableCode tech stack is Python, Django, PostgreSQL, nginx and Docker,
plus several libraries.


Getting started
---------------

Run with Docker
^^^^^^^^^^^^^^^^

First install docker and docker-compose, then run::

    git clone https://github.com/nexB/vulnerablecode.git && cd vulnerablecode
    make envfile
    docker-compose build
    docker-compose up -d
    docker-compose run vulnerablecode ./manage.py import --list

Then run an importer for nginx advisories (which is small)::

    docker-compose exec vulnerablecode ./manage.py import vulnerabilities.importers.nginx.NginxImporter
    docker-compose exec vulnerablecode ./manage.py improve --all

At this point, the VulnerableCode app and API should be up and running with
some data at http://localhost.


Populate VulnerableCode database
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

VulnerableCode data collection works in two steps: importing data from multiple
sources, then refining and improving how packages and software vulnerabilities
are related.

To run all importers and improvers use this::

   ./manage.py import --all
   ./manage.py improve --all


Local development installation
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

On a Debian system, use this::

    sudo apt-get install python3-venv python3-dev postgresql libpq-dev build-essential
    git clone https://github.com/nexB/vulnerablecode.git && cd vulnerablecode
    make dev envfile postgres
    make test
    source venv/bin/activate
    ./manage.py import vulnerabilities.importers.nginx.NginxImporter
    ./manage.py improve --all
    make run

At this point, the VulnerableCode app and API are up at http://127.0.0.1:8001/

Interface
^^^^^^^^^^


VulnerableCode comes with a minimal web UI:

.. image:: vulnerablecode-ui.png

And a JSON API and its minimal web documentation:

.. image:: vulnerablecode-json-api.png
.. image:: vulnerablecode-api-doc.png
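As an added example (not VulnerableCode's own client or API code), the following Python looks packages up by purl against the JSON API and reduces the responses to a triage list. The base URL ``http://localhost``, the endpoint ``/api/packages/?purl=...`` and the response fields it reads are assumptions not confirmed by this README, and ``SAMPLE_RESPONSE`` is a constructed stand-in so that the code runs offline:

```python
"""Look up packages by Package URL in a VulnerableCode instance and reduce the
JSON API responses to a triage list. Added example for this page, not
VulnerableCode's own code. Assumed (not in the README): BASE_URL, the endpoint
/api/packages/?purl=..., and the response fields read below. SAMPLE_RESPONSE
is constructed so the example runs offline."""
import json
import urllib.request
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlencode

BASE_URL = "http://localhost"  # assumption: the docker-compose setup above

# Constructed stand-in for an API response; ids and aliases are placeholders.
SAMPLE_RESPONSE: Dict = {
    "results": [{
        "purl": "pkg:pypi/example-lib@1.2.0",
        "affected_by_vulnerabilities": [
            {
                "vulnerability_id": "VCID-0000-0000-0001",
                "aliases": ["CVE-0000-00001"],
                # a version that fixes one advisory can still be hit by another
                "fixed_packages": [
                    {"purl": "pkg:pypi/example-lib@1.2.1", "is_vulnerable": False},
                    {"purl": "pkg:pypi/example-lib@1.3.0", "is_vulnerable": True},
                ],
            },
            {
                "vulnerability_id": "VCID-0000-0000-0002",
                "aliases": [],
                "fixed_packages": [],
            },
        ],
        "fixing_vulnerabilities": [
            {"vulnerability_id": "VCID-0000-0000-0003", "aliases": ["CVE-0000-00003"]},
        ],
    }],
}

def lookup_url(purl: str, base_url: str = BASE_URL) -> str:
    """Assumed lookup endpoint; urlencode keeps '@', '?' and '#' inside the
    purl from being read as part of the query string."""
    return f"{base_url.rstrip('/')}/api/packages/?{urlencode({'purl': purl})}"

def fetch(purl: str, base_url: str = BASE_URL, timeout: float = 10) -> Dict:
    """Live lookup against a running instance (network; not used offline)."""
    with urllib.request.urlopen(lookup_url(purl, base_url), timeout=timeout) as resp:
        return json.load(resp)

def triage(response: Dict) -> List[Dict]:
    """One finding per returned package: the advisories affecting it, the ones
    it fixes, and per advisory the fixed versions not themselves flagged."""
    findings = []
    for pkg in response.get("results", []):
        affected = []
        for vuln in pkg.get("affected_by_vulnerabilities", []):
            safe_fixes = sorted(
                fp["purl"] for fp in vuln.get("fixed_packages", [])
                if not fp.get("is_vulnerable", True)
            )
            affected.append({
                "id": vuln["vulnerability_id"],
                "aliases": sorted(vuln.get("aliases", [])),
                "safe_fixes": safe_fixes,
            })
        findings.append({
            "purl": pkg["purl"],
            "vulnerable": bool(affected),
            "affected_by": sorted(affected, key=lambda a: a["id"]),
            "fixes": sorted(v["vulnerability_id"] for v in pkg.get("fixing_vulnerabilities", [])),
        })
    return findings

def triage_many(purls: Iterable[str], fetcher: Callable[[str], Dict] = fetch) -> List[Dict]:
    """Look up every purl (e.g. each SBOM component). A purl the instance does
    not know yields vulnerable=None: 'no data' is not the same as 'safe'."""
    out: List[Dict] = []
    for purl in purls:
        findings = triage(fetcher(purl))
        out.extend(findings or [{"purl": purl, "vulnerable": None, "affected_by": [], "fixes": []}])
    return out

def report(findings: List[Dict]) -> str:
    lines = []
    for f in findings:
        if f["vulnerable"] is None:
            lines.append(f"{f['purl']}: not in database (no data)")
        elif not f["vulnerable"]:
            lines.append(f"{f['purl']}: no known vulnerabilities")
        for a in f["affected_by"]:
            alias = f" ({', '.join(a['aliases'])})" if a["aliases"] else ""
            fix = ", ".join(a["safe_fixes"]) or "no non-vulnerable fix recorded"
            lines.append(f"{f['purl']}: affected by {a['id']}{alias}; fixed in: {fix}")
    return "\n".join(lines)

if __name__ == "__main__":
    # Offline run on the constructed response; pass fetcher=fetch for a live instance.
    print(report(triage_many(["pkg:pypi/example-lib@1.2.0"], fetcher=lambda _p: SAMPLE_RESPONSE)))
```

Two details are deliberate: a fixed version recorded for one advisory may still be affected by another, so only fixes whose ``is_vulnerable`` flag is false are suggested, and a purl that the instance has no record of is reported as missing data rather than as clean.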


License
^^^^^^^^^^

Copyright (c) nexB Inc. and others. All rights reserved.

VulnerableCode is a trademark of nexB Inc.

SPDX-License-Identifier: Apache-2.0 AND CC-BY-SA-4.0

VulnerableCode software is licensed under the Apache License version 2.0.

VulnerableCode data is licensed collectively under CC-BY-SA-4.0.

See https://www.apache.org/licenses/LICENSE-2.0 for the license text.

See https://creativecommons.org/licenses/by-sa/4.0/legalcode for the license text.

See https://github.com/nexB/vulnerablecode for support or download. 

See https://aboutcode.org for more information about nexB OSS projects.

Acknowledgements
^^^^^^^^^^^^^^^^

This project was funded through the NGI0 PET Fund, a fund established by
NLnet with financial support from the European Commission's Next Generation
Internet programme, under the aegis of DG Communications Networks, Content
and Technology under grant agreement No 825310.

https://nlnet.nl/project/VulnerableCode/

This project was funded through the NGI0 Discovery Fund, a fund established
by NLnet with financial support from the European Commission's Next Generation
Internet programme, under the aegis of DG Communications Networks, Content
and Technology under grant agreement No 825322.

https://nlnet.nl/project/vulnerabilitydatabase/

            

Raw data
--------

::

    {
    "_id": null,
    "home_page": "https://github.com/nexB/vulnerablecode",
    "name": "vulnerablecode",
    "maintainer": "",
    "docs_url": null,
    "requires_python": ">=3.8",
    "maintainer_email": "",
    "keywords": "open source,vulnerability,security,cve,purl,packageurl,dependency,package,vulnerability-db,SBOM,sca",
    "author": "nexB. Inc. and others",
    "author_email": "info@aboutcode.org",
    "download_url": "https://files.pythonhosted.org/packages/5a/19/1049f63fca58e5bbc41c3df9486ef3c611b15eeadb8fc23d80151c54ebd7/vulnerablecode-33.6.3.tar.gz",
    "platform": null,
    "bugtrack_url": null,
    "license": "Apache-2.0 AND CC-BY-SA-4.0",
    "summary": "VulnerableCode is a free and open database of open source software package vulnerabilities because open source software vulnerabilities data and tools should be free and open source themselves.",
    "version": "33.6.3",
    "project_urls": {
        "Homepage": "https://github.com/nexB/vulnerablecode"
    },
    "split_keywords": [
        "open source",
        "vulnerability",
        "security",
        "cve",
        "purl",
        "packageurl",
        "dependency",
        "package",
        "vulnerability-db",
        "sbom",
        "sca"
    ],
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "77ad9ac9829d7c2388eee4ffbc077a7374b6534f1e7e570136509bbb35e871f6",
                "md5": "96fb00830d4f7d222f17e1cb0d59878f",
                "sha256": "8b5544df7507abd829ae1ac07af25f1fd8cdfd0ee37031063ae45e6ba21155e7"
            },
            "downloads": -1,
            "filename": "vulnerablecode-33.6.3-py3-none-any.whl",
            "has_sig": false,
            "md5_digest": "96fb00830d4f7d222f17e1cb0d59878f",
            "packagetype": "bdist_wheel",
            "python_version": "py3",
            "requires_python": ">=3.8",
            "size": 2097747,
            "upload_time": "2023-11-27T07:18:27",
            "upload_time_iso_8601": "2023-11-27T07:18:27.163707Z",
            "url": "https://files.pythonhosted.org/packages/77/ad/9ac9829d7c2388eee4ffbc077a7374b6534f1e7e570136509bbb35e871f6/vulnerablecode-33.6.3-py3-none-any.whl",
            "yanked": false,
            "yanked_reason": null
        },
        {
            "comment_text": "",
            "digests": {
                "blake2b_256": "5a191049f63fca58e5bbc41c3df9486ef3c611b15eeadb8fc23d80151c54ebd7",
                "md5": "b70968f01ac15f2712406b73fbc48fd8",
                "sha256": "17ba1c63d08b7fcd4123a6bb1089e2598baffa16d75202ca96cb70e47b08aaf0"
            },
            "downloads": -1,
            "filename": "vulnerablecode-33.6.3.tar.gz",
            "has_sig": false,
            "md5_digest": "b70968f01ac15f2712406b73fbc48fd8",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": ">=3.8",
            "size": 16465272,
            "upload_time": "2023-11-27T07:18:30",
            "upload_time_iso_8601": "2023-11-27T07:18:30.098258Z",
            "url": "https://files.pythonhosted.org/packages/5a/19/1049f63fca58e5bbc41c3df9486ef3c611b15eeadb8fc23d80151c54ebd7/vulnerablecode-33.6.3.tar.gz",
            "yanked": false,
            "yanked_reason": null
        }
    ],
    "upload_time": "2023-11-27 07:18:30",
    "github": true,
    "gitlab": false,
    "bitbucket": false,
    "codeberg": false,
    "github_user": "nexB",
    "github_project": "vulnerablecode",
    "travis_ci": false,
    "coveralls": false,
    "github_actions": true,
    "requirements": [],
    "lcname": "vulnerablecode"
    }
        