Why Is There No Free Software Vulnerability Database? from OSS Summit 2020

Something is not right: comprehensive databases of known FOSS software vulnerabilities are mostly proprietary and privately maintained. Why couldn't these be open data instead? They are, after all, about FOSS code.

“Using Components with Known Vulnerabilities” is one of the OWASP Top 10 Most Critical Web Application Security Risks. Identifying such vulnerable components is currently hindered by data structures and tools that are (1) designed primarily for proprietary software components and (2) incomplete and too dependent on voluntary submissions to the National Vulnerability Database. With the explosion of FOSS usage over the last decade, we need a new approach to efficiently identify FOSS security vulnerabilities. And that approach should be based on open data and FOSS tools.

Watch this video to find out how we are working to build new FOSS tools that aggregate, relate, and curate software component vulnerability data from multiple sources, and automate the search for FOSS component security vulnerabilities.

The benefit is the improved security of software applications with open tools and data for everyone.

