Find FOSS vulnerabilities,
improve FOSS security.

VulnerableCode is a FOSS tool to automate search for FOSS security vulnerabilities.

By collecting and parsing data from many sources, identifying packages using a standardized package-url, and accessing the data through a REST API, VulnerableCode addresses key security concerns for using FOSS code in modern applications.

VulnerableCode is a free and open database of FOSS package vulnerabilities.

With VulnerableCode, we are building FOSS tools to aggregate, correlate, and curate software component vulnerability data from multiple sources and automate the search for FOSS component security vulnerabilities.

❌ Databases of known FOSS software vulnerabilities are mostly proprietary and privately maintained, so identifying vulnerable components is hindered by data structures and tools that are:

  • Designed for proprietary software components,
  • Not comprehensive, and
  • Dependent on voluntary submissions to the National Vulnerability Database.

 The explosion of FOSS usage across industries requires a new approach to efficiently identify FOSS security vulnerabilities, based on open data and FOSS tools.

The benefit: improved security of software applications with open tools and data for everyone.

See detailed information<br/ >on vulnerability data with
reference IDs and URLs

Aggregate vulnerability data across data sources

Includes security advisories published by Linux and BSD distributions, application software package managers and package repositories, FOSS projects, GitHub and more

 Focused on specific ecosystems, but aggregated in a single database to query a richer graph of relations between multiple versions of a package

 Specificity increases the accuracy and validity of the data as the same version of an upstream package across different ecosystems may or may not be vulnerable to the same vulnerability

 Supports decentralized data re-creation, using tools that can detect and report FOSS packages using a package-url

Organize data with a standardized package identifier

 Use a package-url (purl) to reliably identify, locate, and provision software packages across different tools, programming languages, package managers, packaging conventions, APIs, and databases

 Replaces the complexity of differing conventions and protocols for each individual package manager, platform, type, and ecosystem with universal and uniform approach

Adopted by OWASP, ORT, CycloneDX, SPDX, ScanCode and more (and under consideration by the US NTIA as CPE replacement)

Quickly identify packages
with known vulnerabilities

Automate identifying FOSS security vulnerabilities

 Leverage any tool that can detect and report FOSS packages using a package-url

  • ScanCode Toolkit scans package manifest files
  • DejaCode automatically checks all product package for vulnerabilities
  • Other options include ORT, OWASP tools, and many more

 Actively developing a prototype discovery of new correlations between vulnerabilities and software packages from mining the graph

AboutCode is a community that builds critical open source SCA tools, including VulnerableCode.

scancode-licensedb is a data repository of over 1700 licenses detected by ScanCode

package-url is the emerging standard for identifying software packages

container-inspector is a suite of analysis tools for Docker images, OCI images and Dockerfiles

license_expression is a utility to parse, normalize and compare license expressions (SPDX)

The fastest way to see VulnerableCode in action is to sign for a free DejaCode account. DejaCode is the complete enterprise-level open source license compliance application, powered by ScanCode:

Run scans and track all the open source and third-party products and components used in your software.

Define usage policies at the license or component level, and integrate into ScanCode to ensure compliance.

Capture software inventories (SBOMs), generate compliance artifacts, and keep historical data.

Manage organizational complexity with enterprise-grade features and integrations for DevOps and software systems.

Automate vulnerability reporting, and ensure license compliance
with DejaCode.

Ensuring software license compliance can be difficult.

We can help.

Ready to start scanning your code?

Need to automate FOSS compliance?