
Find FOSS vulnerabilities, improve FOSS security.

VulnerableCode is a FOSS tool to automate the search for FOSS security vulnerabilities.

By collecting and parsing data from many sources, identifying packages with a standardized package-url (purl), and exposing the data through a REST API, VulnerableCode addresses key security concerns for using FOSS code in modern applications.

VulnerableCode is a free and open vulnerabilities database for FOSS data.

❌ Databases of known FOSS software vulnerabilities are mostly proprietary and privately maintained, so identifying vulnerable components is hindered by data structures and tools that are:

  • Designed for proprietary software components,
  • Not comprehensive, and
  • Dependent on voluntary submissions to the National Vulnerability Database.

The explosion of FOSS usage across industries requires a new approach to efficiently identify FOSS security vulnerabilities, based on open data and FOSS tools.

With VulnerableCode, we are building FOSS tools to aggregate, correlate, and curate software component vulnerability data from multiple sources and automate the search for FOSS component security vulnerabilities.

The benefit: improved security of software applications with open tools and data for everyone.

Aggregate vulnerability data across data sources

Includes security advisories published by Linux and BSD distributions, application software package managers and package repositories, FOSS projects, GitHub and more

Each source is focused on a specific ecosystem, but all are aggregated in a single database so you can query a richer graph of relations between the multiple incarnations of a package

Specificity increases the accuracy and validity of the data: the same upstream version of a package may or may not be vulnerable to the same vulnerability in different ecosystems (for example, a distribution may backport a fix without changing the upstream version number)

Supports decentralized data re-creation, using tools that can detect and report FOSS packages using a package-url

Organize data with a standardized package identifier

Use a package-url (purl) to reliably identify, locate, and provision software packages across different tools, programming languages, package managers, packaging conventions, APIs, and databases

Replaces the complexity of differing conventions and protocols for each individual package manager, platform, type, and ecosystem with a universal and uniform approach

Adopted by OWASP, ORT, CycloneDX, SPDX, ScanCode and more (and under consideration by the US NTIA as a CPE replacement)
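To make the two points above concrete (a purl as a uniform package identifier, and ecosystem specificity deciding whether a given version is affected), here is an added example in Python. It is not VulnerableCode's own code: it parses purl strings following the public purl spec (type, namespace, name, version, qualifiers, subpath, with the spec's per-type name normalization for a few types) and looks packages up in a small advisory table that is constructed for illustration. The advisory identifiers and package names in the table are placeholders, not real vulnerabilities, and the table lists affected versions explicitly where a real database would use version ranges.

```python
"""Parse package-url (purl) strings and look packages up in a constructed
in-memory advisory table keyed by the purl's type/namespace/name.
Added example; not VulnerableCode's own code or data."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import unquote


@dataclass
class PackageURL:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: dict = field(default_factory=dict)
    subpath: Optional[str] = None

    @property
    def key(self) -> tuple:
        """Identity of a package *within its ecosystem*. The type and namespace
        are part of the key on purpose: the same upstream name in PyPI and in
        Debian is two different packages with possibly different patch state."""
        return (self.type, self.namespace, self.name)


def _rsplit_once(s: str, sep: str) -> tuple:
    """Split from the right on sep; return (s, '') when sep is absent."""
    head, found, tail = s.rpartition(sep)
    return (head, tail) if found else (s, "")


def _normalize_name(ptype: str, name: str) -> str:
    """Per-type name rules from the purl spec (only a few types shown here)."""
    if ptype == "pypi":                      # PyPI: case-insensitive, '_' == '-'
        return name.lower().replace("_", "-")
    if ptype in ("github", "bitbucket"):     # these namespaces/names are lowercased
        return name.lower()
    return name


def parse_purl(purl: str) -> PackageURL:
    s = purl.strip()
    if not s.startswith("pkg:"):
        raise ValueError(f"not a purl (missing 'pkg:' scheme): {purl!r}")
    s = s[len("pkg:"):]
    s, subpath = _rsplit_once(s, "#")        # subpath comes after '#'
    s, qualifiers_str = _rsplit_once(s, "?") # qualifiers come after '?'
    s = s.lstrip("/")                        # 'pkg://type/...' is tolerated
    s, version = _rsplit_once(s, "@")        # version after the last '@'
    ptype, _, rest = s.partition("/")
    ptype = ptype.lower()                    # the type is case-insensitive
    segments = [unquote(seg) for seg in rest.split("/") if seg]
    if not ptype or not segments:
        raise ValueError(f"purl needs a type and a name: {purl!r}")
    name = _normalize_name(ptype, segments[-1])
    namespace = "/".join(segments[:-1]) or None
    if ptype in ("github", "bitbucket") and namespace:
        namespace = namespace.lower()
    qualifiers = {}
    for pair in filter(None, qualifiers_str.split("&")):
        k, _, v = pair.partition("=")
        if v:                                # a qualifier with an empty value is dropped
            qualifiers[k.lower()] = unquote(v)
    clean_subpath = "/".join(
        seg for seg in (unquote(p) for p in subpath.split("/"))
        if seg not in ("", ".", "..")) or None
    return PackageURL(ptype, namespace, name, unquote(version) or None,
                      qualifiers, clean_subpath)


# Constructed sample advisory data (placeholders, not real vulnerabilities).
# Debian is assumed to have backported the fix in revision 1.0.0-2, so the
# same upstream version 1.0.0 is affected on PyPI but not in Debian's 1.0.0-2.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "pkg:pypi/example-lib",
     "affected": {"1.0.0", "1.0.1"}, "fixed": "1.0.2"},
    {"id": "EXAMPLE-0001", "package": "pkg:deb/debian/python3-example-lib",
     "affected": {"1.0.0-1"}, "fixed": "1.0.0-2"},
]


def build_index(advisories) -> dict:
    """Group advisories by ecosystem-specific package key."""
    index = {}
    for adv in advisories:
        index.setdefault(parse_purl(adv["package"]).key, []).append(adv)
    return index


def find_vulnerabilities(purl: str, advisories=ADVISORIES) -> list:
    """Return sorted advisory ids whose affected set contains this exact version."""
    p = parse_purl(purl)
    hits = [adv["id"] for adv in build_index(advisories).get(p.key, [])
            if p.version in adv["affected"]]
    return sorted(set(hits))


if __name__ == "__main__":
    for purl in ("pkg:pypi/Example_Lib@1.0.0",              # normalized name matches
                 "pkg:deb/debian/python3-example-lib@1.0.0-1",
                 "pkg:deb/debian/python3-example-lib@1.0.0-2",  # backported fix
                 "pkg:npm/example-lib@1.0.0"):               # different ecosystem
        print(purl, "->", find_vulnerabilities(purl))
```

The lookup key is the whole (type, namespace, name) triple rather than the bare name, which is what lets the Debian package and the PyPI package carry different affected sets for the same upstream version; an npm package that happens to share the name gets no hits at all because nothing is known about it, which is the honest answer rather than a false positive.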

Automate identifying FOSS security vulnerabilities

Leverage any tool that can detect and report FOSS packages using a package-url

  • ScanCode Toolkit scans package manifest files
  • DejaCode automatically checks all product packages for vulnerabilities
  • Other options include ORT, OWASP tools, and many more

Actively developing a prototype that discovers new correlations between vulnerabilities and software packages by mining the graph

AboutCode is a community that builds critical open source SCA tools, including VulnerableCode.

scancode-licensedb is a data repository of over 1700 licenses detected by ScanCode

package-url is the emerging standard for identifying software packages

container-inspector is a suite of analysis tools for Docker images, OCI images and Dockerfiles

license_expression is a utility to parse, normalize and compare license expressions (SPDX)

Find open source with open source, with ScanCode.

Scan your codebase directly from the CLI.

Or automate software composition analysis.

ScanCode is the industry-leading code scanning engine, used and trusted by 4 out of the 5 Big Tech companies:

Identify any open source components and their license compliance data in an application codebase.

Generate an inventory of components and their licenses to use as the baseline for your FOSS compliance process.

100% open source under Apache 2.0 and other business-friendly licenses, with support for all programming languages and environments.

To use ScanCode, either download ScanCode Toolkit and add it to your workflow directly or run ScanCode.io to automate the SCA process with comprehensive APIs, and specific (and customizable) pipelines.

DejaCode is the complete enterprise-level open source license compliance application, powered by ScanCode:

Run scans and track all the open source and third-party products and components used in your software.

Define usage policies at the license or component level, and integrate into ScanCode to ensure compliance.

Capture software inventories (SBOMs), generate compliance artifacts, and keep historical data.

Manage organizational complexity with enterprise-grade features and integrations for DevOps and software systems.

Track all components, ensure compliance.

Automate with DejaCode.

Ensuring software license compliance can be difficult.

We can help.

Ready to start scanning your code?

Need to automate FOSS compliance?