Git Product home page Git Product logo

simardeepsingh-zsh / vulnerablecode Goto Github PK

View Code? Open in Web Editor NEW

This project forked from nexb/vulnerablecode

0.0 0.0 0.0 27.11 MB

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/

Home Page: https://public.vulnerablecode.io

License: Apache License 2.0

Shell 0.13% JavaScript 0.07% Python 52.59% CSS 5.30% Nix 0.27% Makefile 0.26% HTML 41.34% Dockerfile 0.04%

vulnerablecode's Introduction

VulnerableCode

Build Status Code License Data License Python 3.8+ stability-wip Gitter chat

VulnerableCode is a free and open database of open source software package vulnerabilities because open source software vulnerabilities data and tools should be free and open source themselves:

we are trying to change this and evolve the status quo in a few other areas!

  • Vulnerability databases have been traditionally proprietary even though they are mostly about free and open source software.
  • Vulnerability databases also often contain a lot of lesser value data which means a lot of false positive signals that require extensive expert reviews.
  • Vulnerability databases are also mostly about vulnerabilities first and software package second, making it difficult to find if and when a vulnerability applies to a piece of code. VulnerableCode focus is on software package first where a Package URL is a key and natural identifier for packages; this is making it easier to find a package and whether it is vulnerable.

Package URL themselves were designed first in ScanCode and VulnerableCode and are now a de-facto standard for vulnerability management and package references.

See https://github.com/package-url/purl-spec

The VulnerableCode project is a FOSS community resource to help improve the security of the open source software ecosystem and its users at large.

VulnerableCode consists of a database and the tools to collect, refine and keep the database current.

Warning

VulnerableCode is under active development and is not yet fully usable.

Read more about VulnerableCode https://vulnerablecode.readthedocs.org/

VulnerableCode is financially supported by NLnet, nexB, Google (through the GSoC) and the active contributions of several volunteers.

VulnerableCode tech stack is Python, Django, PostgreSQL, nginx and Docker and several libraries.

Getting started

Run with Docker

First install docker and docker-compose, then run:

git clone https://github.com/nexB/vulnerablecode.git && cd vulnerablecode
make envfile
docker-compose build
docker-compose up -d
docker-compose run vulnerablecode ./manage.py import --list

Then run an importer for nginx advisories (which is small):

docker-compose exec vulnerablecode ./manage.py import vulnerabilities.importers.nginx.NginxImporter
docker-compose exec vulnerablecode ./manage.py improve --all

At this point, the VulnerableCode app and API should be up and running with some data at http://localhost

Populate VulnerableCode database

VulnerableCode data collection works in two steps: importing data from multiple sources and then refining and improving how package and software vulnerabilities are related.

To run all importers and improvers use this:

./manage.py import --all
./manage.py improve --all

Local development installation

On a Debian system, use this:

sudo apt-get install  python3-venv python3-dev postgresql libpq-dev build-essential
git clone https://github.com/nexB/vulnerablecode.git && cd vulnerablecode
make dev envfile postgres
make test
source venv/bin/activate
./manage.py import vulnerabilities.importers.nginx.NginxImporter
./manage.py improve --all
make run

At this point, the VulnerableCode app and API is up at http://127.0.0.1:8001/

Interface

VulnerableCode comes with a minimal web UI:

image

And a JSON API and its minimal web documentation:

image

image

License

Copyright (c) nexB Inc. and others. All rights reserved.

VulnerableCode is a trademark of nexB Inc.

SPDX-License-Identifier: Apache-2.0 AND CC-BY-SA-4.0

VulnerableCode software is licensed under the Apache License version 2.0.

VulnerableCode data is licensed collectively under CC-BY-SA-4.0.

See https://www.apache.org/licenses/LICENSE-2.0 for the license text.

See https://creativecommons.org/licenses/by-sa/4.0/legalcode for the license text.

See https://github.com/nexB/vulnerablecode for support or download.

See https://aboutcode.org for more information about nexB OSS projects.

Acknowledgements

This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.

https://nlnet.nl/project/VulnerableCode/

This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322.

https://nlnet.nl/project/vulnerabilitydatabase/

vulnerablecode's People

Contributors

sbs2001 avatar pombredanne avatar tg1999 avatar hritik14 avatar kartiksibal avatar johnmhoran avatar haikoschol avatar keshav-space avatar tdruez avatar rolfschr avatar dependabot[bot] avatar ziadhany avatar tushar912 avatar pushpit07 avatar singh1114 avatar tardyp avatar eslamhiko avatar armijnhemel avatar ayansinhamahapatra avatar lohani2280 avatar shravankshenoy avatar sify21 avatar udaykor avatar mjherzog avatar amitgupta7580 avatar savish28 avatar elanzini avatar aydinnyunus avatar yilmi avatar rabajaj0509 avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.