{"id":14263145,"url":"https://github.com/aboutcode-org/vulnerablecode","last_synced_at":"2025-05-14T09:10:16.755Z","repository":{"id":37735526,"uuid":"91780998","full_name":"aboutcode-org/vulnerablecode","owner":"aboutcode-org","description":"A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode  Docs at https://vulnerablecode.readthedocs.org/","archived":false,"fork":false,"pushed_at":"2025-04-04T06:35:28.000Z","size":29704,"stargazers_count":570,"open_issues_count":634,"forks_count":229,"subscribers_count":23,"default_branch":"main","last_synced_at":"2025-04-05T11:01:35.376Z","etag":null,"topics":["cpe","cve","cvss","nvd","ossindex","osv","package-url","purl","security","security-tools","snyk","vulndb","vulnerability","vulnerability-database","vulnerability-databases","vulnerability-detection","vulnerability-identification","vulnerability-scanners"],"latest_commit_sha":null,"homepage":"https://public.vulnerablecode.io","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/aboutcode-org.png","metadata":{"files":{"readme":"README.rst","changelog":"CHANGELOG.rst","contributing":null,"funding":null,"license":null,"code_of_conduct":"CODE_OF_CONDUCT.rst","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS.rst","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-05-19T07:56:17.000Z","updated_at":"2025-04-04T06:35:27.000Z","dependencies_parsed_at":"2023-10-03T10:56:18.385Z","dependency_job_id":"81986b84-1a4a-4e17-922f-688cde68e55c","html_url":"https://github.com/aboutcode-
org/vulnerablecode","commit_stats":{"total_commits":1960,"total_committers":49,"mean_commits":40.0,"dds":0.7673469387755102,"last_synced_commit":"3cee7717864c54c50b865cefc7d6c18d7a8783b7"},"previous_names":["aboutcode-org/vulnerablecode"],"tags_count":55,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aboutcode-org%2Fvulnerablecode","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aboutcode-org%2Fvulnerablecode/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aboutcode-org%2Fvulnerablecode/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/aboutcode-org%2Fvulnerablecode/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/aboutcode-org","download_url":"https://codeload.github.com/aboutcode-org/vulnerablecode/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248045245,"owners_count":21038554,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cpe","cve","cvss","nvd","ossindex","osv","package-url","purl","security","security-tools","snyk","vulndb","vulnerability","vulnerability-database","vulnerability-databases","vulnerability-detection","vulnerability-identification","vulnerability-scanners"],"created_at":"2024-08-22T13:02:17.389Z","updated_at":"2025-04-12T13:24:28.611Z","avatar_url":"https://github.com/aboutcode-org.png","language":"Python","readme":"===============\nVulnerableCode\n===============\n\n|Build Status| |Code License| 
|Data License| |Python 3.8+| |stability-wip| |Gitter chat|\n\n\n.. |Build Status| image:: https://github.com/nexB/vulnerablecode/actions/workflows/main.yml/badge.svg?branch=main\n   :target: https://github.com/nexB/vulnerablecode/actions?query=workflow%3ACI\n.. |Code License| image:: https://img.shields.io/badge/Code%20License-Apache--2.0-green.svg\n   :target: https://opensource.org/licenses/Apache-2.0\n.. |Data License| image:: https://img.shields.io/badge/Data%20License-CC--BY--SA--4.0-green.svg\n   :target: https://creativecommons.org/licenses/by-sa/4.0/legalcode \n.. |Python 3.8+| image:: https://img.shields.io/badge/python-3.8+-green.svg\n   :target: https://www.python.org/downloads/release/python-380/\n.. |stability-wip| image:: https://img.shields.io/badge/stability-work_in_progress-lightgrey.svg\n.. |Gitter chat| image:: https://badges.gitter.im/gitterHQ/gitter.png\n   :target: https://gitter.im/aboutcode-org/vulnerablecode\n\n\nVulnerableCode is a free and open database of open source software package\nvulnerabilities, **because open source software vulnerability data and tools\nshould be free and open source themselves**.\n\nWe are also trying to change and evolve the status quo in a few other areas:\n\n- Vulnerability databases have been **traditionally proprietary** even though they\n  are mostly about free and open source software.\n\n- Vulnerability databases also often contain a lot of lower-value data, which\n  means a lot of false positive signals that require extensive expert review.\n\n- Vulnerability databases are also mostly about vulnerabilities first and software\n  packages second, making it difficult to find if and when a vulnerability applies\n  to a piece of code. 
VulnerableCode's focus is on software packages first, where\n  the Package URL is the key and natural identifier for a package; this makes it\n  easier to find a package and determine whether it is vulnerable.\n\nPackage URLs themselves were designed first in ScanCode and VulnerableCode\nand are now a de facto standard for vulnerability management and package references.\nSee https://github.com/package-url/purl-spec\n\nThe VulnerableCode project is a FOSS community resource to help improve the\nsecurity of the open source software ecosystem and its users at large.\n\nVulnerableCode consists of a database and the tools to collect, refine and keep\nthe database current.\n\n\n.. pull-quote::\n   **Warning**\n\n   VulnerableCode is under active development and is not yet fully\n   usable.\n\n\nRead more about VulnerableCode at https://vulnerablecode.readthedocs.org/\n\nThe VulnerableCode tech stack is Python, Django, PostgreSQL, nginx and Docker, plus\nseveral libraries.\n\n\nGetting started\n===============\n\nRun with Docker\n---------------\n\nFirst install Docker, then run:\n\n.. code:: bash\n\n    git clone https://github.com/nexB/vulnerablecode.git \u0026\u0026 cd vulnerablecode\n    make envfile\n    docker compose build\n    docker compose up -d\n    docker compose run vulnerablecode ./manage.py import --list\n\nThen run an importer for nginx advisories (which is a small data set):\n\n.. code:: bash\n\n    docker compose exec vulnerablecode ./manage.py import nginx_importer\n    docker compose exec vulnerablecode ./manage.py improve --all\n\nAt this point, the VulnerableCode app and API should be up and running with\nsome data at http://localhost\n\n\nPopulate VulnerableCode database\n--------------------------------\n\nVulnerableCode data collection works in two steps: importing data from multiple\nsources, and then refining and improving how packages and software vulnerabilities\nare related.\n\nTo run all importers and improvers, use:\n\n.. code:: bash\n\n   ./manage.py import --all\n\n.. 
code:: bash\n\n   ./manage.py improve --all\n\n\nLocal development installation\n------------------------------\n\nOn a Debian system, use this:\n\n.. code:: bash\n\n    sudo apt-get install python3-venv python3-dev postgresql libpq-dev build-essential\n    git clone https://github.com/nexB/vulnerablecode.git \u0026\u0026 cd vulnerablecode\n    make dev envfile postgres\n    make test\n    source venv/bin/activate\n    ./manage.py import nginx_importer\n    ./manage.py improve --all\n    make run\n\nAt this point, the VulnerableCode app and API are up at http://127.0.0.1:8001/\n\n\nLicense\n========\n\nCopyright (c) nexB Inc. and others. All rights reserved.\n\nVulnerableCode is a trademark of nexB Inc.\n\nSPDX-License-Identifier: Apache-2.0 AND CC-BY-SA-4.0\n\nVulnerableCode software is licensed under the Apache License version 2.0.\n\nVulnerableCode data is licensed collectively under CC-BY-SA-4.0.\n\nSee https://www.apache.org/licenses/LICENSE-2.0 for the license text.\n\nSee https://creativecommons.org/licenses/by-sa/4.0/legalcode for the license text.\n\nSee https://github.com/nexB/vulnerablecode for support or download.\n\nSee https://aboutcode.org for more information about nexB OSS projects.\n\n\nAcknowledgements, Funding, Support and Sponsoring\n=================================================\n\nThis project is funded, supported and sponsored by:\n\n- Generous support and contributions from users like you!\n- the European Commission NGI programme\n- the NLnet Foundation\n- the Swiss State Secretariat for Education, Research and Innovation (SERI)\n- Google, including the Google Summer of Code and the Google Seasons of Doc programmes\n- Mercedes-Benz Group\n- Microsoft and Microsoft Azure\n- AboutCode ASBL\n- nexB Inc. 
\n\n\n\n|europa|   |dgconnect| \n\n|ngi|   |nlnet|   \n\n|aboutcode|  |nexb|\n\n\n\nThis project was funded through the NGI0 PET Fund, a fund established by NLnet with financial\nsupport from the European Commission's Next Generation Internet programme, under the aegis of DG\nCommunications Networks, Content and Technology under grant agreement No 825310.\n\n|ngizeropet|  https://nlnet.nl/project/VulnerableCode/\n\n\nThis project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial\nsupport from the European Commission's Next Generation Internet programme, under the aegis of DG\nCommunications Networks, Content and Technology under grant agreement No 825322.\n\n|ngidiscovery| https://nlnet.nl/project/vulnerabilitydatabase/\n\n\nThis project was funded through the NGI0 Core Fund, a fund established by NLnet with financial\nsupport from the European Commission's Next Generation Internet programme, under the aegis of DG\nCommunications Networks, Content and Technology under grant agreement No 101092990.\n\n|ngizerocore| https://nlnet.nl/project/VulnerableCode-enhancements/\n\n\nThis project is funded through the NGI0 Entrust Fund, a fund established by NLnet with financial\nsupport from the European Commission's Next Generation Internet programme, under the aegis of DG\nCommunications Networks, Content and Technology under grant agreement No 101069594.\n\n|ngizeroentrust| https://nlnet.nl/project/FederatedSoftwareMetadata/\n\n\nThis project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial\nsupport from the European Commission's Next Generation Internet programme, under the aegis of DG\nCommunications Networks, Content and Technology under grant agreement No 101135429. Additional\nfunding is made available by the Swiss State Secretariat for Education, Research and Innovation\n(SERI). 
\n\n|ngizerocommons| |swiss| https://nlnet.nl/project/FederatedCodeNext/\n\nThis project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial\nsupport from the European Commission's Next Generation Internet programme, under the aegis of DG\nCommunications Networks, Content and Technology under grant agreement No 101069594. \n\n|ngizeroentrust| https://nlnet.nl/project/CRAVEX/\n\n\n\n.. |nlnet| image:: https://nlnet.nl/logo/banner.png\n    :target: https://nlnet.nl\n    :height: 50\n    :alt: NLnet foundation logo\n\n.. |ngi| image:: https://ngi.eu/wp-content/uploads/thegem-logos/logo_8269bc6efcf731d34b6385775d76511d_1x.png\n    :target: https://ngi.eu35\n    :height: 50\n    :alt: NGI logo\n\n.. |nexb| image:: https://nexb.com/wp-content/uploads/2022/04/nexB.svg\n    :target: https://nexb.com\n    :height: 30\n    :alt: nexB logo\n\n.. |europa| image:: https://ngi.eu/wp-content/uploads/sites/77/2017/10/bandiera_stelle.png\n    :target: http://ec.europa.eu/index_en.htm\n    :height: 40\n    :alt: Europa logo\n\n.. |aboutcode| image:: https://aboutcode.org/wp-content/uploads/2023/10/AboutCode.svg\n    :target: https://aboutcode.org/\n    :height: 30\n    :alt: AboutCode logo\n\n.. |swiss| image:: https://www.sbfi.admin.ch/sbfi/en/_jcr_content/logo/image.imagespooler.png/1493119032540/logo.png\n    :target: https://www.sbfi.admin.ch/sbfi/en/home/seri/seri.html\n    :height: 40\n    :alt: Swiss logo\n\n.. |dgconnect| image:: https://commission.europa.eu/themes/contrib/oe_theme/dist/ec/images/logo/positive/logo-ec--en.svg\n    :target: https://commission.europa.eu/about-european-commission/departments-and-executive-agencies/communications-networks-content-and-technology_en\n    :height: 40\n    :alt: EC DG Connect logo\n\n.. |ngizerocore| image:: https://nlnet.nl/image/logos/NGI0_tag.svg\n    :target: https://nlnet.nl/core\n    :height: 40\n    :alt: NGI Zero Core Logo\n\n.. 
|ngizerocommons| image:: https://nlnet.nl/image/logos/NGI0_tag.svg\n    :target: https://nlnet.nl/commonsfund/\n    :height: 40\n    :alt: NGI Zero Commons Logo\n\n.. |ngizeropet| image:: https://nlnet.nl/image/logos/NGI0PET_tag.svg\n    :target: https://nlnet.nl/PET\n    :height: 40\n    :alt: NGI Zero PET logo\n\n.. |ngizeroentrust| image:: https://nlnet.nl/image/logos/NGI0Entrust_tag.svg\n    :target: https://nlnet.nl/entrust\n    :height: 38\n    :alt: NGI Zero Entrust logo\n\n.. |ngiassure| image:: https://nlnet.nl/image/logos/NGIAssure_tag.svg\n    :target: https://nlnet.nl/image/logos/NGIAssure_tag.svg\n    :height: 32\n    :alt: NGI Assure logo\n\n.. |ngidiscovery| image:: https://nlnet.nl/image/logos/NGI0Discovery_tag.svg\n    :target: https://nlnet.nl/discovery/\n    :height: 40\n    :alt: NGI Discovery logo\n","funding_links":[],"categories":["Python"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faboutcode-org%2Fvulnerablecode","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faboutcode-org%2Fvulnerablecode","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faboutcode-org%2Fvulnerablecode/lists"}
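The README embedded above explains that VulnerableCode is "package first", with the Package URL (purl) as the key identifier used to find a package and check whether it is vulnerable. The following is an added example, not VulnerableCode's own code and not taken from the record above: a purl parser written against the purl spec the README links to (https://github.com/package-url/purl-spec), used to do a package-first lookup against a small in-memory index. The `SAMPLE_INDEX` data and the `SAMPLE-ADV-*` identifiers are constructed for illustration and are not real advisories; the function names are assumptions, not VulnerableCode's API.

```python
"""Parse Package URLs (purls) and use them as package-first lookup keys.

Added example, not VulnerableCode's own code. It follows the Package URL spec,
whose canonical form is ``pkg:type/namespace/name@version?qualifiers#subpath``.
The index at the bottom is constructed sample data, not real advisory data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote, unquote


@dataclass
class PackageURL:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None

    def to_string(self) -> str:
        """Serialise back to canonical purl form, percent-encoding each component."""
        out = "pkg:" + self.type + "/"
        if self.namespace:
            out += "/".join(quote(s, safe="") for s in self.namespace.split("/")) + "/"
        out += quote(self.name, safe="")
        if self.version:
            out += "@" + quote(self.version, safe="")
        if self.qualifiers:
            pairs = sorted(self.qualifiers.items())
            out += "?" + "&".join(f"{k}={quote(v, safe=':/')}" for k, v in pairs)
        if self.subpath:
            out += "#" + "/".join(quote(s, safe="") for s in self.subpath.split("/"))
        return out


def _split_right(s: str, sep: str) -> Tuple[str, Optional[str]]:
    """Split once from the right. The spec orders the splits so that
    percent-encoded separators inside components are never taken as delimiters."""
    if sep not in s:
        return s, None
    head, _, tail = s.rpartition(sep)
    return head, tail


def parse_purl(purl: str) -> PackageURL:
    """Decode in spec order: subpath, qualifiers, scheme, version, type, namespace/name."""
    remainder, subpath = _split_right(purl, "#")
    if subpath is not None:
        # Drop empty, '.' and '..' segments, then percent-decode each one
        segs = [unquote(p) for p in subpath.split("/") if p not in ("", ".", "..")]
        subpath = "/".join(segs) or None

    remainder, qualifier_str = _split_right(remainder, "?")
    qualifiers: Dict[str, str] = {}
    if qualifier_str:
        for pair in qualifier_str.split("&"):
            key, _, value = pair.partition("=")
            if key and value:  # a qualifier with an empty value is treated as absent
                qualifiers[key.lower()] = unquote(value)

    scheme, _, remainder = remainder.partition(":")
    if scheme != "pkg":
        raise ValueError(f"purl must start with 'pkg:', got {purl!r}")
    remainder = remainder.lstrip("/")  # 'pkg://type/...' is tolerated by the spec

    remainder, version = _split_right(remainder, "@")
    if version is not None:
        version = unquote(version) or None

    ptype, _, path = remainder.partition("/")
    ptype = ptype.lower()
    if not ptype or not path.strip("/"):
        raise ValueError(f"purl needs both a type and a name: {purl!r}")
    segs = [unquote(p) for p in path.split("/") if p]
    name, namespace = segs[-1], "/".join(segs[:-1]) or None

    # Type-specific normalisation rules from the spec for two common types
    if ptype == "pypi":
        name = name.lower().replace("_", "-")
    elif ptype in ("github", "bitbucket"):
        name = name.lower()
        namespace = namespace.lower() if namespace else None
    return PackageURL(ptype, name, namespace, version, qualifiers, subpath)


# Constructed sample index keyed by (type, namespace, name): not real advisories
SAMPLE_INDEX: Dict[Tuple[str, Optional[str], str], Dict[str, List[str]]] = {
    ("npm", "@angular", "animation"): {"12.3.1": ["SAMPLE-ADV-1"]},
    ("pypi", None, "django"): {"1.11.1": ["SAMPLE-ADV-2"], "1.11.2": ["SAMPLE-ADV-3"]},
}


def package_key(purl: PackageURL) -> Tuple[str, Optional[str], str]:
    """The version-less part of a purl identifies the package itself."""
    return (purl.type, purl.namespace, purl.name)


def find_vulnerabilities(purl: str, index=SAMPLE_INDEX) -> List[str]:
    """Package-first lookup: resolve the package by its purl key, then the version.
    Without a version, report advisories for every known vulnerable version."""
    parsed = parse_purl(purl)
    by_version = index.get(package_key(parsed), {})
    if parsed.version is None:
        return sorted({adv for advs in by_version.values() for adv in advs})
    return list(by_version.get(parsed.version, []))


if __name__ == "__main__":
    for p in ("pkg:npm/%40angular/animation@12.3.1", "pkg:pypi/Django@1.11.1",
              "pkg:pypi/django", "pkg:maven/org.apache.commons/io@1.3.4"):
        print(p, "->", find_vulnerabilities(p))
```

The split order matters: the `@` in an npm scope is percent-encoded as `%40` and is only decoded after the version has been split off, so a scoped package is never mistaken for a versioned one. Normalising `Django` to `django` before building the key is what lets a lookup written by hand match a record an importer stored in canonical form.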