Fetch data from VulnerableCode #98

Open
pombredanne opened this issue Dec 3, 2022 · 2 comments
@djschleen @juliojimenez This may be of interest to you guys: I have just launched https://public.vulnerablecode.io/

VulnerableCode is an open source vulnerability database (code at https://github.com/nexb/vulnerablecode ) that is keyed by package-url/purl like OSSindex (which has also adopted the purl spec that I created originally for ScanCode and VulnerableCode). It is the only open source code and open data correlated and aggregated vulnerability database I know of. Some of its code is reused by Google OSV.

You can run a full instance of VulnerableCode independently or use the public service as you prefer. We provide seed data to speed up offline install and usage. And we started to publish a new mapping of legacy CPE to purl at https://github.com/nexB/vulnerablecode-purl2cpe

It has a new, experimental vulntotal tool: aboutcode-org/vulnerablecode#801 ... like virustotal but for vulnerability database comparison. It can compare the results of a purl query to VulnerableCode, OSSIndex, Snyk, Google, OSV, GitHub and GitLab at once and tells you which DB reports which vulnerability or not, which is pretty interesting.
Like a live benchmark.
So far, VulnerableCode is not doing too bad and is holding its own against the proprietary databases! Because of the terms of service of each of these proprietary databases, the tool is not hostable centrally and you need to run the CLI locally. The input is a purl.

In addition, purldb is a new companion database of all the purls at https://github.com/nexB/purldb/ that can come in handy for lookup and validation.

Both are extensively based on and use package-url/purl (I created and co-lead https://github.com/package-url/purl-spec and libraries FWIW).

So in a nutshell, these goodies may be of some interest for you to check out. And if you find them not too shabby, and you care to reuse some of them, ping me if I can help you out and I will.
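As an added example that is not part of the original issue: a purl-keyed lookup only makes sense if the purl handed to it is parsed and normalized the way purl-spec requires, and a vulntotal-style comparison is just a matrix of which database reported which id. The parser below implements the purl grammar with a subset of the spec's per-type normalization rules (pypi and github); the database names and vulnerability ids in the sample are constructed, not real advisories.

```python
from urllib.parse import unquote

def parse_purl(purl: str) -> dict:
    """Split a purl (pkg:type/namespace/name@version?qualifiers#subpath) into
    its components, decoding percent-encoding and applying a subset of the
    purl-spec normalization rules; absent components come back as None."""
    if not purl.startswith("pkg:"):
        raise ValueError("purl must start with the 'pkg:' scheme")
    rest = purl[len("pkg:"):].lstrip("/")       # 'pkg://' form is tolerated
    # Peel the optional parts off the right end: subpath, qualifiers, version.
    rest, _, subpath = rest.partition("#")
    rest, _, qualifiers = rest.partition("?")
    if "@" in rest:
        rest, _, version = rest.rpartition("@")
    else:
        version = ""
    type_, _, path = rest.partition("/")
    segments = [unquote(s) for s in path.strip("/").split("/") if s]
    if not type_ or not segments:
        raise ValueError("purl needs at least a type and a name")
    type_ = type_.lower()                        # type is case-insensitive
    name, namespace = segments[-1], "/".join(segments[:-1]) or None
    if type_ == "pypi":                          # pypi: lowercase, '_' becomes '-'
        name = name.lower().replace("_", "-")
    elif type_ == "github":                      # github: owner and repo lowercase
        name = name.lower()
        namespace = namespace.lower() if namespace else None
    quals = {}
    for pair in qualifiers.split("&") if qualifiers else []:
        key, _, value = pair.partition("=")
        if value:                                # empty value == qualifier absent
            quals[key.lower()] = unquote(value)
    parts = [unquote(p) for p in subpath.strip("/").split("/")]
    sub = "/".join(p for p in parts if p not in ("", ".", ".."))
    return {"type": type_, "namespace": namespace, "name": name,
            "version": unquote(version) or None, "qualifiers": quals,
            "subpath": sub or None}

def compare_reports(reports: dict) -> dict:
    """vulntotal-style view: given {db_name: {vuln_id, ...}} for one purl,
    return {vuln_id: {db_name: reported?}} so disagreements stand out."""
    all_ids = set().union(*reports.values()) if reports else set()
    return {vid: {db: vid in ids for db, ids in reports.items()} for vid in sorted(all_ids)}

if __name__ == "__main__":
    print(parse_purl("pkg:pypi/Some_Package@1.2.0"))
    # Constructed sample results; the ids are placeholders, not real advisories.
    sample = {"vulnerablecode": {"VCID-aaaa", "VCID-bbbb"}, "osv": {"VCID-aaaa"}, "ghsa": set()}
    for vid, row in compare_reports(sample).items():
        print(vid, row)
```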

djschleen commented Dec 4, 2022

Oh yes! @juliojimenez and I were tracking your project and we'll definitely hook this up!

We have an open issue to support air-gapped environments and this could help with that.

@djschleen djschleen self-assigned this Dec 4, 2022
@djschleen djschleen added the enhancement New feature or request label Dec 4, 2022
@djschleen
@pombredanne Just letting you know this is still on our radar :)
