vulnerablecode icon indicating copy to clipboard operation
vulnerablecode copied to clipboard

verified publisher icon nexB

Metadata

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase...

Results 574 vulnerablecode issues
Sort by recently updated
recently updated
newest added

Review how we create PURL namespaces in the GitHhub importer

The code at https://github.com/nexB/vulnerablecode/blob/3b3ea6d3e3a64a8504733c9fe5298f8d4734993b/vulnerabilities/importers/github.py#L116 needs some love. 1. npm has a namespace. 2. we should avoid if possible to single out a list of package type 3. golang may have...

pombredanne avatar pombredanne

Include commits and patches that fix a vulnerability

9 comment

The commit that **fixed** the vulnerability should also be included in the information provided. Anything that can lead to a [diff](https://git-scm.com/docs/git-diff) is valuable. This includes links to commits, pull requests...

elanzini avatar elanzini

feature
Priority: medium
Core models

Add advisory quality scoring to VCIO

3 comment

We need a way to score the reliability of advisories, since multiple advisories for the same vulnerability may differ in significant details. First step is to identify the scoring criteria,...

TG1999 avatar TG1999

enhancement
difficulty: intermediate
data-quality
next

Some Reference URLs comprise a pair of near-duplicates

Here's an example I retrieved from a VCIO UI query for `VCID-rxj4-rqm2-aaaf` (https://public.vulnerablecode.io/vulnerabilities/VCID-rxj4-rqm2-aaaf?search=VCID-rxj4-rqm2-aaaf) where the only difference is the presence or not of a trailing `/`: ![image](https://github.com/nexB/vulnerablecode/assets/11096678/b416d340-3bff-4c2e-865e-89bb6624c202)

johnmhoran avatar johnmhoran

ui
data-quality

Add Temurin OpenJDK vulnerability data

Temurin/Adoptium release notes document CVEs fixed per release. Some examples are: - https://adoptium.net/blog/2024/01/eclipse-temurin-8u402-11022-1710-and-2102-available/ - https://adoptium.net/blog/2023/08/eclipse-temurin-8u382-11020-1708-and-2002-available/ I could not find a list of "open" vulnerabilities

mjherzog avatar mjherzog

Data collection

Collect OpenJDK advisories

1 comment

https://openjdk.org/groups/vulnerability/advisories/

pombredanne avatar pombredanne

Collect data from https://www.eclipse.org/security/known.php and https://www.eclipse.org/security/

See also https://www.eclipse.org/security/known/

pombredanne avatar pombredanne

Report vulnerabilities associated with an SBOM/PURL inventory

We've developed a private script that takes an SBOM/PURL inventory as input, vets the PURLs with the VulnerableCode DB, and outputs a vulnerability report as a `.xlsx` file. We plan...

johnmhoran avatar johnmhoran

enhancement
Data collection

Some fixed-by version data is incorrect and needs to be investigated

4 comment

While @pombredanne and I were reviewing the VCIO UI, it became clear that some of the data displayed in the `Fixed by packages` tab of the `Vulnerability details` page --...

johnmhoran avatar johnmhoran

Data collection
ui
data-quality
next

Vulnerability 'summary' field is neither consistent nor complete

8 comment

I noticed recently when working with a range of PURLs and vulnerabilities that: - the content of the VCIO UI `summary` field (afaict this applies equally to the API responses)...

johnmhoran avatar johnmhoran

enhancement
Data collection
API
ui
data-quality

Metadata

478
Stars
181
Forks
Watchers

Owner

verified publisher icon nexB

Metadata

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase...

Back