Skip to content

aboutcode-org/vulnerablecode

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2,920 Commits
.github/workflows
.github/workflows
 
 
aboutcode
aboutcode
 
 
docs
docs
 
 
etc
etc
 
 
vulnerabilities
vulnerabilities
 
 
vulnerablecode
vulnerablecode
 
 
vulntotal
vulntotal
 
 
.VERSION
.VERSION
 
 
.dockerignore
.dockerignore
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
.readthedocs.yml
.readthedocs.yml
 
 
AUTHORS.rst
AUTHORS.rst
 
 
CHANGELOG.rst
CHANGELOG.rst
 
 
CODE_OF_CONDUCT.rst
CODE_OF_CONDUCT.rst
 
 
Dockerfile
Dockerfile
 
 
MANIFEST.in
MANIFEST.in
 
 
Makefile
Makefile
 
 
NOTICE
NOTICE
 
 
README.rst
README.rst
 
 
SOURCES.rst
SOURCES.rst
 
 
apache-2.0.LICENSE
apache-2.0.LICENSE
 
 
cc-by-sa-4.0.LICENSE
cc-by-sa-4.0.LICENSE
 
 
docker-compose.yml
docker-compose.yml
 
 
docker.env
docker.env
 
 
manage.py
manage.py
 
 
pyproject-aboutcode.federated.toml
pyproject-aboutcode.federated.toml
 
 
pyproject-aboutcode.hashid.toml
pyproject-aboutcode.hashid.toml
 
 
pyproject.toml
pyproject.toml
 
 
requirements.txt
requirements.txt
 
 
setup.cfg
setup.cfg
 
 
setup.py
setup.py
 
 

Repository files navigation

VulnerableCode

VulnerableCode is a database of software package vulnerabilities with Web UI and API.

Why Use VulnerableCode?

VulnerableCode provides a Web UI and API to access a database of known software package vulnerabilities with comprehensive information from upstream and downstream public sources including packages affected by a vulnerability and packages that fix a vulnerability.

There is a public VulnerableCode database and the project also provides the tools to build your own instance of the database.

Getting Started

Instructions to get you up and running on your local machine are at Getting Started

The VulnerableCode documentation also provides:

  • prerequisites for installing the software.
  • an introduction to the user interface.
  • how to use the API.
  • tutorials for adding new pipelines to import and improve advisories.
  • extensive reference information about VulnerableCode data.
  • guidelines for contributing to code development.

Build and tests status

Build Status Code License Data License Python 3.8+ stability-wip Gitter chat

Benefits of VulnerableCode

VulnerableCode is a free and open database of open source software package vulnerabilities because open source software vulnerability data and tools should be free and open source themselves.

  • Vulnerability databases have been traditionally proprietary even though they are mostly about free and open source software.
  • Vulnerability databases also often contain a lot of lesser value data which means a lot of false positive signals that require extensive expert reviews.
  • Vulnerability databases are also mostly about vulnerabilities first and software packages second, making it difficult to find if and when a vulnerability applies to a piece of code. VulnerableCode's focus is on software packages first where a Package URL (PURL) is a key and natural identifier for packages; this makes it easier to find a package and whether it is vulnerable.

PURLs were designed initially for ScanCode and VulnerableCode. PURL is now a standard for vulnerability management and package references.

The VulnerableCode tech stack is Python, Django, PostgreSQL, nginx and Docker and several libraries.

Support

If you have a specific problem, suggestion or bug, please submit a GitHub issue.

For quick questions or socializing, join the AboutCode community discussions on Slack.

Interested in commercial suppport? Contact the AboutCode team.

License

  • Apache-2.0 is the overall license.
  • CC-BY-SA-4.0 applies to reference datasets.
  • There are multiple secondary permissive or copyleft licenses (LGPL, MIT, BSD, GPL 2/3, etc.) for third-party components and test suite code and data.

Acknowledgements, Funding, Support and Sponsoring

This project is funded, supported and sponsored by:

  • Generous support and contributions from users like you!
  • the European Commission NGI programme
  • the NLnet Foundation
  • the Swiss State Secretariat for Education, Research and Innovation (SERI)
  • Google, including the Google Summer of Code and the Google Seasons of Doc programmes
  • Mercedes-Benz Group
  • Microsoft and Microsoft Azure
  • AboutCode ASBL
  • nexB Inc.

Europa logo EC DG Connect logo

NGI logo NLnet foundation logo

AboutCode logo nexB logo

This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.

NGI Zero PET logo https://nlnet.nl/project/VulnerableCode/

This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322.

NGI Discovery logo https://nlnet.nl/project/vulnerabilitydatabase/

This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990.

NGI Zero Core Logo https://nlnet.nl/project/VulnerableCode-enhancements/

This project is funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594.

NGI Zero Entrust logo https://nlnet.nl/project/FederatedSoftwareMetadata/

This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI).

NGI Zero Commons Logo Swiss logo https://nlnet.nl/project/FederatedCodeNext/

This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594.

NGI Zero Entrust logo https://nlnet.nl/project/CRAVEX/

About

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/

public.vulnerablecode.io

Topics

security vulnerability snyk vulnerability-databases vulndb cve cpe nvd vulnerability-detection osv vulnerability-identification vulnerability-scanners cvss security-tools ossindex purl package-url vulnerability-database

Resources

Readme

Security policy

Security policy
Activity
Custom properties

Stars

645 stars

Watchers

19 watching

Forks

276 forks
Report repository

Releases 51

v36.1.3 Latest
Jul 8, 2025
+ 50 releases

Sponsor this project

  •  
Learn more about GitHub Sponsors

Contributors 49
+ 35 contributors

Languages