VulnerableCode is a free and open database of FOSS software package vulnerabilities and the tools to create and keep the data current.
It is made by the FOSS community to improve and secure the open source software ecosystem.
The existing solutions are commercial proprietary vulnerability databases, which in itself does not make sense because the data is about FOSS (Free and Open Source Software).
The National Vulnerability Database which is a primary centralized data source for known vulnerabilities is not particularly well suited to address FOSS security issues because:
- It predates the explosion of FOSS software usage
- It’s data format reflects a commercial vendor-centric point of view in part due to the usage of CPE to map vulnerabilities to existing packages.
- CPEs are just not designed to map FOSS to vulnerabilities owing to their vendor-product centric semantics. This makes it really hard to answer the fundamental questions “Is package foo vulnerable” and “Is package foo vulnerable to vulnerability bar?”