CRAVEX
Cyber Resilience Application for Vulnerability Exploitability Exchange
There is no free and open source vulnerability exploitability management application centered on software packages. Vulnerability management applications traditionally serve the needs of security teams first. There is a fundamental disconnect between the package-centric mindset of a developer and the vulnerability-centric mindset of a security analyst.
Developers need modern tools to manage, triage, rate, review, and determine the exploitability of package vulnerabilities in a package-centric world. They are the primary stakeholders and are best positioned to tackle open source package vulnerabilities at the root. With the impending requirements of the EU Cyber Resilience Act (CRA), open source projects and small businesses urgently need a free and open solution to comply with these emerging mandates with minimal friction and cost.
The Cyber Resilience Application for Vulnerability Exploitability Exchange (CRAVEX) is a web-based app designed to fulfill these requirements for better software supply chain integrity and security. CRAVEX will make it easier for any organization to comply efficiently with the emerging CRA and other regulatory requirements, and will improve the overall security posture of organizations of all sizes, especially SMEs.
CRAVEX will collect, track, and triage FOSS package vulnerabilities, determine their exploitability in a portfolio of software products and projects, and provide reporting with SBOMs and VEX statements to share with stakeholders.
- The project's own website: https://aboutcode.org/
Run by AboutCode
This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594.