Send in your ideas. Deadline February 1, 2025
logo
Grant
Theme fund: NGI Zero Core
Start: 2024-04
More projects like this
Measurement

Enhance the vulnerability database

Enhance the VulnerableCode vulnerability database

Using Components with Known Vulnerabilities" is one of the OWASP Top 10 Most Critical Web Application Security Risks. Identifying such vulnerable components is currently hindered by data structure and tools that are (1) designed primarily for commercial/proprietary software components and (2) too dependent on the National Vulnerability Database (funded by the US CISA and Dept. of Commerce). With the explosion of Free and Open Source Software (FOSS) usage, we need a new approach in order to efficiently identify security vulnerabilities in FOSS components that are the basis of every modern software system and applications. And that approach should be based on open data and FOSS tools.

This project delivers unique FOSS tools to aggregate software component vulnerability data from multiple sources, privileging upstream data directly from project maintainers. VulnerableCode organizes that data with a de-facto industry standard Package URL identifier (Package URL or PURL) enabling efficient and straightforward automation for the search for FOSS component security vulnerabilities. The benefits are to contribute to the improved security of software applications with open tools and data available freely to everyone and to lessen the dependence on a single foreign governmental data source, or a few foreign commercial data providers.

In the new context of the upcoming Cyber Resilience Act (CRA), the access to an open, free and curated FOSS package vulnerability data source is now an imperative. And the organization of vulnerability data by Package URL or PURL identifiers in VulnerableCode enables easy frictionless integration with Software Composition Analysis (SCA) code analysis tool chains, direct enrichment of SBOMs (Software Bill of Materials) to find if SBOM-listed packages have known vulnerabilities, and creation of VEX (Vulnerability Exploitability Exchange) document to communicate the impact of known vulnerabilities

Why does this actually matter to end users?

Software security for many users is a given, an assumption, something you do not and should not have to think about too hard. If you open an app on your phone, install new software on your laptop or boot up your tablet, you assume the software you use is safe, secure and that the developers have done their job right.

But with the amount of software coming out and the tangled web of inter-dependencies that exist today, this assumption of trust is hard to live up to. Especially since software vulnerabilities are constantly either hunted for by malicious parties that want to get into our data and devices for blackmail, theft or on a larger and more dangerous scale, disruption of vital processes like power grids, or collected for by commercial parties that want to monetize securing our data and devices for profit.

Search and discovery of software vulnerabilities is an issue of oversight. There are various databases that record critical risks and issues, but the tools that developers can use to go through these databases tend to focus only on a few sources, missing important insight from upstream project maintainers, and using arcane identifiers that make finding if a software package is vulnerable more like a byzantine art than data science.

Software security should be a collective effort and developers need a complete view of any insecurities they need to deal with. This project creates the free and open source (FOSS) tools that aggregate software vulnerabilities from all possible sources and organize them in a standardized way as open data shared in the commons. This makes secure software development more transparent and ultimately contributes to more secure and solid tools and services for end users of all types.

This project enhances VulnerableCode and addresses multiple enhancement requests, such as mining the CVEs body to extract further details, adding new data sources, creating improvers to make the data better to improve the quality, depth and breadth of the data collected and more.

Run by AboutCode Europe ASBL

Logo NLnet: abstract logo of four people seen from above Logo NGI Zero: letterlogo shaped like a tag

This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990.