Project Ideas
Integration with other AboutCode tools, namely scancode.io and scancode-toolkit. At a high level these tools detect all the packages used by a codebase; they would then query VulnerableCode to verify whether each detected package is vulnerable or not.
See https://github.com/nexB/vulnerablecode#how for background information. We want to find more vulnerability data sources and consume them.
Create CI integrations that scan the codebase for packages using SBOM tools such as scancode-toolkit, then verify whether each package is safe. Implement a GitHub Action and a Jenkins plugin that do this.
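The following is an added example of the CI gate sketched above, written for this page and not code from VulnerableCode, scancode-toolkit or scancode.io. It assumes a CycloneDX-style JSON SBOM (the `components[].purl` field is standard CycloneDX) and replaces the query to a VulnerableCode instance with a small stand-in table; the advisory ids, fixed versions and SBOM contents are constructed. The pipeline step fails (non-zero exit) when any component's version is below the first fixed version of a known advisory.

```python
"""Added example: gate a CI job on the packages listed in an SBOM.

Not VulnerableCode or scancode-toolkit code. The SBOM is a constructed
CycloneDX-style document; ADVISORIES stands in for a VulnerableCode query
and its ids/versions are placeholders.
"""
import json
import re
import sys

# Constructed CycloneDX-style SBOM fragment.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"type": "library", "name": "requests", "version": "2.19.1",
     "purl": "pkg:pypi/requests@2.19.1"},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21"},
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}
  ]
}
"""

# Stand-in for the VulnerableCode lookup: versionless purl -> list of
# (advisory id, first fixed version). Ids and fixed versions are constructed.
ADVISORIES = {
    "pkg:pypi/requests": [("EXAMPLE-0001", "2.20.0")],
    "pkg:npm/lodash": [("EXAMPLE-0002", "4.17.21")],
    "pkg:maven/org.apache.logging.log4j/log4j-core": [("EXAMPLE-0003", "2.17.1")],
}


def split_purl(purl):
    """Split a purl into (versionless purl, version). Qualifiers ('?...') and
    subpath ('#...') are dropped; the version is everything after the last '@'."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        name, version = base.rsplit("@", 1)
        return name, version
    return base, None


def version_key(version):
    """Crude comparison key over dotted integers. Real gating needs an
    ecosystem-aware comparator (semver, PEP 440, Maven, ...)."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", version))


def lookup_advisories(base_purl):
    """Stand-in for querying a VulnerableCode instance for a package."""
    return ADVISORIES.get(base_purl, [])


def check_sbom(sbom_json, lookup=lookup_advisories):
    """Return [(purl, advisory id, fixed version)] for every component whose
    version is below the first fixed version of a known advisory. A component
    without a version cannot be cleared, so it is reported too."""
    findings = []
    for component in json.loads(sbom_json).get("components", []):
        purl = component.get("purl")
        if not purl:
            continue
        base, version = split_purl(purl)
        for advisory_id, fixed_in in lookup(base):
            if version is None or version_key(version) < version_key(fixed_in):
                findings.append((purl, advisory_id, fixed_in))
    return findings


def ci_exit_code(findings):
    """Non-zero exit status fails the pipeline step."""
    return 1 if findings else 0


if __name__ == "__main__":
    results = check_sbom(SBOM_JSON)
    for purl, advisory_id, fixed_in in results:
        print(f"VULNERABLE {purl}: {advisory_id} (fixed in {fixed_in})")
    sys.exit(ci_exit_code(results))
```

In a GitHub Action or Jenkins step the SBOM would come from the scancode-toolkit run and `lookup_advisories` would be replaced by a request to the VulnerableCode instance; the comparison logic and the exit-code contract stay the same.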
Add UI components that let users triage vulnerabilities, including displaying references and helpers to link a vulnerability to packages. VulnerableCode should of course consume this newly minted data.
Security advisories often do not state which packages are vulnerable in a structured way. Create a system that infers the vulnerable packages by parsing the vulnerability description.
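As an added example of the inference idea above (not VulnerableCode code), the script below applies a few heuristic patterns to free-text advisory descriptions and extracts a package name plus an upper version bound. The advisory sentences are constructed, and the rule labels are this example's own. The ecosystem (the purl type) cannot be recovered from prose alone and would have to come from the advisory's source or its references.

```python
"""Added example: infer an affected package and version bound from the
free-text description of an advisory. Heuristic rules, constructed samples;
not VulnerableCode code."""
import re

VERSION = r"\d+(?:\.\d+)+"
NAME = r"[A-Za-z][\w.-]*"

# Each rule is (label, pattern). Earlier rules win; all carry named groups.
RULES = [
    # "urllib3 package before 1.26.5", "Django versions prior to 3.2.4"
    ("before", re.compile(
        rf"\b(?P<name>{NAME})(?:\s+package)?(?:\s+versions?)?\s+"
        rf"(?:before|prior to|earlier than)\s+(?P<ver>{VERSION})", re.I)),
    # "jinja2 < 2.11.3"
    ("lt", re.compile(rf"\b(?P<name>{NAME})\s*<\s*(?P<ver>{VERSION})")),
    # "fixed in lodash 4.17.21"
    ("fixed_in", re.compile(rf"fixed in\s+(?P<name>{NAME})\s+(?P<ver>{VERSION})", re.I)),
]


def infer_affected(description):
    """Return {'name', 'fixed', 'affected', 'rule'} for the first rule that
    matches, or None when nothing structured can be inferred."""
    for label, pattern in RULES:
        match = pattern.search(description)
        if match:
            fixed = match.group("ver")
            return {
                "name": match.group("name").lower(),
                "fixed": fixed,
                "affected": "< " + fixed,
                "rule": label,  # which heuristic fired, for later triage
            }
    return None


def infer_all(descriptions):
    """Pair each description with its inference result (or None)."""
    return [(text, infer_affected(text)) for text in descriptions]


# Constructed advisory descriptions.
SAMPLES = [
    "A flaw in the urllib3 package before 1.26.5 allows header injection.",
    "Django versions prior to 3.2.4 are affected by a directory traversal.",
    "jinja2 < 2.11.3 fails to sanitize template input.",
    "This issue was fixed in lodash 4.17.21.",
    "No package information is given in this text.",
]

if __name__ == "__main__":
    for text, result in infer_all(SAMPLES):
        print(result, "<-", text)
```

Results that carry a `rule` label can be routed to the triage UI with the rule shown beside the inferred package, so a reviewer can confirm or reject the inference before VulnerableCode ingests it.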
Create scanners that verify whether a codebase is actually vulnerable to a given vulnerability. This differs from checking for vulnerable packages in the SBOM: the scanner should check whether the vulnerable code is actually called, whether the environmental conditions for the vulnerability are met, and so on.
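The following added example (not VulnerableCode code) shows the smallest useful form of such a scanner for Python code: it walks the AST, resolves import aliases so that `yaml.load` and `from yaml import load as x` are recognised as the same target, and then applies a per-vulnerability condition to each call. The target chosen, PyYAML's `yaml.load()` invoked without a safe `Loader`, is an illustrative choice, and both source snippets are constructed.

```python
"""Added example: check whether a codebase actually calls a vulnerable
function, and whether it calls it under the conditions that matter, by
walking the Python AST rather than reading the SBOM. Illustrative target and
constructed sources; not VulnerableCode code."""
import ast

# Constructed source: calls yaml.load with the default loader.
SRC_UNSAFE = '''
import yaml
def read(path):
    with open(path) as f:
        return yaml.load(f)
'''

# Constructed source: same function reached through an alias, but with a
# SafeLoader, so the condition does not hold.
SRC_SAFE = '''
import yaml
from yaml import load
def read(path):
    with open(path) as f:
        return load(f, Loader=yaml.SafeLoader)
'''


def import_aliases(tree):
    """Map each local name introduced by an import to its dotted origin."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                # `import a.b` binds `a`; `import a.b as c` binds `c` to a.b
                local = alias.asname or alias.name.split(".")[0]
                aliases[local] = alias.name if alias.asname else local
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    return aliases


def dotted_name(node, aliases):
    """Resolve a Name/Attribute chain (e.g. `yaml.load`, or alias `load`) to a
    fully qualified dotted name; None for dynamic targets such as calls on
    call results."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))


def yaml_load_without_safe_loader(call, aliases):
    """Condition for the illustrative target: the call passes no Loader, or a
    Loader whose name does not end in SafeLoader (positional or keyword)."""
    loader = call.args[1] if len(call.args) >= 2 else None
    for keyword in call.keywords:
        if keyword.arg == "Loader":
            loader = keyword.value
    if loader is None:
        return True
    name = dotted_name(loader, aliases)
    return not (name and name.endswith("SafeLoader"))


def find_calls(source, target, condition=None):
    """Line numbers of calls whose resolved target equals `target`; when a
    `condition(call, aliases)` is given, only calls for which it holds."""
    tree = ast.parse(source)
    aliases = import_aliases(tree)
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        if dotted_name(node.func, aliases) != target:
            continue
        if condition is None or condition(node, aliases):
            hits.append(node.lineno)
    return hits


if __name__ == "__main__":
    for label, src in (("unsafe", SRC_UNSAFE), ("safe", SRC_SAFE)):
        called = find_calls(src, "yaml.load")
        exploitable = find_calls(src, "yaml.load", yaml_load_without_safe_loader)
        print(f"{label}: yaml.load called on lines {called}, "
              f"condition holds on lines {exploitable}")
```

The split between "is the function called at all" and "does the condition hold" is the point: an SBOM check would flag both snippets identically, while the second snippet is only reported by the first query and cleared by the second.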