Note: this copy of the README comes from a fork that is 1596 commits behind nexB:main.


Clone the source code:

git clone && cd vulnerablecode

System requirements

  • Python 3.8+

  • PostgreSQL 9+ or Docker

  • Compiler toolchain and development files for Python and PostgreSQL

On Debian-based distros, these can be installed with sudo apt install python3-venv python3-dev postgresql libpq-dev build-essential. Leave out postgresql if you want to run it in Docker.

Database configuration

Either run PostgreSQL in Docker: docker run --name pg-vulnerablecode -e POSTGRES_USER=vulnerablecode -e POSTGRES_PASSWORD=vulnerablecode -e POSTGRES_DB=vulnerablecode -p 5432:5432 postgres

Or without:

  • Create a user named vulnerablecode. Use vulnerablecode as the password when prompted: sudo -u postgres createuser --no-createrole --no-superuser --login --inherit --createdb --pwprompt vulnerablecode

  • Create a database named vulnerablecode: createdb --encoding=utf-8 --owner=vulnerablecode --user=vulnerablecode --password --host=localhost --port=5432 vulnerablecode

The vulnerablecode/vulnerablecode credentials are development defaults. On any host reachable from a network, pick your own password and, for the Docker variant, publish the port on the loopback interface only (-p 127.0.0.1:5432:5432): -p 5432:5432 binds the database on all interfaces.

Application dependencies

Activate a virtualenv, install dependencies, and run the database migrations:

python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
DJANGO_DEV=1 python migrate

The environment variable DJANGO_DEV selects settings suitable for local development, defined in vulnerablecode/. If you don't want to type it every time, use export DJANGO_DEV=1 instead. Do not set it for a deployment; those settings exist for development only.

When not running in development mode, an environment variable named SECRET_KEY needs to be set. The recommended way to generate this key is to use the code Django includes for this purpose: SECRET_KEY=$(python -c "from import utils; print(utils.get_random_secret_key())"). Keep the key in the process environment or a secrets store, never in a committed file.
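The dependency and secret-handling steps above, gathered into one script. This is an added example, not a script shipped with VulnerableCode: it assumes the usual Django layout with manage.py at the repository root and settings that read SECRET_KEY from the environment, as the section states. The refusal to start without DJANGO_DEV=1 when SECRET_KEY is missing or shorter than the 50 characters Django's generator produces is this script's own check, not project behaviour; the stdlib fallback in gen_secret_key is likewise an assumption for interpreters where Django is not yet installed.

```shell
#!/bin/sh
# Added example (not VulnerableCode project code). Assumes manage.py at the
# repository root and SECRET_KEY read from the environment outside DJANGO_DEV.
set -eu

# Print a fresh secret key. Django ships get_random_secret_key() for this;
# when Django is not importable yet (e.g. before pip install) fall back to
# the stdlib, which yields a key of comparable length and entropy.
gen_secret_key() {
    python3 - <<'EOF'
try:
    from django.core.management.utils import get_random_secret_key
    print(get_random_secret_key())
except ImportError:
    import secrets
    print(secrets.token_urlsafe(50))
EOF
}

# Return 0 when the environment is safe to start with, 1 otherwise:
# development mode is accepted as-is; anything else needs a real SECRET_KEY.
check_env() {
    if [ "${DJANGO_DEV:-}" = "1" ]; then
        return 0
    fi
    key="${SECRET_KEY:-}"
    if [ -z "$key" ]; then
        echo "SECRET_KEY is not set and DJANGO_DEV != 1; refusing to start" >&2
        return 1
    fi
    if [ "${#key}" -lt 50 ]; then
        echo "SECRET_KEY is shorter than 50 characters; generate a fresh one" >&2
        return 1
    fi
    return 0
}

# Create the virtualenv and install dependencies (safe to re-run).
setup_venv() {
    [ -d venv ] || python3 -m venv venv
    . venv/bin/activate
    pip install -r requirements.txt
}

main() {
    setup_venv
    if [ "${DJANGO_DEV:-}" != "1" ] && [ -z "${SECRET_KEY:-}" ]; then
        # Generated for this process only; persist it in your secrets store,
        # not in a file under version control.
        SECRET_KEY="$(gen_secret_key)"
        export SECRET_KEY
    fi
    check_env
    python manage.py migrate
}

# Invoke as "./bootstrap.sh run"; without the argument the file only
# defines the functions so they can be sourced or tested.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it once with DJANGO_DEV=1 exported for a development checkout; for anything else export SECRET_KEY first, or let the script generate one and copy the value into your secrets store so later runs (and the systemd or Heroku jobs below) use the same key.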

Tests

Check code style and run the test suite:

pycodestyle --exclude=migrations,,venv,,,, --max-line-length=100 .
DJANGO_DEV=1 pytest

To skip tests which require an internet connection:

DJANGO_DEV=1 pytest -m "not webtest"

Data import

DJANGO_DEV=1 python import --all

If you want to run the import periodically, you can use a systemd timer:

$ cat ~/.config/systemd/user/vulnerablecode.service

Description=Update vulnerability database

ExecStart=/path/to/venv/bin/python /path/to/vulnerablecode/ import --all

$ cat ~/.config/systemd/user/vulnerablecode.timer

Description=Periodically update vulnerability database



Start it with

systemctl --user daemon-reload && systemctl --user start vulnerablecode.timer
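The two unit files above, written out in full with the section headers systemd requires. This is an added example rather than the project's own units: the daily schedule with a randomized start, the Persistent= catch-up after downtime, the venv and checkout paths, and manage.py as the Django entry point are all assumptions you should adjust to your installation.

```shell
#!/bin/sh
# Added example (not VulnerableCode project code): generate user-level
# systemd units that run the importer on a schedule. Assumes a venv at $2,
# the checkout at $3, manage.py as the Django entry point, and a daily run.
set -eu

# write_units UNIT_DIR VENV SRC
# Writes vulnerablecode.service and vulnerablecode.timer into UNIT_DIR.
write_units() {
    unit_dir="$1"; venv="$2"; src="$3"
    mkdir -p "$unit_dir"
    cat > "$unit_dir/vulnerablecode.service" <<EOF
[Unit]
Description=Update vulnerability database

[Service]
Type=oneshot
WorkingDirectory=$src
# DJANGO_DEV=1 selects the development settings. For a non-dev run remove
# it and supply SECRET_KEY through an EnvironmentFile kept outside git.
Environment=DJANGO_DEV=1
ExecStart=$venv/bin/python $src/manage.py import --all
EOF
    cat > "$unit_dir/vulnerablecode.timer" <<EOF
[Unit]
Description=Periodically update vulnerability database

[Timer]
OnCalendar=daily
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# count_sections FILE: number of [Section] headers, a cheap sanity check
# that a generated unit has the structure systemd expects.
count_sections() {
    grep -c '^\[' "$1"
}

# "./units.sh install" writes the units into the user unit directory and
# enables the timer so it survives a reboot (start alone does not).
if [ "${1:-}" = "install" ]; then
    unit_dir="${XDG_CONFIG_HOME:-$HOME/.config}/systemd/user"
    write_units "$unit_dir" "${VENV:?set VENV}" "${SRC:?set SRC}"
    systemctl --user daemon-reload
    systemctl --user enable --now vulnerablecode.timer
    systemctl --user list-timers vulnerablecode.timer
fi
```

User timers only run while that user has a session; on a server where nobody stays logged in, run loginctl enable-linger for the account first, or install the same units system-wide under /etc/systemd/system with a User= line in the service.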


Start the webserver

DJANGO_DEV=1 python runserver

In your browser access:<package_name>

Deployment on Heroku


  1. Create an Heroku account

  2. Download and install the Heroku CLI

  3. Run a local webserver: heroku local web

  4. Login: heroku login

  5. Create Heroku app: heroku create

  6. Generate a secret key and pass it as an environment variable: heroku config:set SECRET_KEY=$(python -c "from import utils; print(utils.get_random_secret_key())")

  7. Deploy: git push heroku <branch>:master

  8. Migrate the database: heroku run python migrate

  9. Load the data referring to chapter "Data import" above.

  10. To check the logs: heroku logs --tail

Periodic Data Import

Note: Running jobs with Heroku Scheduler might incur costs. If you haven't already, you need to add a credit card to your account.

  1. Install the Scheduler add-on: heroku addons:create scheduler:standard

  2. Open the Scheduler dashboard: heroku addons:open scheduler

  3. Click on "Create job" and enter python import --all under "Run Command"


[WIP] A tool to aggregate and correlate Vulnerabilities and the Software packages they impact