
Project Ideas Improve VulnerableCode Package Security Vulnerability Data and Code

Philippe Ombredanne edited this page Mar 5, 2020 · 1 revision

VulnerableCode: Package security vulnerability correlated data feed
==================================================================

This project aims to further develop and evolve VulnerableCode, the package vulnerability data aggregation tool.

VulnerableCode was started as a GSoC project in 2017. Its goal is to collect, aggregate and correlate vulnerability data and to provide semi-automatic correlation. In the end it should provide the basis for reporting vulnerability alerts for packages identified by ScanCode.

This is not trivial, as there are several gaps in the CVE data and in how CVEs relate to packages as detected by ScanCode or other tools.

The TODO for VulnerableCode is to:

  • Add New Vulnerability data sources and improve the data model
  • Create mappings between CPE (Common Platform Enumeration) names in the NVD and Package URLs. This should be as automated as possible and could use some novel approaches based on machine learning

And as bonuses:

  • Leverage correlation: add smart relationship detection to infer new relationships between available packages and vulnerabilities from mining the graph of existing relations.

  • Create a UI and model for community curation of vulnerability-to-package mappings, correlations and enhancements.
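As an added illustration of the CPE-to-Package-URL mapping task and of why a curation table is needed alongside heuristics (this is example code, not VulnerableCode's own), the following parses NVD CPE 2.3 formatted strings and maps them to purls. The curation table and the `target_sw` ecosystem hints are constructed assumptions for the example.

```python
# Added example, not VulnerableCode's own code: map NVD CPE 2.3 names to
# Package URLs using a curated table first and an ecosystem heuristic second.
from urllib.parse import quote
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")
# Constructed curation table: (vendor, product) -> (purl type, namespace, name).
CURATED = {("djangoproject", "django"): ("pypi", None, "django"),
           ("apache", "commons_text"): ("maven", "org.apache.commons", "commons-text")}
TARGET_SW_TO_PURL_TYPE = {"node.js": "npm", "python": "pypi"}  # NVD target_sw hints

def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into a dict, honouring '\\:' escapes."""
    fields, current, escaped = [], "", False
    for ch in cpe:
        if escaped:                  # char after a backslash is taken literally
            current, escaped = current + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ":":
            fields.append(current)
            current = ""
        else:
            current += ch
    fields.append(current)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return dict(zip(CPE23_FIELDS, fields[2:]))

def cpe_to_purl(cpe):
    """Return (purl, provenance); purl is None when no defensible mapping exists."""
    c = parse_cpe23(cpe)
    if c["part"] != "a":             # only applications ("a") map to packages
        return None, "not an application CPE"
    key = (c["vendor"], c["product"])
    if key in CURATED:
        ptype, namespace, name = CURATED[key]
        provenance = "curated"
    elif c["target_sw"] in TARGET_SW_TO_PURL_TYPE:
        ptype, namespace, name = TARGET_SW_TO_PURL_TYPE[c["target_sw"]], None, c["product"]
        provenance = "heuristic:target_sw"   # flag for human review
    else:
        return None, "no mapping for %s/%s" % key
    purl = "pkg:%s/" % ptype
    if namespace:
        purl += quote(namespace, safe="") + "/"
    purl += quote(name, safe="")
    if c["version"] not in ("*", "-"):   # CPE ANY / NA carry no version
        purl += "@" + quote(c["version"], safe="")
    return purl, provenance
```

The provenance label is the point: a heuristic hit from `target_sw` is a candidate for the community curation UI, while a curated hit can be trusted directly.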
