Why Is There No Free Software Vulnerability Database?

This was the provocative question we were asking two years ago when first introducing the VulnerableCode FOSS project.

The situation has evolved positively since then — in particular thanks to the creation of the Open Source Security Foundation, Open Source Vulnerability (OSV) project and schema and Open Source Insights.

Yet the question is still relevant as there is still no comprehensive aggregated vulnerabilities database that would cover most system and application package ecosystems. There are also continuous looming concerns about the licensing of vulnerability feeds and how to best share and curate vulnerability data.

We asked the same question during the Open Source Summit 2022 and came up with a viable solution - VulnerableCode. Since then, we have had hit various road blocks and cleared some as well. .

As a part of cataloging all the vulnerabilities out there we spun up other projects like univers: mostly universal version and version ranges comparison and conversion, VulnTotal: A vulnerabilities database comparison engine and more.

In this talk, we will explore vulnerabilities mining for supply chain security - t he present and the future we aspire