2025-01-19 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
This article explains how to use VulnerableCode to find the FOSS packages affected by known vulnerabilities. The method is simple, fast and practical, and the steps below walk through installing the tool, importing vulnerability data and querying it.
About VulnerableCode
VulnerableCode is a free and open database of FOSS package vulnerabilities, together with the tools needed to build the database and keep its data current. With it, researchers can see which packages are affected by a vulnerability and aggregate, correlate and manage vulnerability data in one place.
FOSS, or Free and Open Source Software, is an official term used by the United Nations Educational, Scientific and Cultural Organization (UNESCO). The term "FOSS industry" is new and, strictly speaking, is not exactly equivalent to "open source industry". FOSS has brought the software industry to a new stage. The Chinese translation of "FOSS" is "free and open source software".
VulnerableCode is a tool developed by the FOSS community to improve the security of the open source software ecosystem.
Operation mechanism
VulnerableCode aggregates many software vulnerability data sources independently and supports re-creating the data in a decentralized manner. These data sources include security advisories published by Linux and BSD distributions, application package managers and package repositories, FOSS projects, GitHub, and so on. Because of this approach, the data is specific to each ecosystem yet aggregated in a single database, which makes it possible to query a richer graph of relationships between packages. This specificity improves the accuracy and validity of the data, because the same upstream version packaged in different ecosystems may or may not be affected by the same vulnerability (a distribution may, for example, backport a fix without changing the upstream version number).
The tool uses the Package URL (PURL) as its primary package identifier instead of CPE. The primary way to access VulnerableCode data is its REST API.
In addition, the tool provides a Web interface that helps users browse and search the vulnerability database, and supports community curation of the data: adding new packages and vulnerabilities, and reviewing and updating the relationships between them.
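To make the PURL-versus-CPE point concrete, here is an added example (not code from the VulnerableCode project) that parses Package URLs per the purl-spec layout pkg:type/namespace/name@version?qualifiers#subpath and looks versions up in a small constructed, per-ecosystem sample database, showing how the same upstream version can be affected in one ecosystem and patched in another. The advisory ids and package names are constructed placeholders.

```python
from urllib.parse import unquote

def parse_purl(purl):
    """Split a Package URL into pkg:type/namespace/name@version?qualifiers#subpath."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a Package URL: %r" % purl)
    rest = purl[4:].strip("/")
    rest, _, subpath = rest.partition("#")      # subpath first, so '@' or '?' inside it is ignored
    rest, _, qualifiers = rest.partition("?")
    path, sep, version = rest.rpartition("@")   # the version follows the right-most '@'
    if not sep:                                 # no '@' at all: everything is the path
        path, version = version, ""
    ptype, _, path = path.partition("/")
    parts = [unquote(p) for p in path.split("/")]  # e.g. %40angular -> @angular
    quals = {}
    for pair in filter(None, qualifiers.split("&")):
        key, _, value = pair.partition("=")
        quals[key.lower()] = unquote(value)
    return {"type": ptype.lower(), "namespace": "/".join(parts[:-1]) or None,
            "name": parts[-1], "version": unquote(version) or None,
            "qualifiers": quals, "subpath": unquote(subpath) or None}

def package_key(purl):
    """Version-less identity of a package: (type, namespace, name)."""
    p = parse_purl(purl)
    return (p["type"], p["namespace"], p["name"])

# Constructed sample in the spirit of a VulnerableCode export: affected versions are recorded
# per ecosystem. Debian ships upstream 1.2.0 with a backported fix in revision -2, so the
# same upstream version is vulnerable on PyPI but not in Debian's patched package.
SAMPLE_DB = [
    {"id": "VCID-EXAMPLE-1", "purl": "pkg:pypi/examplelib",
     "affected": {"1.2.0", "1.2.1"}, "fixed": {"1.2.2"}},
    {"id": "VCID-EXAMPLE-1", "purl": "pkg:deb/debian/python3-examplelib",
     "affected": {"1.2.0-1"}, "fixed": {"1.2.0-2"}},
]

def vulnerabilities_for(purl, db=SAMPLE_DB):
    """Return the advisory ids whose affected set contains this exact package version."""
    p = parse_purl(purl)
    key = package_key(purl)
    return [e["id"] for e in db
            if package_key(e["purl"]) == key and p["version"] in e["affected"]]

if __name__ == "__main__":
    for purl in ("pkg:pypi/examplelib@1.2.0", "pkg:deb/debian/python3-examplelib@1.2.0-2"):
        print(purl, "->", vulnerabilities_for(purl))
```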
Tool installation & configuration
First, clone the project source code locally with the following commands:
git clone https://github.com/nexB/vulnerablecode.git
cd vulnerablecode
Using Docker Compose
The easiest way to install VulnerableCode is to use the Docker container and Docker Compose. With the Docker engine and Docker Compose installed, we can start VulnerableCode with the following command:
sudo docker-compose up
Next, you can access VulnerableCode at the following address:
http://localhost:8000/ or http://127.0.0.1:8000/
Don't forget to run the following command to rebuild the web container and synchronize your instance after each git pull:
sudo docker-compose up -d --no-deps --build web
We can then open a shell inside the VulnerableCode container with the following command; from there manage.py is available to run administrative commands such as importing data:
sudo docker-compose exec web bash
Local installation
System requirements:
Python 3.8 +
PostgreSQL 9 +
Compilation tool chains and development files for Python and PostgreSQL
On Debian-based distributions, you can install and configure VulnerableCode with the following commands:
sudo apt-get install python3-venv python3-dev postgresql libpq-dev build-essential
sudo -u postgres createuser --no-createrole --no-superuser --login --inherit --createdb --pwprompt vulnerablecode
createdb --encoding=utf-8 --owner=vulnerablecode --user=vulnerablecode --password --host=localhost --port=5432 vulnerablecode
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
DJANGO_DEV=1 python manage.py collectstatic
DJANGO_DEV=1 python manage.py migrate
Running the tests
The following commands run code style tests and test cases:
black -l 100 --check .
DJANGO_DEV=1 python -m pytest
Data import
Some data importers use the GitHub API, so first export a GitHub personal access token in the GH_TOKEN environment variable:
export GH_TOKEN=yourgithubtoken
Run all data importers:
DJANGO_DEV=1 python manage.py import --all
Enumerate all available importers:
DJANGO_DEV=1 python manage.py import --list
Run only the specified importers (here the Rust and npm ones):
DJANGO_DEV=1 python manage.py import rust npm
REST API access
Start the development Web server:
DJANGO_DEV=1 python manage.py runserver
The complete API documentation is served at the following endpoint:
http://127.0.0.1:8000/api/docs
Continuous periodic data import
If you want to import data on a regular schedule, you can use a systemd user service and timer:
$ cat ~/.config/systemd/user/vulnerablecode.service
[Unit]
Description=Update vulnerability database

[Service]
Type=oneshot
Environment="DJANGO_DEV=1"
ExecStart=/path/to/venv/bin/python /path/to/vulnerablecode/manage.py import --all

$ cat ~/.config/systemd/user/vulnerablecode.timer
[Unit]
Description=Periodically update vulnerability database

[Timer]
OnCalendar=daily

[Install]
WantedBy=multi-user.target
Once configured, reload the user units and start the timer with the following commands:
systemctl --user daemon-reload
systemctl --user start vulnerablecode.timer
Project address
VulnerableCode: https://github.com/nexB/vulnerablecode
At this point you should have a clearer understanding of how to use VulnerableCode to find the FOSS packages affected by vulnerabilities; the best next step is to install it and try the queries yourself.