Find open source vulnerabilities,
with VulnerableCode.

VulnerableCode is a package-first vulnerability management solution, based on open data and FOSS tools, to automate search for FOSS vulnerabilities and improve the security of software applications.

Address key security concerns for using FOSS code in modern applications.

Automate search for FOSS security vulnerabilities, utilizing a free and open database of FOSS package vulnerabilities.

Aggregate and correlate vulnerability data from many sources.

Access the data through a REST API.

Based on open data and FOSS tools.

Search aggregated vulnerability data, across data sources.

Includes security advisories published by Linux distributions, software package managers and package repositories, FOSS projects, GitHub, and more.

Focused on specific ecosystems, but aggregated in a single database to query a richer graph of relations between multiple versions of a package.

Specificity increases the accuracy and validity of the data as the same version of an upstream package across different ecosystems may or may not be vulnerable to the same vulnerability.

Supports decentralized data re-creation, using tools that can detect and report FOSS packages using a Package-URL (PURL).

Efficiently investigate and triage vulnerabilities.

Quickly identify vulnerability fixes for your software stack.

Continuously monitor for vulnerabilities with open data.

See aggregated vulnerability data from multiple sources to accelerate analysis.

Use a Package-URL (PURL) to reliably identify, locate, and provision software packages across different tools, programming languages, package managers, packaging conventions, APIs, and databases.
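Because VulnerableCode keys everything on the Package-URL, a practitioner usually wants to see how one identifier string carries the type, namespace, name, version, qualifiers and subpath that distinguish, say, a Debian build of a package from the upstream release. The parser below is an added example written for this page, not VulnerableCode's own code; it follows the public Package-URL spec grammar (`pkg:type/namespace/name@version?qualifiers#subpath`) and uses constructed sample identifiers.

```python
"""Parse and re-serialize Package-URL (PURL) strings following the purl spec grammar:
    pkg:type/namespace/name@version?qualifiers#subpath
Added example for illustration; not part of the VulnerableCode code base.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import quote, unquote


@dataclass
class PackageURL:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: dict = field(default_factory=dict)
    subpath: Optional[str] = None

    def to_string(self) -> str:
        """Canonical form: components percent-encoded, qualifiers sorted by key."""
        out = f"pkg:{self.type}/"
        if self.namespace:
            out += "/".join(quote(seg, safe="") for seg in self.namespace.split("/")) + "/"
        out += quote(self.name, safe="")
        if self.version:
            out += "@" + quote(self.version, safe="")
        if self.qualifiers:
            out += "?" + "&".join(
                f"{k}={quote(v, safe='')}" for k, v in sorted(self.qualifiers.items())
            )
        if self.subpath:
            out += "#" + "/".join(quote(seg, safe="") for seg in self.subpath.split("/"))
        return out


def parse_purl(purl: str) -> PackageURL:
    remainder = purl.strip()

    # 1. subpath: everything after the rightmost '#'; '.' and '..' segments are dropped.
    subpath = None
    if "#" in remainder:
        remainder, raw = remainder.rsplit("#", 1)
        segs = [unquote(s) for s in raw.strip("/").split("/") if s not in ("", ".", "..")]
        subpath = "/".join(segs) or None

    # 2. qualifiers: key=value pairs after the rightmost '?'; keys are case-insensitive.
    qualifiers = {}
    if "?" in remainder:
        remainder, raw = remainder.rsplit("?", 1)
        for pair in raw.split("&"):
            key, _, value = pair.partition("=")
            if key and value:
                qualifiers[key.lower()] = unquote(value)

    # 3. scheme must be 'pkg'; any slashes directly after it are ignored.
    scheme, _, remainder = remainder.partition(":")
    if scheme.lower() != "pkg":
        raise ValueError(f"not a Package-URL: {purl!r}")
    remainder = remainder.strip("/")

    # 4. version: after the rightmost '@' (an '@' inside a name must be encoded as %40).
    version = None
    if "@" in remainder:
        remainder, raw = remainder.rsplit("@", 1)
        version = unquote(raw) or None

    # 5. type / namespace / name are the remaining '/'-separated segments.
    parts = remainder.split("/")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        raise ValueError(f"Package-URL needs at least a type and a name: {purl!r}")
    ptype = parts[0].lower()
    name = unquote(parts[-1])
    namespace = "/".join(unquote(p) for p in parts[1:-1] if p) or None
    return PackageURL(ptype, namespace, name, version, qualifiers, subpath)


if __name__ == "__main__":
    # Constructed sample identifiers: the same kind of coordinates VulnerableCode is queried with.
    for s in ("pkg:npm/%40angular/core@1.0.0",
              "pkg:deb/debian/curl@7.50.3-1?arch=i386&distro=jessie",
              "pkg:maven/org.apache.commons/io@1.3.4#src/main"):
        p = parse_purl(s)
        print(p.type, p.namespace, p.name, p.version, p.qualifiers, p.subpath, "->", p.to_string())
```

The `deb` sample shows why the page stresses ecosystem specificity: the `distro` and `arch` qualifiers are part of the identity, so a lookup for the Debian build is not the same lookup as for upstream `curl`. Round-tripping through `to_string()` gives a canonical key (lower-cased type, sorted qualifiers) that is safe to use when de-duplicating findings from several tools.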

Ensure compliance with customer, regulatory, and SBOM requirements.

Free and open data to ensure tools you use and produce can continuously look up vulnerability information without the limitations of commercial or proprietary databases.

Integrate with other tools for code analysis of vulnerability impact, by easily providing data using a PURL:

  • ScanCode Toolkit scans package manifest files.
  • DejaCode automatically checks all product packages for vulnerabilities.
  • Other options include ORT, OWASP tools, and many more.

For a quick look, use the UI. Or go deeper with the API.

Automate search for open source security vulnerabilities, with VulnerableCode:

Search quality vulnerability data, aggregated across many data sources:

  • Use the UI for a specific package or vulnerability.
  • Use the API for the vulnerabilities of an entire dependency tree.

Quickly identify vulnerability fixes for your stack and continuously monitor vulnerabilities with open data.

Integrate vulnerability data easily into the AboutCode stack or other PURL-based tools.

Open source is made possible by contributions from people like you!

The AboutCode stack is 100% open source and uses 100% open data. We are committed to the principles of open development. But we need your help.

We could really use your help to pay the folks building these open source projects. Sponsoring AboutCode projects on GitHub goes directly to the maintainers and developers working on open source AboutCode projects.

Need more hands-on support? Get help from the experts! nexB offers advanced support plans and other professional services.