The Common Vulnerabilities and Exposures (CVE) system is a popular reference system used to catalog disclosed vulnerabilities and exploits.
This dictionary of publicly known cybersecurity vulnerabilities makes sharing data across separate network security databases and tools easier and provides a baseline for evaluating the coverage of an organization’s security tools.
Because open-source vulnerabilities differ fundamentally from those found in proprietary code, information about them is spread across many different databases, repositories, and issue trackers. This makes life much harder for security and development teams when it comes to manually detecting which of their open-source components are vulnerable.
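The practical consequence of that fragmentation is that the CVE ID is the only key the different sources share, and each source writes it in its own shape (upper or lower case, embedded in an issue title, several IDs in one field). The script below is an added example, not code from the original article: it normalizes CVE IDs out of three constructed feeds (an illustrative MITRE-style list, GitHub issue titles and a distribution advisory), merges them into one index keyed by CVE ID, and reports which sources mention a given package. The feed names, record layouts and IDs are all constructed for the example.

```python
"""Merge vulnerability advisories from several sources into one index keyed by
CVE ID.  Added example, not from the original article; the feed records below
are constructed and the source names are illustrative."""
import re
from collections import defaultdict

# A CVE ID is "CVE-" + four-digit year + "-" + four or more digits (MITRE syntax).
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def normalize_cve_id(text):
    """Return the first CVE ID found in `text` in canonical upper-case form, or None."""
    m = CVE_RE.search(text)
    if not m:
        return None
    return f"CVE-{m.group(1)}-{m.group(2)}"


def extract_cve_ids(text):
    """Return all distinct canonical CVE IDs mentioned in free text (e.g. an issue title)."""
    return sorted({f"CVE-{year}-{num}" for year, num in CVE_RE.findall(text)})


# Constructed sample feeds: each source reports the same flaw in its own shape.
FEEDS = {
    "mitre_cve": [
        {"id": "CVE-2020-0001", "package": "examplelib", "summary": "Buffer overflow in parser"},
        {"id": "CVE-2020-0002", "package": "otherlib", "summary": "Path traversal"},
    ],
    "github_issues": [
        {"title": "Fix for cve-2020-0001 (parser overflow)", "repo": "example/examplelib"},
        {"title": "Add CI badge", "repo": "example/examplelib"},  # no CVE, must be ignored
    ],
    "distro_advisory": [
        {"cves": "CVE-2020-0001, CVE-2020-0003", "pkg": "examplelib", "fixed_in": "1.2.4"},
    ],
}


def build_index(feeds):
    """Collect, per CVE ID, which sources mention it and what each says about it."""
    index = defaultdict(lambda: {"sources": set(), "packages": set(), "fixed_in": set()})
    for source, records in feeds.items():
        for rec in records:
            # Search every field, because sources put the ID in different places.
            text = " ".join(str(value) for value in rec.values())
            for cve in extract_cve_ids(text):
                entry = index[cve]
                entry["sources"].add(source)
                for key in ("package", "pkg"):
                    if key in rec:
                        entry["packages"].add(rec[key])
                if "repo" in rec:  # "owner/name" -> "name"
                    entry["packages"].add(rec["repo"].split("/")[-1])
                if "fixed_in" in rec:
                    entry["fixed_in"].add(rec["fixed_in"])
    return dict(index)


def advisories_for(index, package):
    """CVE IDs in the index that name `package`, with the sources reporting each."""
    return {cve: sorted(e["sources"]) for cve, e in index.items() if package in e["packages"]}


if __name__ == "__main__":
    idx = build_index(FEEDS)
    for cve, sources in sorted(advisories_for(idx, "examplelib").items()):
        print(cve, "reported by", ", ".join(sources))
```

Keying on the normalized ID is what lets a team notice that one flaw was reported by three sources while another (CVE-2020-0003 in the sample) appears only in the distribution advisory, which is exactly the case a single-database lookup would miss.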
To get a sense of where security professionals should be looking for information about new open-source vulnerabilities, we present several key resources to follow:
1. CVE Database by MITRE
The CVE database program was launched in 1999 by the MITRE Corporation, a nonprofit organization funded by the U.S. government (DHS). The program aims to catalog and identify all known vulnerabilities in open-source and commercial components. CVE uses a claim-based model to vet new vulnerabilities or exposures submitted by researchers or project managers: depending on the submitter's credibility, they may be asked to provide evidence of a demonstrated negative impact, such as an example or scenario in which the flaw is exploitable. The stronger the claim, the more likely it is to receive a CVE ID.
2. NVD by NIST
The NVD is maintained by the U.S. government's National Institute of Standards and Technology (NIST) and is responsible for analyzing the vulnerabilities posted to the CVE database. The NVD's analysis includes determining impact metrics, vulnerability type (CWE), applicability statements (CPE), and other pertinent metadata. The NVD does not actively perform vulnerability testing; it relies on vendors and third-party security researchers to provide the information that is then used to assign these attributes. It scores vulnerabilities using the Common Vulnerability Scoring System (CVSS), which works on a 1 (lowest) through 10 (highest) number scale. Currently, the NVD supports both CVSS versions 2 and 3. The NVD is updated within two business days of a new vulnerability being reported to the CVE database, excluding reserved CVEs, for which no data is provided.
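The attributes the paragraph lists (a CVSS v3 and a CVSS v2 base score, a CWE type, and CPE applicability statements) are what a consumer of NVD data actually works with. The following is an added example, not code from the original article or from NIST: it summarizes a constructed, NVD-style record, maps the CVSS v3 base score to the qualitative rating defined in the CVSS v3.x specification (None 0.0, Low 0.1 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9, Critical 9.0 to 10.0), matches the record's CPE 2.3 strings against an installed component, and returns nothing for a reserved entry, since the NVD has no analysis data for those. The record layout and the `status` field are simplifications assumed for the example, not the exact NVD feed schema.

```python
"""Summarize NVD-style metadata for a CVE record and check it against an
installed component.  Added example; the records below are constructed with
placeholder IDs and the field layout is a simplification of the NVD feed."""


def cvss3_severity(score):
    """Qualitative rating defined by the CVSS v3.x specification for a base score."""
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into (part, vendor, product, version)."""
    fields = cpe.split(":")
    if len(fields) < 6 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return fields[2], fields[3], fields[4], fields[5]


def cpe_matches(cpe, vendor, product, version):
    """True if the CPE names this vendor/product and either any version ('*') or this one."""
    _, cpe_vendor, cpe_product, cpe_version = parse_cpe23(cpe)
    return cpe_vendor == vendor and cpe_product == product and cpe_version in ("*", version)


def summarize(record):
    """Pull out the attributes the NVD adds on top of the bare CVE entry.
    Returns None for a RESERVED entry, for which no analysis data exists."""
    if record.get("status") == "RESERVED":
        return None
    v3 = record.get("cvss_v3", {})
    v2 = record.get("cvss_v2", {})
    return {
        "id": record["id"],
        "cvss_v3_score": v3.get("baseScore"),
        "cvss_v3_severity": cvss3_severity(v3["baseScore"]) if "baseScore" in v3 else None,
        "cvss_v2_score": v2.get("baseScore"),
        "cwe": record.get("cwe"),
        "cpes": record.get("cpes", []),
    }


def affects(record, vendor, product, version):
    """True if any CPE applicability statement of the record names the installed component."""
    summary = summarize(record)
    if summary is None:
        return False
    return any(cpe_matches(c, vendor, product, version) for c in summary["cpes"])


# Constructed sample records (placeholder IDs, not real CVEs).
RECORDS = [
    {
        "id": "CVE-2020-0001",
        "cwe": "CWE-120",
        "cvss_v3": {"baseScore": 9.8, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},
        "cvss_v2": {"baseScore": 7.5},
        "cpes": ["cpe:2.3:a:example:examplelib:1.2.3:*:*:*:*:*:*:*"],
    },
    {"id": "CVE-2020-0002", "status": "RESERVED"},
]

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec["id"], summarize(rec), "affects examplelib 1.2.3:",
              affects(rec, "example", "examplelib", "1.2.3"))
```

Note that the two CVSS versions rate the same record differently (9.8 under v3 versus 7.5 under v2 in the sample), which is why tooling that consumes NVD data should record which version a score came from rather than treating the number as interchangeable.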
3. VulnDB by Risk Based Security
The Open Source Vulnerability Database (OSVDB) initiative was launched in 2004 by Jake Kouns. His idea was an independent database that would provide the noncommercial sector with detailed information about vulnerabilities. By some reports, the database contained over 100,000 vulnerabilities.
However, the initiative ran into trouble when commercial enterprises began heavily using the database without supporting it financially, leading to the project shutting down its nonprofit work in April 2016. Kouns later transformed the OSVDB into its commercial iteration under the umbrella of his company, Risk Based Security, relaunching it as VulnDB.
Today the database is no longer maintained by thousands of contributors from the open-source community but by a handful of security researchers. It is also not publicly available; companies must buy a subscription. Risk Based Security claims that its database holds 20% to 25% more known vulnerabilities than the CVE listing. However, this claim of a significant gap has never been independently verified.
4. GitHub Issue Tracker
GitHub is arguably the go-to site for developers, hosting 67 million repositories. Developers use the site for sharing and finding open-source components. In 2009, the site launched its GitHub Issue Tracker, where developers could flag issues like vulnerabilities or bugs to bring them to the crowd’s attention with hopes of resolving them.
This method of drawing information from the community is very much in line with the open-source ethos and is downright practical, since it sits where the developers already are. It includes important features such as letting users vote on which issues they want to see addressed, ideally helping to raise the most pressing issues to the top. Essentially, it cuts the distance between the user and the project manager, making it more likely that vulnerabilities will be reported.
5. Node Security Platform (NSP)
The NSP provides security information on Node.js modules and NPM dependencies. The platform is a suite of security products and tools, of which the advisory database is just one part. Its database receives information from a large, active community and from the scans it performs on NPM modules.
6. Linux Security
Linux Security is the largest vulnerability database dedicated to Linux components. Organized per Linux distribution, it covers almost 20 distributions. Like all the other major advisory databases, it is fed by the community and by NVD scanning solutions.
7. RubySec
RubySec provides security resources and information for the Ruby community. Its advisory database draws vulnerability-class and root-cause information from the community and from NVD scans of tested and trusted open-source Ruby projects and applications.