(last updated: 2019-08-04)
The vulnerable code database (Vulncode-DB) is a database of vulnerabilities and their corresponding source code, where available. The database extends the NVD / CVE data sets with user-supplied information regarding patch links, vulnerable code offsets and descriptions. In particular, the database aims to make real-world examples of vulnerable code universally accessible and useful.
The underlying code is open-sourced at github.com/google/vulncode-db.
Please note: Vulncode-DB is not an officially supported Google product and this is an experimental alpha version mostly for demonstration purposes. The application might be unreliable, contains many bugs and is not feature complete. Please set your expectations accordingly.
You can stay updated at twitter.com/vulncodedb.
The goal is to make real-world examples of vulnerable code universally accessible and useful. Particular subgoals include:
Educate on what vulnerabilities look like in code and how to spot them. Provide a central place to showcase what vulnerabilities look like in detail. Ever wanted to improve your code auditing abilities? This could become a place where you can start to do so.
Create a real-world data set on vulnerable (open-source) code for tooling and research purposes. Currently, there seems to be no high-quality and real-world data available for this purpose. This data might be useful for research areas like static source code analysis.
Ideally, this project would provide you with all the code passages and short descriptions needed to understand the details of a vulnerability.
raw vulnerability data without a known patch (this includes proprietary software). Example: VideoLAN VLC media player bug.
The database makes use of the following data sources:
To provide useful context, it scans for patch references and makes relevant repository contents directly available.
Please note: Contributing annotations is currently disabled. Please see a rough demo for the intended interface here.
Please create a bug / feature request at: github.com/google/vulncode-db/issues. Alternatively, as this is an open-source project, you’re more than welcome to create a pull request.
Please take a look at github.com/google/vulncode-db/blob/master/README.md.
Yes, it’s planned to provide the project’s data over APIs. Additionally, we want to provide regular database dumps.
Any feedback is super welcome. Please feel free to spread the word, contact us, or contribute pull requests to github.com/google/vulncode-db.
First, we would like to see the feedback and interest in this project. However, some of the major next milestones would be: