Open Source Vulnerability Databases
One of the first steps in protecting your company’s software applications against known security vulnerabilities is to scan your code base, creating an inventory of the open source components you have in use. Next, you must continually compare this code bill of materials (BOM) to various vulnerability databases.
The following vulnerability databases collectively provide the most comprehensive data available and are all leveraged through Black Duck Hub's lightweight open source scanning, tracking, and monitoring solution.
National Vulnerability Database (NVD)
The National Vulnerability Database (NVD) is a public resource, managed by the US government, tracking security vulnerabilities reported for all types of software. Black Duck leverages information tracked in the NVD to help automate and manage open source security.
- Black Duck leverages the NVD to identify and send alerts about vulnerabilities associated with open source components in use within your codebase
- Reported vulnerabilities include a severity ranking that can also be used to filter alerts and workflow
- Black Duck delivers NVD information during component selection and approval, enabling developers and approvers to have early visibility into any known security vulnerabilities
The NVD tracks data for commonly used operating systems, applications, and software components, including OSS. It is the result of continuous collaboration between the software industry and the multi-agency Information Security Automation Program (ISAP). NVD is a product of the National Institute of Standards and Technology (NIST) Computer Security Division and is sponsored by the Department of Homeland Security’s National Cyber Security Division. It supports the U.S. government multi-agency (OSD, DHS, NSA, DISA and NIST) Information Security Automation Program. It is the U.S. government content repository for the Security Content Automation Protocol (SCAP).
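The comparison step described at the top of the page (match the scanned inventory, or BOM, against a vulnerability database) and the NVD data just described can be illustrated with a small matcher. The example below is added here and is not Black Duck's code; it models a feed loosely on the NVD JSON 2.0 record layout (a `cve.id`, CVSS metrics and `configurations` with `cpeMatch` entries), but every CVE identifier, vendor, product, version range and score in it is constructed for illustration, and the version-comparison rules are a deliberately simple dotted-numeric scheme rather than any scanner's real logic.

```python
import json

# Constructed inventory: what a code scan would emit as the BOM.
# Vendor/product names follow CPE conventions but are made up.
INVENTORY = [
    {"vendor": "exampleorg", "product": "libparse", "version": "1.3.0"},
    {"vendor": "exampleorg", "product": "libparse", "version": "1.4.2"},
    {"vendor": "exampleorg", "product": "netutil", "version": "2.0.1"},
    {"vendor": "otherorg", "product": "widget", "version": "0.9"},
]

def _cve(cve_id, score, severity, cpe_matches):
    """Build one constructed record in an NVD-2.0-like shape."""
    return {"cve": {
        "id": cve_id,
        "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": score, "baseSeverity": severity}}]},
        "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": cpe_matches}]}],
    }}

# Constructed feed. Identifiers use an obvious CVE-EXAMPLE-* placeholder.
SAMPLE_FEED = {"vulnerabilities": [
    # Version range: libparse >= 1.0.0 and < 1.4.2 is affected.
    _cve("CVE-EXAMPLE-0001", 9.8, "CRITICAL", [
        {"vulnerable": True, "criteria": "cpe:2.3:a:exampleorg:libparse:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.4.2"}]),
    # Exact version pinned inside the CPE string itself.
    _cve("CVE-EXAMPLE-0002", 5.3, "MEDIUM", [
        {"vulnerable": True, "criteria": "cpe:2.3:a:exampleorg:netutil:2.0.1:*:*:*:*:*:*:*"}]),
    # "vulnerable": False marks context (e.g. a platform), not an affected product.
    _cve("CVE-EXAMPLE-0003", 7.5, "HIGH", [
        {"vulnerable": False, "criteria": "cpe:2.3:a:otherorg:widget:*:*:*:*:*:*:*:*"}]),
]}

def parse_version(v):
    """Dotted numeric versions only (non-numeric parts count as 0).
    Real ecosystems differ (semver pre-release tags, distro epochs),
    so a production matcher needs per-ecosystem rules here."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def parse_cpe(criteria):
    """Split a CPE 2.3 formatted string into vendor/product/version.
    Assumes no escaped colons ('\\:') in the fields; a full parser must handle them."""
    f = criteria.split(":")
    return {"vendor": f[3], "product": f[4], "version": f[5]}

def component_matches(component, cpe_match):
    """True if the inventory component falls inside one cpeMatch entry."""
    if not cpe_match.get("vulnerable", False):
        return False
    cpe = parse_cpe(cpe_match["criteria"])
    if (cpe["vendor"], cpe["product"]) != (component["vendor"], component["product"]):
        return False
    ver = parse_version(component["version"])
    if cpe["version"] != "*":                       # exact version in the CPE
        return ver == parse_version(cpe["version"])
    lo_inc = cpe_match.get("versionStartIncluding")
    lo_exc = cpe_match.get("versionStartExcluding")
    hi_inc = cpe_match.get("versionEndIncluding")
    hi_exc = cpe_match.get("versionEndExcluding")
    if lo_inc and ver < parse_version(lo_inc):
        return False
    if lo_exc and ver <= parse_version(lo_exc):
        return False
    if hi_inc and ver > parse_version(hi_inc):
        return False
    if hi_exc and ver >= parse_version(hi_exc):
        return False
    return True

def severity_of(cve):
    """Return (baseScore, baseSeverity), or (None, 'UNKNOWN') when unscored."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    if not metrics:
        return (None, "UNKNOWN")
    data = metrics[0]["cvssData"]
    return (data["baseScore"], data["baseSeverity"])

def match_inventory(inventory, feed, min_score=0.0):
    """Compare the BOM against the feed; keep alerts at or above min_score.
    Unscored records are never filtered out, so a missing score cannot hide a finding."""
    alerts = []
    for entry in feed["vulnerabilities"]:
        cve = entry["cve"]
        score, severity = severity_of(cve)
        if score is not None and score < min_score:
            continue
        matches = [m for cfg in cve.get("configurations", [])
                   for node in cfg["nodes"] for m in node["cpeMatch"]]
        for comp in inventory:
            if any(component_matches(comp, m) for m in matches):
                alerts.append({"cve": cve["id"], "score": score, "severity": severity,
                               "component": f"{comp['vendor']}:{comp['product']}:{comp['version']}"})
    alerts.sort(key=lambda a: -(a["score"] if a["score"] is not None else 0.0))
    return alerts

if __name__ == "__main__":
    print(json.dumps(match_inventory(INVENTORY, SAMPLE_FEED, min_score=4.0), indent=2))
```

Run as-is, it reports libparse 1.3.0 (inside the constructed range) and netutil 2.0.1 (exact match), while libparse 1.4.2 sits on the excluded upper bound and the `"vulnerable": false` widget entry is ignored; raising `min_score` to 7.0 mirrors the severity filtering mentioned above and leaves only the critical finding.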
Open Source Vulnerability Database (OSVDB)
Founded in 2002, OSVDB is an independent, open source, web-based vulnerability database that aims to provide accurate, detailed, current, and unbiased technical information on open source security vulnerabilities. It currently tracks over 120,980 open source vulnerabilities spanning 198,973 products, contributed by 4,735 researchers over 113 years, and arguably holds the most comprehensive open source-specific vulnerability data available today.
VulnDB
Run by Risk Based Security, in partnership with the Open Security Foundation, VulnDB is a timely, high-quality vulnerability intelligence database, tracking:
- Over 118,000 open source vulnerabilities
- Vulnerabilities posted within 24 hours
- Deeper vulnerability data
Because VulnDB is embedded in the Black Duck Hub, customers have automatic access to premium vulnerability intelligence mapped to the open source software they use.