One of the main benefits when it comes to open source projects, as defined by Linus’ law , is that all bugs are shallow given enough eyeballs. The open source community has been living up to this statement recently, with the accelerated rate of discoveries of open source vulnerabilities reported by such databases as the NVD, security advisories and other open source vulnerability databases.
The problem is those reported open source vulnerabilities are not published in only one place. After all, open source is a bazaar. With no rules or upper management to dictate one strict line of vulnerabilities publication.
Open Source Vulnerability Databases
The NVD is by far the main database for researching vulnerabilities. But it’s by no means the only open source vulnerability database. In order to detect all known open source vulnerabilities in your software, as quickly as possible, you need to extend your reach beyond the NVD.
Here are the top databases available today for open source vulnerabilities:
1. NVD (National Vulnerability Database)
The NVD, established by the US government in 2005, is the main database when it comes to open source vulnerabilities. Whether you’re trying to understand if a certain component is vulnerable, or want more information on a reported CVE.
The NVD does not publish vulnerabilities, but actually analyzes every CVE published in Mitre’s CVE database. Their analysis contains information like how the vulnerability operates, its impact rating, CVSS score, and links to any available patches/fixes. The CVSS score can help you prioritize any required remediation measures.
2. OSVDB/VulnDB Open Source Vulnerability Database
The OSVDB (open source vulnerability database) was launched in 2004 by Jake Kouhns, the founder and current CISO of Risk Based Security – the company which now operates OSVDB’s commercial version, the VulnDB.
The idea behind the OSVDB was to provide accurate, detailed security vulnerability information for non-commercial use. However, after years of enterprises using the database for commercial use without paying, the community behind OSVDB finally had enough. In April 2016 the OSVDB shut down permanently.
In 2011 Risk-Based Security was formed, and it started to offer a commercial version named VulnDB. This commercial version continues to be maintained by Risk Based Security, but without the strong community that maintained the OSVDB.
The OSVDB/VulnDB is perceived by many in the community as redundant, for the majority of vulnerabilities are also reported in the NVD.
An open searchable database, which aggregates reported vulnerabilities in open source projects from a wide range of sources. It includes the NVD, but goes much broader than merely the NVD as many vulnerabilities are reported in security advisories (see below), and open-source projects issue trackers (see below as well).
The vulnerability database centralizes information and show the following information on each vulnerability: language, CWE type, CVSS score per CVSS v2 and v3.x to explain its severity, verified and suggested fixes from the community, chatter from Twitter feeds, and more explanations on top vulnerabilities.
4. Security Advisories
Security advisories are usually the first place that security professionals and developers look when they have security issues within a specific scope. These security advisories contain many vulnerabilities that do not make it to the CVE/NVD, or it may just take them longer to end up being published there.
Tracking the relevant security advisories according to your programming languages or environment can be very beneficial, as it also provides a lot of information on remediation. Not to mention these sources provide valuable advice on other topics besides open source vulnerabilities.
5. Issue Trackers
Every open source project has its own bug tracker where all project-related issues are posted and discussed. Consequently, if you’re just looking for security vulnerabilities, you’ll have to dig through a load of non-security issues concerning first. But you can be sure to find all you need to know about security vulnerabilities in each open source bug tracker. Just like security advisories, issue trackers are often the first place vulnerabilities are reported when they’re detected.
Furthermore, issue trackers are an easy way to get in touch with a project manager directly. Allowing you to raise a vulnerability with them, and even request assistance.
How to Navigate the Open Source Bazaar
It may seem chaotic with so many databases and multiple sources, but you should concentrate on the good news. The open source community is doing a great job improving the security of open source projects by reporting and fixing security vulnerabilities.
The majority of vulnerabilities are published with a remediation suggestion, like a new patch, new version, system configuration suggestion etc. Furthermore, thousands of open source vulnerabilities are reported, mainly in the NVD, but not only there. So, how can you track all sources to ensure you know about vulnerabilities affecting your open source components, as well as how to remediate them?
Manually? Considering the number open source vulnerability databases out there, this option is virtually impossible. This is why we at WhiteSource truly believe that any company using open source components must have an automated solution to track open source vulnerabilities, as well as notify them of possible remediation.
After all, open source offers great resources to help your organization produce bleeding edge products at ever fast speeds. You just need to leverage the right tool to simplify the complexity of the bazaar, and track all the open source vulnerability databases for you.
This will ensure you always have complete transparency and control regarding your open source components and their vulnerabilities.
And here at WhiteSource, this is exactly what we do.