Vulnerability comes from the Latin word for "wound," vulnus. Vulnerability is the state of being open to injury, or appearing as if you are. - vocabulary.com
This application allows you to identify open source dependencies and determine if there are any known, publicly disclosed, vulnerabilities on packages used by your application.
This works by calling the public service at https://ossindex.sonatype.org/, which uses data derived from public sources, so it's worth checking out their warnings, disclaimers and rate limiting policy before relying on the results.
Locally you can run `VulnusCloud\Docker-VulnusCloud\run.ps1`, which uses docker compose to set up the environment. It would probably be a good idea to add a parameter that builds from source instead of pulling the compiled `carlpaton/vulnuscloud` image.
The `-Reset` parameter tears down all the infrastructure and starts from scratch.
Then access the UI at http://localhost:8080/. The steps are:
- Create your project(s)
- Upload a packages file (see supported packages below)
- Reporting
- Note that the OSS Index API has rate limiting, so if you see `Too Many Requests` the application will automatically retry.
The master branch is built and available to pull from Docker Hub:
docker pull carlpaton/vulnuscloud
Basic reporting to screen should be fine for now; dumping to .XLSX or .PDF shouldn't be too hard. In the UI you click the project, then the uploaded version (stored by date), and finally the actual vulnerabilities.
Ecosystem | Type or location | File format/name |
---|---|---|
NuGET | packages.config (Legacy) | packages.config |
NuGET | Package Reference in project file (.Net) | [project name].csproj |
NPM | \packages\AppName\web\client | package.json |
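As an added example (this is not VulnusCloud's own code), the script below does the two things the flow above depends on: it turns each supported manifest type in the table (packages.config, a PackageReference .csproj and package.json) into OSS Index coordinates (package-url strings), and it submits them with a retry that backs off when OSS Index answers `429 Too Many Requests`. The endpoint `POST /api/v3/component-report` with a `{"coordinates": [...]}` body, the 128-coordinate batch size and the response field names are taken from the OSS Index v3 API as I understand it and should be checked against the current docs; the sample manifests and the sample response in the test are constructed, not real project files.

```python
"""Parse VulnusCloud-style package manifests into OSS Index coordinates and
query the component-report API with retry on HTTP 429.

Added example, not part of the VulnusCloud project. Endpoint, batch size and
response field names are assumed from the OSS Index v3 docs; sample manifests
are constructed for illustration."""
import base64
import json
import time
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
BATCH_SIZE = 128  # assumed per-request coordinate limit; verify against the docs

# Constructed sample manifests, one per row of the supported-packages table.
SAMPLE_PACKAGES_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="Newtonsoft.Json" version="12.0.1" targetFramework="net472" />
  <package id="log4net" version="2.0.8" targetFramework="net472" />
</packages>"""

SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="12.0.1" />
    <PackageReference Include="Serilog"><Version>2.9.0</Version></PackageReference>
  </ItemGroup>
</Project>"""

SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "web-client",
    "dependencies": {"lodash": "4.17.15", "express": "^4.17.1"},
    "devDependencies": {"@types/node": "~14.0.0", "mylib": "git+https://example.invalid/y.git"},
})


def parse_packages_config(text):
    """Legacy NuGet packages.config -> pkg:nuget purls."""
    root = ET.fromstring(text)
    return [f"pkg:nuget/{p.get('id')}@{p.get('version')}"
            for p in root.iter("package") if p.get("id") and p.get("version")]


def parse_csproj(text):
    """SDK-style .csproj PackageReference items -> pkg:nuget purls.
    The version is either a Version attribute or a child <Version> element."""
    purls = []
    for ref in ET.fromstring(text).iter("PackageReference"):
        name, version = ref.get("Include"), ref.get("Version")
        if version is None:
            child = ref.find("Version")
            version = child.text.strip() if child is not None and child.text else None
        if name and version:
            purls.append(f"pkg:nuget/{name}@{version}")
    return purls


def parse_package_json(text):
    """npm package.json -> pkg:npm purls. Range prefixes (^ ~ >= v) are
    stripped so the declared floor version is queried; specs that are not
    plain versions (git URLs, tags, '*') are skipped. Scoped names are
    percent-encoded as purl requires. A lock file gives exact resolved
    versions and is the better input when available."""
    data = json.loads(text)
    purls = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            version = spec.lstrip("^~<>=v ")
            if version and version[0].isdigit():
                purls.append(f"pkg:npm/{name.replace('@', '%40')}@{version}")
    return purls


def with_retry(call, attempts=5, base_delay=1.0, sleep=time.sleep):
    """Run call(); on HTTP 429 wait (Retry-After if sent, else exponential
    backoff) and try again, up to `attempts` times. Other errors propagate."""
    for attempt in range(attempts):
        try:
            return call()
        except urllib.error.HTTPError as err:
            if err.code != 429 or attempt == attempts - 1:
                raise
            retry_after = err.headers.get("Retry-After") if err.headers else None
            delay = float(retry_after) if retry_after and retry_after.isdigit() \
                else base_delay * 2 ** attempt
            sleep(delay)


def batches(purls, size=BATCH_SIZE):
    """Split coordinates into request-sized batches."""
    return [purls[i:i + size] for i in range(0, len(purls), size)]


def component_report(purls, credentials=None):
    """POST one batch of coordinates to OSS Index (network call).
    credentials=(username, api_token) uses HTTP Basic auth, which OSS Index
    grants a higher rate limit than anonymous requests."""
    body = json.dumps({"coordinates": purls}).encode()
    req = urllib.request.Request(OSSINDEX_URL, data=body, headers={
        "Content-Type": "application/json", "Accept": "application/json"})
    if credentials:
        token = base64.b64encode(":".join(credentials).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def vulnerable_components(report):
    """Reduce a component-report response (assumed shape: list of objects
    with 'coordinates' and 'vulnerabilities') to {coordinates: [ids]} for
    components that carry at least one vulnerability."""
    return {c["coordinates"]: [v.get("cve") or v.get("id") for v in c["vulnerabilities"]]
            for c in report if c.get("vulnerabilities")}


if __name__ == "__main__":
    purls = sorted(set(parse_packages_config(SAMPLE_PACKAGES_CONFIG)
                       + parse_csproj(SAMPLE_CSPROJ)
                       + parse_package_json(SAMPLE_PACKAGE_JSON)))
    print("\n".join(purls))
    for batch in batches(purls):
        report = with_retry(lambda: component_report(batch))
        for coord, ids in vulnerable_components(report).items():
            print(coord, ids)
```

The purls are deduplicated before submission because the same NuGet package often appears in several project files of one upload, and every duplicate coordinate counts against the rate limit. Stripping `^`/`~` from package.json ranges only tells you about the floor version the developer wrote down; the version actually installed comes from package-lock.json, so report on the lock file where the project has one.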