opencve
cvelistV5
opencve | cvelistV5 | |
---|---|---|
21 | 5 | |
1,641 | 502 | |
2.8% | 18.3% | |
4.1 | 4.8 | |
2 days ago | 3 days ago | |
Python | ||
GNU General Public License v3.0 or later | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
opencve
- Auth0 increases price by 300%
- how to stay up to date with new CVEs?
- Where do you get your information regarding new vulnerabilities and security risks?
-
PaperCut MF/NG vulnerability
Don't like someone else running it? No problem, it's open source and you can run it yourself https://github.com/opencve/opencve
-
Tracking vulnerabilities that your company is effected by.
I use https://www.opencve.io you can make a account and then subscribe to different products and/or vendors to get automated updates via mail if there are new vulnerabilities that affect these products
-
Getting informed about exploits / CVEs
www.opencve.io and filter on your vendors and hw models.
- CVE sources
-
CVE Vulnerability Tracking
Check out OpenCVE, I find it as an excellent tool.
-
zero-day exploit notifications
https://www.opencve.io/ - Site that allows you to be emailed of new CVEs by subscribing to different products and vendors.
-
CVE Search
https://www.opencve.io/ is something to use as well.
cvelistV5
-
Maccarone: AI-managed code blocks in Python
We, as an industry, didn't stop shipping bugs. (Small example: https://github.com/CVEProject/cvelistV5/releases)
And that thorough code review prevents bugs is, at best, a debatable assertion. See e.g. https://www.microsoft.com/en-us/research/publication/code-re...
It finds _some_ bugs. CI/CD, and a massive investment in automated testing has probably had the largest impact in moving software quality forward. (See e.g. "Accelerate", Forsgren, Humble & Kim)
Code review is an excellent tool to socialize knowledge and train up more junior engineers, but in terms of preventing bugs, it's low-value.
-
"Mirror" of the soon to be deprecated NIST NVD CVE Feeds
There seems to be new repository in a new JSON format: https://github.com/CVEProject/cvelistV5
-
Please don't use GPT for Security Guidance
Meanwhile, over here, I just stare at https://github.com/CVEProject/cvelistV5 and mumble "any reasonable dev, front of mind".
-
On the uselessness of MITRE's CVE List
The issues I filed in the cvelistV5 repo are also unanswered, so I guess nobody gives a damn.
-
Rage about CVE dataset quality(?)
118955 entries don't even have an affected vendor/product software field, and neither with a valid version string and/or condition. They only contain plaintext descriptions and no version matching field either. Filed an issue here about it.
What are some alternatives?
grype - A vulnerability scanner for container images and filesystems
maccarone - AI-managed code blocks in Python ⏪⏩
vulnix - Vulnerability (CVE) scanner for Nix/NixOS.
Loki - Loki - Simple IOC and YARA Scanner
vulnmine - Vulnmine searches for vulnerable hosts using MS SCCM host / software inventory data with NIST NVD Vulnerability feed data.
cve-schema - This repository is used for the development of the CVE JSON record format. Releases of the CVE JSON record format will also be published here. This repository is managed by the CVE Quality Working Group.
CVE-2021-37740 - PoC for DoS vulnerability CVE-2021-37740 in firmware v3.0.3 of SCN-IP100.03 and SCN-IP000.03 by MDT. The bug has been fixed in firmware v3.0.4.
gsd-tools - Global Security Database Tools
openvas-scanner - This repository contains the scanner component for Greenbone Community Edition.
cvelist - Pilot program for CVE submission through GitHub. CVE Record Submission via Pilot PRs ending 6/30/2023
DependencyCheck - OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
vulnerablecode - A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/