Is there a tool to track CVEs for the software that we use?

1. DependencyCheck

   1 12 3 9.8 Java

   Discontinued The dependency-check repository has moved:

   

2. Stream

   getstream.io featured

   Stream - Scalable APIs for Chat, Feeds, Moderation, & Video. Stream helps developers build engaging apps that scale to millions with performant and flexible Chat, Feeds, Moderation, and Video APIs and SDKs powered by a global edge network and enterprise-grade infrastructure.

   

3. Spotbugs

   2 19 3,688 9.6 Java

   SpotBugs is FindBugs' successor. A tool for static analysis to look for bugs in Java code.

   

   While at it you could also point them to static code analyzers such as error_prone, spotbugs and pmd (use all 3 at once - they complement each other in detecting different issues).

4. PMD

   3 24 5,147 9.9 Java

   An extensible multilanguage static code analyzer.

   

   While at it you could also point them to static code analyzers such as error_prone, spotbugs and pmd (use all 3 at once - they complement each other in detecting different issues).

5. Error Prone

   4 18 7,004 9.7 Java

   Catch common Java mistakes as compile-time errors

   

   While at it you could also point them to static code analyzers such as error_prone, spotbugs and pmd (use all 3 at once - they complement each other in detecting different issues).

6. vulnmine

   5 1 38 0.0 Python

   Vulnmine searches for vulnerable hosts using MS SCCM host / software inventory data with NIST NVD Vulnerability feed data.

   

   It is hard. Look at vulmine and the logic behind it for feeding SCCM reports into it.

7. opencve

   6 21 2,095 8.9 Python

   Open-source CVE monitoring and alerting platform

   

   there's also https://www.opencve.io/ which can be selfhosted if wanted

8. openvas-scanner

   7 9 3,949 9.7 Rust

   This repository contains the scanner component for Greenbone Community Edition.

   

   I don't recommend cheaping out on vuln scanning, but if you really can't get any money there's always OpenVAS. That will allow you to do credentialed scanning and track vulnerabilities in your environment. It's no real substitute for Tenable or similar, but it's better than nothing.

9. InfluxDB

   www.influxdata.com featured

   InfluxDB – Built for High-Performance Time Series Workloads. InfluxDB 3 OSS is now GA. Transform, enrich, and act on time series data directly in the database. Automate critical tasks and eliminate the need to move data externally. Download now.

   

10. Wazuh

    8 157 12,868 10.0 C

    Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.

    

    Hi, Wazuh employee here! I think that you might be interested in implementing Wazuh in your company, it's an open-source SIEM that allows you to monitor not only the CVEs that could affect the software that your company uses, but also misconfigurations that could lead to attacks from malicious actors, intrusion detection -such as detecting brute-forcing attacks-, and many other interesting capabilities.

Suggest a related project