@@ -23,267 +23,44 @@ ecosystem.
2323
2424.. image :: README.gif
2525
26- Why?
27- ----
28-
29- The existing solutions are commercial proprietary vulnerability databases, which
30- in itself does not make sense because the data is about FOSS (Free and Open
31- Source Software).
32-
33- The National Vulnerability Database which is a primary centralized data source
34- for known vulnerabilities is not particularly well suited to address FOSS
35- security issues because:
36-
37- 1. It predates the explosion of FOSS software usage
38- 2. It's data format reflects a commercial vendor-centric point of view in part
39- due to the usage of `CPE <https://nvd.nist.gov/products/cpe >`__ to map
40- vulnerabilities to existing packages.
41- 3. CPEs are just not designed to map FOSS to vulnerabilities owing to their
42- vendor-product centric semantics. This makes it really hard to answer the
43- fundamental questions "Is package foo vulnerable" and "Is package foo
44- vulnerable to vulnerability bar?"
45-
46- How
47- ---
48-
49- VulnerableCode independently aggregates many software vulnerability data sources
50- and supports data re-creation in a decentralized fashion. These data sources
51- (see complete list `here <./SOURCES.rst >`_) include security advisories
52- published by Linux and BSD distributions, application software package managers
53- and package repositories, FOSS projects, GitHub and more. Thanks to this
54- approach, the data is focused on specific ecosystems yet aggregated in a single
55- database that enables querying a richer graph of relations between multiple
56- incarnations of a package. Being specific increases the accuracy and validity
57- of the data as the same version of an upstream package across different
58- ecosystems may or may not be vulnerable to the same vulnerability.
59-
60- The packages are identified using Package URL `PURL
61- <https://github.com/package-url/purl-spec> `__ as primary identifiers rather than
62- CPEs. This makes answers to questions such as "Is package foo vulnerable
63- to vulnerability bar?" much more accurate and easy to interpret.
64-
65-
66- The primary access to the data is through a REST API.
67-
68- In addition, an emerging web interface goal is to support vulnerabilities data
69- browsing and search and progressively to enable community curation of the data
70- with the addition of new packages and vulnerabilities, and reviewing and
71- updating their relationships.
72-
73- We also plan to mine for vulnerabilities which didn't receive any
74- exposure due to various reasons like but not limited to the complicated
75- procedure to receive CVE ID or not able to classify a bug as a security
76- compromise.
77-
78- Recent presentations:
79-
80- - `Open Source Summit 2020 <docs/Why-Is-There-No-Free-Software-Vulnerability-Database-v1.0.pdf >`__
81-
82-
83-
84- Setting up VulnerableCode
85- -------------------------
86-
87- First clone the source code::
88-
89- git clone https://github.com/nexB/vulnerablecode.git
90- cd vulnerablecode
91-
92-
93- Using Docker Compose
94- ~~~~~~~~~~~~~~~~~~~~~~
95-
96- Please find the docker documentation in `Docker Installation <https://vulnerablecode.readthedocs.io/en/latest/getting-started/docker_installation.html >`__
26+ Getting started
27+ ---------------
9728
98- TL;DR
99- """"""
29+ Run with Docker
30+ ^^^^^^^^^^^^^^^^
10031
10132.. code-block :: bash
10233
10334 git clone https://github.com/nexB/vulnerablecode.git && cd vulnerablecode
10435 make envfile
10536 docker-compose build
10637 docker-compose up
38+ docker-compose run vulnerablecode ./manage.py import --list
10739
108-
109-
110-
111- Without Docker Compose
112- ~~~~~~~~~~~~~~~~~~~~~~
113-
114- **System requirements **
115-
116- - Python 3.8+
117- - PostgreSQL 9+
118- - Compiler toolchain and development files for Python and PostgreSQL
119-
120- On Debian-based distros, these can be installed with::
121-
122- sudo apt-get install python3-venv python3-dev postgresql libpq-dev build-essential
123-
124-
125- **Database configuration **
126-
127- - Create a user named ``vulnerablecode ``. Use ``vulnerablecode `` as password
128- when prompted::
129-
130- sudo -u postgres createuser --no-createrole --no-superuser --login \
131- --inherit --createdb --pwprompt vulnerablecode``
132-
133- - Create a databased named ``vulnerablecode ``::
134-
135- createdb --encoding=utf-8 --owner=vulnerablecode --user=vulnerablecode \
136- --password --host=localhost --port=5432 vulnerablecode
137-
138-
139- **Application dependencies **
140-
141- Create a virtualenv, install dependencies, generate static files and run the database migrations::
142-
143- make envfile
144- python3 -m venv venv
145- source venv/bin/activate
146- pip install -r requirements.txt
147- python manage.py collectstatic
148- python manage.py migrate
149-
150-
151- For a production mode, an environment variable named ``SECRET_KEY `` needs to be
152- set. The recommended way to generate this key is to use the code Django includes
153- for this purpose::
154-
155- SECRET_KEY=$(python -c "from django.core.management import utils; print(utils.get_random_secret_key())")
156-
157- You will also need to setup the `ALLOWED_HOSTS ` array inside `vulnerablecode/settings.py ` according to
158- [django specifications](https://docs.djangoproject.com/en/3.2/ref/settings/#allowed-hosts). One example would be:
159- .. code-block :: python
160-
161- ALLOWED_HOSTS = [' vulnerablecode.your.domain.example.com'
162-
163- , `)
164-
165- Using Nix
166- ~~~~~~~~~
167-
168- You can install VulnerableCode with `Nix <https://nixos.org/download.html >`__
169- (`Flake <https://nixos.wiki/wiki/Flakes >`__ support is needed)::
40+ 8000 `` on your Docker host.
17041
171- cd etc/nix
172- nix-shell -p nixFlakes --run "nix --print-build-logs flake check " # build & run tests
42+ Local development installation
43+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
17344
174- There are several options to use the Nix version::
175-
176- # Enter an interactive environment with all dependencies set up.
177- cd etc/nix
178- nix develop
179- > ../../manage.py ... # invoke the local checkout
180- > vulnerablecode-manage.py ... # invoke manage.py as installed in the nix store
181-
182- # Test the import prodecure using the Nix version.
183- etc/nix/test-import-using-nix.sh --all # import everything
184- # Test the import using the local checkout.
185- INSTALL_DIR=. etc/nix/test-import-using-nix.sh ruby # import ruby only
186-
187-
188- **Keeping the Nix setup in sync **
189-
190- The Nix installation uses `mach-nix <https://github.com/DavHau/mach-nix >`__ to
191- handle Python dependencies because some dependencies are currently not available
192- as Nix packages. All Python dependencies are automatically fetched from
193- ``./requirements.txt ``. If the ``mach-nix ``-based installation fails, you might
194- need to update ``mach-nix `` itself and the `pypi-deps-db
195- <https://github.com/DavHau/pypi-deps-db> `_ version in use (see
196- ``etc/nix/flake.nix:inputs.machnix `` and ``machnixFor.pypiDataRev ``).
197-
198- Non-Python dependencies are curated in::
199-
200- etc/nix/flake.nix:vulnerablecode.propagatedBuildInputs
201-
202-
203-
204- Run Tests
205- ---------
206- Make sure to install dev dependencies by running ``pip install -r requirements-dev.txt ``
207- Use these commands to run code style checks and the test suite::
208-
209- black -l 100 --check .
210- python -m pytest
211-
212-
213- .. _Data import :
214-
215- Data import
216- -----------
217-
218- Some data importers use the GitHub APIs. For this, export the ``GH_TOKEN ``
219- environment variable with::
220-
221- export GH_TOKEN=yourgithubtoken
222-
223- If you are running behind a proxy, you will need to setup the standard ``https_proxy `` variable.
224-
225- export https_proxy=https?://<proxy>:<port>
226-
227- See `GitHub docs
228- <https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token> `_
229- for instructions on how to obtain your GitHub token.
230-
231- To run all data importers use::
232-
233- python manage.py import --all
234-
235- To list available importers use::
236-
237- python manage.py import --list
238-
239- To run specific importers::
240-
241- python manage.py import rust npm
242-
243-
244- REST API access
245- ---------------
246-
247- Start the webserver::
248-
249- python manage.py runserver
250-
251-
252- For full documentation about API endpoints use this URL::
253-
254- http://127.0.0.1:8000/api/docs
255-
256-
257-
258- Continuous periodic Data import
259- -------------------------------
260-
261-
262- If you want to run the import periodically, you can use a systemd timer::
263-
264- $ cat ~/.config/systemd/user/vulnerablecode.service
265-
266- [Unit]
267- Description=Update vulnerability database
268-
269- [Service]
270- Type=oneshot
271- ExecStart=/path/to/venv/bin/python /path/to/vulnerablecode/manage.py import --all
272-
273- $ cat ~/.config/systemd/user/vulnerablecode.timer
45+ .. code-block :: bash
27446
275- [Unit]
276- Description=Periodically update vulnerability database
47+ sudo apt-get install \
48+ python3-venv python3-dev postgresql libpq-dev build-essential
49+ git clone https://github.com/nexB/vulnerablecode.git && cd vulnerablecode
50+ make dev envfile postgres
51+ make test
52+ make run
27753
278- [Timer]
279- OnCalendar=daily
54+ 8000 `` on your machine.
28055
281- [Install]
282- WantedBy=multi-user.target
56+ Populate VulnerableCode data
57+ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
28358
59+ To run all importers and improvers use:
28460
285- Start this "timer" with::
61+ .. code-block :: bash
28662
287- systemctl --user daemon-reload
288- systemctl --user start vulnerablecode.timer
63+ ./manage.py import --all
64+ ./manage.py improve --all
28965
66+
0 commit comments