Find vulnerabilities (Web UI)

This tutorial aims to show you how to integrate VulnerableCode with ScanCode.io and how to discover vulnerable packages using the find_vulnerabilities pipeline.

Note

This tutorial assumes that you have a working installation of ScanCode.io. If you don’t, please refer to the Installation page.

Configure VulnerableCode integration

Warning

The find_vulnerabilities pipeline requires access to a VulnerableCode database.

You can either run your own instance of VulnerableCode or connect to the public one. Authentication is provided using an API key that you can obtain by registering at https://public.vulnerablecode.io/account/request_api_key/

Set the VULNERABLECODE_URL and VULNERABLECODE_API_KEY in your local settings:

• in the docker.env file if your run with docker

• in the .env for a local development deployment

For example:

VULNERABLECODE_URL=https://public.vulnerablecode.io/
VULNERABLECODE_API_KEY=c1fa7dc1fd0a408880ba2dfdf63c1124abca9477

Note

Optionally contact nexB support at support@nexb.com with your API user email if you are doing a larger scale evaluation and need to ease API throttling limitations.

Run the find_vulnerabilities pipeline

Open any of your existing projects containing a few detected packages.

Note

If you do not have any projects available, please start with this tutorial: Analyze Docker Image (Web UI)

• Click on the “Add pipeline” button and select the “find_vulnerabilities” pipeline from the dropdown list. Check the “Execute pipeline now” option and validate with the “Add pipeline” button.

• Once the pipeline run completes with success, you can reach the Packages list view by clicking the count number under the “PACKAGES” header:

• A red bug icon is displayed next to all packages for which declared vulnerabilities were found:

• Click red bug icon to reach the vulnerability details for this package: