Improving Vulnerability Assessment through Multiple Vulnerability Sources

University essay from Lunds universitet/Institutionen för elektro- och informationsteknik

Author: Gustav Svensson; [2020]

Keywords: Technology and Engineering;

Abstract: Finding vulnerabilities in open source code is becoming more important with the increasing use of open source. The National Vulnerability Database (NVD) provides a database of public vulnerabilities, or CVEs (Common Vulnerabilities and Exposures), which is a standard for identifying vulnerabilities. NVD is the most commonly used source of vulnerabilities, but other vulnerability sources exist, often specific to a programming language or package manager. The package manager Node Package Manager (NPM) has its own vulnerability database, also called a security advisory. Many of the vulnerabilities in the NPM security advisory overlap with the CVEs on NVD, but there are vulnerabilities that do not exist on NVD, and vice versa. In this thesis I will compare NVD and the NPM security advisory by looking at the vulnerabilities that overlap and seeing what information differs, and also by seeing how many vulnerabilities exist on only one of the sources. The mapping of the vulnerabilities will be done by looking at their third-party references: if two entries have common references, they can be mapped to each other. It will also be investigated whether vulnerabilities are published earlier on one of the sources. The goal is to find out whether it is best to use NVD in combination with the NPM security advisory.
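The reference-based mapping the abstract describes, as an added illustration that is not code from the thesis: two sources are joined on shared third-party reference URLs (normalised so that case and a trailing slash do not block a match), entries left unmatched on either side are reported, and for each matched pair the source that published first is identified. The `Advisory` record type and all sample ids, dates and URLs are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Advisory:
    source: str        # "NVD" or "NPM"
    ident: str         # CVE id or NPM advisory id
    published: date
    references: tuple  # third-party reference URLs

def normalize(url):
    """Canonical reference key: lowercase host + path, no scheme, no trailing slash."""
    parts = urlsplit(url.strip().lower())
    return parts.netloc + parts.path.rstrip("/")

def map_by_references(nvd, npm):
    """Pair entries sharing a reference; return (pairs, NVD-only, NPM-only)."""
    index = {}  # normalized reference -> NPM advisories citing it
    for adv in npm:
        for ref in adv.references:
            index.setdefault(normalize(ref), set()).add(adv)
    matched, matched_npm = [], set()
    for adv in nvd:
        hits = set()
        for ref in adv.references:
            hits |= index.get(normalize(ref), set())
        for other in sorted(hits, key=lambda a: a.ident):
            matched.append((adv, other))
            matched_npm.add(other)
    nvd_only = [a for a in nvd if not any(p[0] is a for p in matched)]
    npm_only = [a for a in npm if a not in matched_npm]
    return matched, nvd_only, npm_only

def earlier_source(pair):
    """Which source published a matched vulnerability first: "NVD", "NPM" or "same"."""
    a, b = pair
    if a.published == b.published:
        return "same"
    return a.source if a.published < b.published else b.source

# Constructed sample records: ids, dates and URLs are placeholders, not real advisories.
NVD_SAMPLE = (
    Advisory("NVD", "CVE-XXXX-0001", date(2020, 1, 10), ("https://github.com/example/pkg-a/issues/12", "https://example.invalid/advisory/1")),
    Advisory("NVD", "CVE-XXXX-0002", date(2020, 2, 1), ("https://github.com/example/pkg-b/pull/7",)),
)
NPM_SAMPLE = (
    Advisory("NPM", "NPM-CONSTRUCTED-100", date(2020, 1, 5), ("https://GitHub.com/example/pkg-a/issues/12/",)),
    Advisory("NPM", "NPM-CONSTRUCTED-101", date(2020, 3, 1), ("https://github.com/example/pkg-c/issues/3",)),
)
```

Calling `map_by_references(NVD_SAMPLE, NPM_SAMPLE)` on the constructed data yields one matched pair, one NVD-only entry and one NPM-only entry, and `earlier_source` on the pair reports NPM as the earlier publisher.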
