3

Is there a reliable, public registry (preferably in the form of an API) that records known security vulnerabilities in open source software?

Why would anyone want this?

I'm trying to emulate GitHub's Dependabot on a local server. It simply scans all repositories, checks dependencies for updates, and alerts the maintainer, but I have no way to tell them of the update's severity. Most updates are completely innocuous (and not urgent at all). Yet a small portion are extremely serious and should be actioned immediately.

Ultimately, I would like to find a programmatic way of determining which open source library updates are regular updates vs. which ones contain vital security updates (i.e. without a human having to research each one).

For reference, here's an example of what Dependabot does (note the right-hand side, where it shows the severity of updates):

[screenshot of Dependabot's dependency update list with the severity column]

stevec

2 Answers

1

There are multiple sites that track "CVEs" (Common Vulnerabilities and Exposures), though I believe MITRE maintains the canonical list. You can also look up the National Vulnerability Database from NIST (part of the US government), which contains all CVEs (and possibly other findings too?) and has feeds for new vulnerabilities.

These databases cover open-source software, proprietary software that uses open-source components, and also any assigned vulns in fully proprietary software. I've never tried to use an API from either of them, but it's probably possible (the web UI supports various kinds of searching and filtering, so if nothing else you should be able to screen-scrape). Note however that these are definitely not comprehensive lists; most security bugs (especially if they are low impact or unlikely to affect many users, due to being in niche software and/or patched immediately with minimal exposure) never get assigned a CVE or similar.

CBHacking
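The NVD does have a JSON API, and the part that matters for the asker's use case is not fetching the records but deciding, per CVE, whether the installed version is affected and whether the proposed update actually leaves the vulnerable range. The following is an added example (not code from the answer above, nor NIST's own tooling) that performs that triage over a constructed response shaped like the NVD CVE API 2.0 schema as I understand it (`vulnerabilities[].cve.metrics`, `cve.configurations[].nodes[].cpeMatch[]` with the `versionStart*`/`versionEnd*` bounds); the endpoint URL, the `cpeName` query parameter, the `example:widget` product and the `CVE-0000-*` identifiers are assumptions and placeholders, not real records.

```python
"""Triage a dependency update against NVD CVE API 2.0 results (added example)."""
import json
import re

# Constructed sample in the shape of an NVD CVE API 2.0 response (the live
# endpoint, as I understand it, is https://services.nvd.nist.gov/rest/json/cves/2.0
# queried with ?cpeName=<CPE 2.3 string>). The CVE IDs and the "example:widget"
# product are placeholders, not real records.
SAMPLE_NVD_RESPONSE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001",
             "metrics": {"cvssMetricV31": [
                 {"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:example:widget:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "1.0.0",
                  "versionEndExcluding": "1.4.2"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002",
             # CVSS v2 records carry baseSeverity beside cvssData, not inside it.
             "metrics": {"cvssMetricV2": [
                 {"cvssData": {"baseScore": 4.3}, "baseSeverity": "MEDIUM"}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:example:widget:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "1.2.0"}]}]}]}},
    {"cve": {"id": "CVE-0000-0003",
             "metrics": {"cvssMetricV31": [
                 {"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:example:widget:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.0.0",
                  "versionEndExcluding": "2.0.5"}]}]}]}},
]})

SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
BOUND_KEYS = ("versionStartIncluding", "versionStartExcluding",
              "versionEndIncluding", "versionEndExcluding")


def parse_version(text: str) -> list:
    """'1.4.2' -> [1, 4, 2]; a non-numeric component compares as 0."""
    out = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        out.append(int(m.group()) if m else 0)
    return out


def version_cmp(a: str, b: str) -> int:
    """-1, 0 or 1; pads so that 1.4 == 1.4.0 (dotted-numeric versions only)."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += [0] * (n - len(va))
    vb += [0] * (n - len(vb))
    return (va > vb) - (va < vb)


def in_vulnerable_range(version: str, match: dict) -> bool:
    """Apply the optional bound keys NVD puts on a cpeMatch entry."""
    if not match.get("vulnerable", False):
        return False
    if not any(k in match for k in BOUND_KEYS):
        # No range given: the version is the 6th field of the CPE itself.
        cpe_version = match["criteria"].split(":")[5]
        return cpe_version == "*" or version_cmp(version, cpe_version) == 0
    checks = (("versionStartIncluding", lambda c: c >= 0),
              ("versionStartExcluding", lambda c: c > 0),
              ("versionEndIncluding", lambda c: c <= 0),
              ("versionEndExcluding", lambda c: c < 0))
    return all(key not in match or ok(version_cmp(version, match[key]))
               for key, ok in checks)


def cvss_severity(cve: dict) -> tuple:
    """Prefer CVSS v3.1, then v3.0, then v2; return (score, severity label)."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        for m in metrics.get(key, []):
            data = m.get("cvssData", {})
            sev = data.get("baseSeverity") or m.get("baseSeverity") or "NONE"
            return float(data.get("baseScore", 0.0)), sev.upper()
    return 0.0, "NONE"


def triage_update(response_text: str, cpe_prefix: str,
                  installed: str, candidate: str) -> list:
    """CVEs affecting `installed`, each flagged with whether `candidate` escapes it."""
    findings = []
    for entry in json.loads(response_text)["vulnerabilities"]:
        cve = entry["cve"]
        matches = [m for cfg in cve.get("configurations", [])
                   for node in cfg.get("nodes", [])
                   for m in node.get("cpeMatch", [])
                   if m.get("criteria", "").startswith(cpe_prefix)]
        if not any(in_vulnerable_range(installed, m) for m in matches):
            continue  # installed version is not affected by this CVE
        still_hit = any(in_vulnerable_range(candidate, m) for m in matches)
        score, sev = cvss_severity(cve)
        findings.append({"id": cve["id"], "score": score, "severity": sev,
                         "fixed_by_update": not still_hit})
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)
    return findings


def update_severity(findings: list) -> str:
    """Highest severity among the CVEs the update actually fixes, else NONE."""
    fixed = [f for f in findings if f["fixed_by_update"]]
    if not fixed:
        return "NONE"
    return max(fixed, key=lambda f: SEVERITY_RANK[f["severity"]])["severity"]


if __name__ == "__main__":
    prefix = "cpe:2.3:a:example:widget:"
    report = triage_update(SAMPLE_NVD_RESPONSE, prefix, "1.1.0", "1.4.2")
    for finding in report:
        print(finding)
    print("update severity:", update_severity(report))
```

Two things the sample is built to show: a CVE whose only metric is CVSS v2 keeps its severity label in a different place than v3.x records, and an update that moves the version but stays inside the vulnerable range (1.1.0 to 1.2.0 here) fixes nothing and should not be labelled a security update. Version comparison is deliberately naive (dotted integers); a real scanner should use the ecosystem's own ordering rules, and, as the answer says, absence of a CVE is not evidence that the update is harmless.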
0

The GitHub Advisory Database shows security vulnerabilities for:

  • Composer
  • Maven
  • npm
  • NuGet
  • pip
  • RubyGems


This is obviously not a comprehensive list of security vulnerabilities in all open source software, but it's a start.

stevec
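The GitHub Advisory Database is also exposed through GitHub's GraphQL API, and its records are closer to what a Dependabot clone needs than raw CVEs: each one is keyed by ecosystem and package name, carries a comparator-style `vulnerableVersionRange` and a `firstPatchedVersion`, and uses GitHub's own severity scale (LOW, MODERATE, HIGH, CRITICAL rather than CVSS labels). The following is an added example (not code from the answer above, nor GitHub's own tooling) that builds the query, parses the range syntax and classifies an update; the field names and enum values are as I understand the schema and should be checked against the API explorer, and the `GHSA-0000-*` identifiers, ranges and `example-package` name are constructed placeholders, not real advisories.

```python
"""Rank a dependency update with GitHub Advisory Database data (added example)."""
import json
import re

# Query for the securityVulnerabilities connection of GitHub's GraphQL API
# (POST to https://api.github.com/graphql as {"query": ..., "variables": ...}
# with an "Authorization: bearer <token>" header). Field names are assumed
# from the schema as I understand it.
ADVISORY_QUERY = """
query($ecosystem: SecurityAdvisoryEcosystem!, $package: String!) {
  securityVulnerabilities(ecosystem: $ecosystem, package: $package, first: 100) {
    nodes {
      severity
      vulnerableVersionRange
      firstPatchedVersion { identifier }
      advisory { ghsaId summary }
    }
  }
}
"""


def build_request(ecosystem: str, package: str) -> dict:
    """Request body; ecosystem is an enum value such as COMPOSER, MAVEN, NPM, NUGET, PIP or RUBYGEMS."""
    return {"query": ADVISORY_QUERY,
            "variables": {"ecosystem": ecosystem, "package": package}}


# Constructed sample shaped like a response to that query. GHSA IDs, ranges
# and summaries are placeholders, not real advisories.
SAMPLE_RESPONSE = json.dumps({"data": {"securityVulnerabilities": {"nodes": [
    {"severity": "CRITICAL", "vulnerableVersionRange": ">= 4.0.0, < 4.17.12",
     "firstPatchedVersion": {"identifier": "4.17.12"},
     "advisory": {"ghsaId": "GHSA-0000-0000-0001", "summary": "placeholder advisory 1"}},
    {"severity": "MODERATE", "vulnerableVersionRange": "< 4.17.5",
     "firstPatchedVersion": {"identifier": "4.17.5"},
     "advisory": {"ghsaId": "GHSA-0000-0000-0002", "summary": "placeholder advisory 2"}},
    {"severity": "LOW", "vulnerableVersionRange": "= 4.17.13",
     "firstPatchedVersion": None,  # null when no fixed release exists yet
     "advisory": {"ghsaId": "GHSA-0000-0000-0003", "summary": "placeholder advisory 3"}},
]}}})

SEVERITY_RANK = {"NONE": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3, "CRITICAL": 4}
OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
       ">": lambda c: c > 0, ">=": lambda c: c >= 0}


def version_cmp(a: str, b: str) -> int:
    """Dotted-numeric comparison only; real code should use the ecosystem's rules."""
    va = [int(x) for x in re.findall(r"\d+", a)]
    vb = [int(x) for x in re.findall(r"\d+", b)]
    n = max(len(va), len(vb))
    va += [0] * (n - len(va))
    vb += [0] * (n - len(vb))
    return (va > vb) - (va < vb)


def in_range(version: str, range_text: str) -> bool:
    """Evaluate GitHub's comma-separated comparator syntax, e.g. '>= 1.0, < 1.2.3'."""
    for clause in range_text.split(","):
        m = re.fullmatch(r"\s*(<=|>=|<|>|=)\s*(\S+)\s*", clause)
        if not m:
            raise ValueError(f"unrecognised range clause: {clause!r}")
        op, bound = m.groups()
        if not OPS[op](version_cmp(version, bound)):
            return False
    return True


def rank_update(response_text: str, installed: str, candidate: str) -> dict:
    """Classify every advisory relative to the installed and candidate versions."""
    nodes = json.loads(response_text)["data"]["securityVulnerabilities"]["nodes"]
    fixes, still_vulnerable, introduced = [], [], []
    for node in nodes:
        rng = node["vulnerableVersionRange"]
        before, after = in_range(installed, rng), in_range(candidate, rng)
        ghsa = node["advisory"]["ghsaId"]
        if before and not after:
            fixes.append(node)
        elif before and after:
            still_vulnerable.append(ghsa)  # update stops short of firstPatchedVersion
        elif after:
            introduced.append(ghsa)  # the candidate itself is an affected version
    top = max((SEVERITY_RANK[n["severity"]] for n in fixes), default=0)
    return {"severity": next(k for k, v in SEVERITY_RANK.items() if v == top),
            "fixes": [n["advisory"]["ghsaId"] for n in fixes],
            "still_vulnerable": still_vulnerable,
            "introduced": introduced}


if __name__ == "__main__":
    print(json.dumps(build_request("NPM", "example-package"))[:80], "...")
    print(rank_update(SAMPLE_RESPONSE, "4.17.4", "4.17.12"))
    print(rank_update(SAMPLE_RESPONSE, "4.17.12", "4.17.13"))
```

The `introduced` bucket is the case a plain "newer is safer" rule misses: the second call above moves onto a version that is itself the subject of an unpatched advisory, so the alert should say so rather than report a clean update. The parser raises on a clause it does not recognise instead of silently treating it as "not affected", which is the failure mode you want to notice in a scanner.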