Black Duck Security Advisories provide more-accurate information on vulnerable software version ranges to help customers get more out of NVD data.
**Disclaimer** The information contained within this blog post was accurate at the time of writing.
The National Vulnerability Database (NVD) is considered the go-to source for accurate information on vulnerability management data, including vulnerable open source software versions. But is it the most accurate and thorough source?
The full range of vulnerable software versions is considered the most important and useful vulnerability data—it’s vital for determining whether a given piece of software is within the range of versions affected by a vulnerability. There is no room for error when identifying vulnerable ranges. Inaccuracies can lead to false alarms, or worse, the release of misleading information that software is fixed or safe when in fact it is vulnerable.
But the vulnerable ranges that the NVD identifies are often too short or too long, meaning that vulnerable versions may be missed, or a fixed version may be included. Black Duck® Security Advisories (BDSAs), created by the Synopsys Cybersecurity Research Center (CyRC), address this issue by performing thorough research from public sources and tracing vulnerable code within source repositories. These techniques enable the CyRC to discover more-precise vulnerable version ranges and deliver BDSAs with more accurate and secure information to customers.
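To make the "too short or too long" problem concrete, here is an added example (not code from the original post or from Black Duck) that checks a version against an NVD-style range and compares the result with a more precise range. The field names mirror the NVD CPE match configuration keys (versionStartIncluding, versionEndExcluding, and so on); the ranges and versions are constructed sample data, and the parser assumes purely numeric dotted versions.

```python
"""Added example: NVD-style vulnerable range matching and misclassification check.
Ranges and versions below are constructed samples, not real advisory data."""
from dataclasses import dataclass
from typing import Optional, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple ('2.10.1' -> (2, 10, 1)).
    Assumes numeric components only; tuple comparison orders 2.9.9 before 2.10.1."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class VersionRange:
    """Subset of an NVD CPE match node: each bound is optional, inclusive or exclusive."""
    start_including: Optional[str] = None
    start_excluding: Optional[str] = None
    end_including: Optional[str] = None
    end_excluding: Optional[str] = None

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        if self.start_including and v < parse_version(self.start_including):
            return False
        if self.start_excluding and v <= parse_version(self.start_excluding):
            return False
        if self.end_including and v > parse_version(self.end_including):
            return False
        if self.end_excluding and v >= parse_version(self.end_excluding):
            return False
        return True

def classify(nvd_range: VersionRange, precise_range: VersionRange, version: str) -> str:
    """Compare the NVD range against a precise range for one version.
    'false_positive': NVD flags a version the precise range excludes (range too long).
    'false_negative': NVD misses a version the precise range includes (range too short).
    'agree': both ranges give the same answer."""
    nvd, precise = nvd_range.contains(version), precise_range.contains(version)
    if nvd and not precise:
        return "false_positive"
    if precise and not nvd:
        return "false_negative"
    return "agree"

if __name__ == "__main__":
    # Constructed scenario: the fix actually landed in 1.3.2, but the NVD range ends at 1.4.0.
    nvd = VersionRange(start_including="1.0.0", end_excluding="1.4.0")
    precise = VersionRange(start_including="1.0.0", end_excluding="1.3.2")
    print(classify(nvd, precise, "1.3.2"))  # false_positive: a fixed version is flagged
    # Constructed scenario: NVD starts at 1.2.0, but 1.0.0 through 1.1.x are also affected.
    short = VersionRange(start_including="1.2.0", end_excluding="1.3.2")
    print(classify(short, precise, "1.1.0"))  # false_negative: a vulnerable version is missed
```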