I recently wrote for opensource.com on A new generation of tools for open source vulnerability management (the above image is credited to opensource.com).
This is my first article written there and while the article itself tends to be vendor-agnostic, this truly is an article about Red Hat Product Security team's use of tooling for vulnerability management and the evolution of the same. We went from no tools, to commandline tools that manipulated Bugzilla, to a monolithic web-based tool (that also manipulated Bugzilla) to a suite of discrete tools to handle vulnerability management with a proper database and proper front-end tools. The reliance on Bugzilla was historical and we're really looking forward to getting rid of it as our "database" because it never should have been.
But you iterate and learn, and the thing I'm most excited about is these tools are now being developed in the open and can benefit others, which none of the earlier tools with their reliance on our modified Bugzilla could do. So if you're interested in vulnerability response tooling, I'd encourage you to read the above article, checkout the linked github repos (noted below for convenience) and see if there is something you can use or contribute to!
- Component Registry: which is used to store all of the component information across any number of products and services
- OSIDB: the Open Security Issue Database, is the database to store all vulnerability data
- OpenLCS: the Open License and Crypto Scanner, is the tool to obtain license and cryptography information from shipped components