COSMOS enables an enterprise to monitor known vulnerabilities in the open source libraries that its applications use. It consists of a command line tool for CI/CD integration that registers an app's open source libraries, a Python Flask-RestX API for storing project and vulnerability information, a harvester for downloading the most up-to-date vulnerability information from NIST's National Vulnerability Database (NVD), and a React UI. Each service is containerized and can be deployed to a cloud hosting service.
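The core check behind a tool like this is matching each registered library against the vulnerable CPE ranges in the NVD records. The following is an added illustrative example, not COSMOS's own harvester, API or CLI code: it assumes the NVD CVE API 2.0 JSON layout (`vulnerabilities[].cve.configurations[].nodes[].cpeMatch[]` with `criteria`, `vulnerable` and the `versionStart*`/`versionEnd*` bounds), and the feed, the `example_vendor` products and the `CVE-EXAMPLE-*` identifiers are constructed sample data, not real vulnerabilities.

```python
"""Added example (not COSMOS project code): match an application's registered
open source libraries against NVD-style CVE records. Record shape follows the
NVD CVE API 2.0 JSON layout as an assumption; all data below is constructed."""


def version_key(v):
    """Turn '2.4.1' into (2, 4, 1). A non-numeric suffix such as '1.0rc1'
    contributes only its leading digits, which is enough for simple dotted
    versions; real feeds need a fuller scheme."""
    key = []
    for part in v.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        key.append(int(digits) if digits else 0)
    return tuple(key)


def compare(a, b):
    """Return -1, 0 or 1 comparing two dotted versions, padding short ones."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def cpe_fields(criteria):
    """Split a CPE 2.3 string (cpe:2.3:part:vendor:product:version:...) into
    (vendor, product, version). Sample data uses no escaped colons."""
    f = criteria.split(":")
    return f[3], f[4], f[5]


def match_in_range(version, m):
    """True when `version` is the cpeMatch entry's explicit version or falls
    inside its versionStart*/versionEnd* bounds."""
    _, _, cpe_version = cpe_fields(m["criteria"])
    if cpe_version not in ("*", "-"):
        return compare(version, cpe_version) == 0
    lo_inc, lo_exc = m.get("versionStartIncluding"), m.get("versionStartExcluding")
    hi_inc, hi_exc = m.get("versionEndIncluding"), m.get("versionEndExcluding")
    if lo_inc and compare(version, lo_inc) < 0:
        return False
    if lo_exc and compare(version, lo_exc) <= 0:
        return False
    if hi_inc and compare(version, hi_inc) > 0:
        return False
    if hi_exc and compare(version, hi_exc) >= 0:
        return False
    return True


def find_vulnerable(libraries, feed):
    """Map each registered library ('vendor:product:version') to the ids of
    CVEs whose vulnerable cpeMatch entries cover it. Only OR nodes are
    evaluated; AND nodes (platform combinations) are skipped as a
    simplification, and entries with vulnerable=false are ignored."""
    hits = {}
    for lib in libraries:
        key = f"{lib['vendor']}:{lib['product']}:{lib['version']}"
        hits[key] = []
        for item in feed["vulnerabilities"]:
            cve = item["cve"]
            for cfg in cve.get("configurations", []):
                for node in cfg.get("nodes", []):
                    if node.get("operator", "OR") != "OR":
                        continue
                    for m in node.get("cpeMatch", []):
                        if not m.get("vulnerable", False):
                            continue
                        vendor, product, _ = cpe_fields(m["criteria"])
                        if (vendor, product) != (lib["vendor"], lib["product"]):
                            continue
                        if match_in_range(lib["version"], m) and cve["id"] not in hits[key]:
                            hits[key].append(cve["id"])
    return hits


# Constructed sample feed in the assumed NVD 2.0 shape; ids are placeholders.
SAMPLE_FEED = {"vulnerabilities": [
    {"cve": {"id": "CVE-EXAMPLE-0001", "configurations": [{"nodes": [
        {"operator": "OR", "cpeMatch": [
            {"vulnerable": True, "criteria": "cpe:2.3:a:example_vendor:libfoo:*:*:*:*:*:*:*:*",
             "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.4.1"},
            {"vulnerable": False, "criteria": "cpe:2.3:o:example_vendor:example_os:*:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-EXAMPLE-0002", "configurations": [{"nodes": [
        {"operator": "OR", "cpeMatch": [
            {"vulnerable": True, "criteria": "cpe:2.3:a:example_vendor:libbar:1.3.7:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-EXAMPLE-0003", "configurations": [{"nodes": [
        {"operator": "OR", "cpeMatch": [
            {"vulnerable": True, "criteria": "cpe:2.3:a:example_vendor:libbaz:*:*:*:*:*:*:*:*",
             "versionEndIncluding": "0.9"}]}]}]}},
]}

# Constructed list of libraries an app would register via the CLI.
SAMPLE_LIBRARIES = [
    {"vendor": "example_vendor", "product": "libfoo", "version": "2.3.0"},
    {"vendor": "example_vendor", "product": "libfoo", "version": "2.4.1"},
    {"vendor": "example_vendor", "product": "libbar", "version": "1.3.7"},
    {"vendor": "example_vendor", "product": "libbar", "version": "1.4.0"},
    {"vendor": "example_vendor", "product": "libbaz", "version": "1.0.0"},
]

if __name__ == "__main__":
    for lib, cves in find_vulnerable(SAMPLE_LIBRARIES, SAMPLE_FEED).items():
        print(lib, "->", cves or "no known CVEs in feed")
```

The boundary cases are the point: `libfoo 2.4.1` is clean because the range end is exclusive, `libbaz 1.0.0` is clean because the inclusive end is `0.9`, and the `example_os` entry is skipped because NVD marks platform entries with `vulnerable: false`. A production harvester would also need to evaluate AND nodes and to map package names to CPE vendor/product pairs, which is where most false positives and negatives come from.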
COSMOS was developed at the National Geospatial-Intelligence Agency (NGA) by federal government employees in the course of their official duties, so it is not subject to copyright protection and is in the public domain in the United States.
You are free to use the core public domain portions of COSMOS for any purpose. Modifications back to the cores of any dependency functions are subject to the original licenses and are separate from the core public domain work of COSMOS.
NGA is posting code created by government officers in their official duties in transparent platforms to increase the impact and reach of taxpayer-funded code. NGA is also posting COSMOS to increase the amount of free and open cyber-security tools available to bolster cyber-security health more broadly.
If you'd like to contribute to this project, please make a pull request. We'll review the pull request and discuss the changes. This project is in the public domain within the United States and all changes to the core public domain portions will be released back into the public domain. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest. Modifications to dependencies under copyright-based open source licenses are subject to the original license conditions.
Please see the "third_party" directory in the repository for the list of dependencies.