WhiteSource and Sonatype unveil free apps businesses can use to check open source code for known security vulnerabilities.

Todd R. Weiss

August 20, 2018


As open-source software use by businesses continues to spread, so do the security vulnerabilities that all businesses must watch for as they conduct their operations around the world.

To fight those vulnerabilities, two vendors – WhiteSource and Sonatype – have released free open-source software vulnerability checker applications that will alert IT administrators to a wide range of known security issues in open-source code.

The WhiteSource Vulnerability Checker is built to detect the 50 most critical open-source vulnerabilities published since July, while Sonatype’s DepShield app lets developers and IT administrators check within their open-source GitHub repositories to look for any components that include known vulnerabilities.

The WhiteSource app is a command-line tool that, once downloaded and installed, imports and scans a development project's software libraries to check whether they include any of the last month's top 50 open-source vulnerabilities. Within minutes of scanning the designated libraries, the Vulnerability Checker compiles a detailed report that highlights the detected vulnerabilities, their severity and paths, and links to references and suggested fixes, the company said.

Maya Rotenberg, the company’s vice president of marketing, told Channel Futures that the reports created by the app are provided only to the user and not to WhiteSource or any other entities.

“What we are trying to do with this tool is to increase awareness of the crazy amount of open-source software vulnerabilities reported every month,” said Rotenberg.

(Photo: Maya Rotenberg)

By running the checker on their code, companies can see whether they are affected by the latest reported vulnerabilities, she added. WhiteSource provides open-source security and license compliance management.

Each month, WhiteSource also publishes a related list of the top five open-source software security vulnerabilities and their dangers and fixes. In its latest post about July vulnerabilities, the company includes warnings and information about issues with the Linux kernel, cURL, Samba, Ansible and libpng. The latest vulnerabilities are collected in the WhiteSource database, which is updated continuously from the National Vulnerability Database (NVD), as well as several additional publicly available, peer-reviewed security advisories and issue trackers, the company said.

The Sonatype DepShield vulnerability checker, which is powered by the company’s OSS Index, a vulnerability monitoring service, integrates directly into GitHub repositories and allows developers to easily identify and avoid using open source components with known vulnerabilities, according to the company.

“The need for more secure coding practices has never been greater,” said Wayne Jackson, Sonatype’s CEO. “Developers live, eat, and breathe in GitHub. While developers find value in GitHub’s native dependency graph, they need – and are demanding – more self-help security.”

By scanning public and private GitHub repositories for users and reporting on the results of the scans, Sonatype is enabling some 28 million developers to add an initial layer of defense to protect themselves and other businesses that use their code, Jackson said.

(Photo: Wayne Jackson)

The DepShield app monitors projects and automatically alerts on security vulnerabilities, according to the company. It is presently available for Apache Maven, with JavaScript and Python support coming later.

DepShield allows users to view a list of known security vulnerabilities within GitHub’s Issue Tracker and then click on an issue to view vulnerability details including CVE and CVSS, the company said. Users can also determine vulnerable version ranges on each given vulnerability, giving them valuable information to determine if their code is affected.
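The core step both tools perform, matching a project's resolved dependencies against an advisory feed and reporting vulnerability id, CVSS score, severity, dependency path, affected version range and fix, is shown below as an added example. It is not code from WhiteSource, Sonatype or this article. The advisory feed and dependency list are constructed for the example: the component coordinates are hypothetical, the vulnerability ids are placeholders (not real CVE numbers), and the version ranges use Maven-style interval notation.

```python
"""Added example: a toy open-source dependency vulnerability checker.

Not WhiteSource's or Sonatype's code. Advisories and dependencies below are
constructed; "CVE-EXAMPLE-*" ids are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Advisory:
    group: str
    artifact: str
    vuln_id: str       # placeholder id (constructed)
    cvss: float        # CVSS base score
    affected: str      # Maven-style interval, e.g. "[2.0.0,2.4.1)" or "(,1.5.0]"
    fixed_in: str      # first version that carries the fix


@dataclass(frozen=True)
class Dependency:
    group: str
    artifact: str
    version: str
    path: Tuple[str, ...]   # how the component was pulled in: root -> ... -> this


@dataclass(frozen=True)
class Finding:
    dependency: Dependency
    advisory: Advisory


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.1' into (2, 4, 1). Qualifiers are dropped; short versions are zero-padded."""
    parts: List[int] = []
    for piece in v.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def in_range(version: str, interval: str) -> bool:
    """Evaluate a Maven-style interval: [a,b) (a,b] [a,) (,b] or exact [a]."""
    interval = interval.strip()
    lo_inclusive = interval[0] == "["
    hi_inclusive = interval[-1] == "]"
    body = interval[1:-1]
    v = parse_version(version)
    if "," not in body:                      # exact pin, e.g. [3.1.0]
        return v == parse_version(body)
    lo, hi = (s.strip() for s in body.split(",", 1))
    if lo:
        lo_v = parse_version(lo)
        if v < lo_v or (v == lo_v and not lo_inclusive):
            return False
    if hi:
        hi_v = parse_version(hi)
        if v > hi_v or (v == hi_v and not hi_inclusive):
            return False
    return True


def severity(cvss: float) -> str:
    """Qualitative CVSS v3 rating bands."""
    if cvss >= 9.0:
        return "CRITICAL"
    if cvss >= 7.0:
        return "HIGH"
    if cvss >= 4.0:
        return "MEDIUM"
    return "LOW" if cvss > 0.0 else "NONE"


def check(deps: List[Dependency], advisories: List[Advisory]) -> List[Finding]:
    """Match every dependency against every advisory for the same coordinates; worst first."""
    findings = [
        Finding(d, a)
        for d in deps
        for a in advisories
        if (d.group, d.artifact) == (a.group, a.artifact) and in_range(d.version, a.affected)
    ]
    return sorted(findings, key=lambda f: -f.advisory.cvss)


def report(findings: List[Finding]) -> str:
    """Render the report the way a CLI checker would: id, score, component, path, fix."""
    lines = []
    for f in findings:
        d, a = f.dependency, f.advisory
        lines.append(f"{severity(a.cvss)} {a.vuln_id} (CVSS {a.cvss}) in {d.group}:{d.artifact}:{d.version}")
        lines.append(f"  path: {' -> '.join(d.path)}")
        lines.append(f"  affected: {a.affected}; fix: upgrade to {a.fixed_in}")
    return "\n".join(lines) if lines else "No known vulnerabilities found."


# Constructed advisory feed (hypothetical components, placeholder ids).
ADVISORIES = [
    Advisory("org.example", "json-parser", "CVE-EXAMPLE-0001", 9.8, "[2.0.0,2.4.1)", "2.4.1"),
    Advisory("org.example", "http-client", "CVE-EXAMPLE-0002", 5.3, "(,1.5.0]", "1.5.1"),
    Advisory("org.example", "image-lib", "CVE-EXAMPLE-0003", 7.5, "[3.1.0]", "3.1.1"),
]

# Constructed dependency tree as a resolver would report it.
DEPENDENCIES = [
    Dependency("org.example", "json-parser", "2.3.0",
               ("myapp", "org.example:web-framework:4.0", "org.example:json-parser:2.3.0")),
    Dependency("org.example", "http-client", "1.5.0", ("myapp", "org.example:http-client:1.5.0")),
    Dependency("org.example", "image-lib", "3.1.1", ("myapp", "org.example:image-lib:3.1.1")),
    Dependency("org.example", "json-parser", "2.4.1",
               ("myapp", "org.example:tools:1.0", "org.example:json-parser:2.4.1")),
]

if __name__ == "__main__":
    print(report(check(DEPENDENCIES, ADVISORIES)))
```

Only two of the four constructed dependencies are flagged: json-parser 2.4.1 sits exactly on the exclusive upper bound of its range and image-lib 3.1.1 is not the pinned 3.1.0, which is why a checker has to honour the open/closed bracket rather than just comparing major versions. The dependency path matters in practice because a transitive component such as json-parser pulled in through web-framework has to be fixed by bumping the parent or overriding the version, not by editing a direct dependency.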

Other open-source management companies, including Black Duck Software and Snyk, also offer similar open-source code checker apps.


About the Author(s)

Todd R. Weiss

Todd R. Weiss is an award-winning technology journalist who covers open source and Linux, cloud service providers, cloud computing, virtualization, containers and microservices, mobile devices, security, enterprise applications, enterprise IT, software development and QA, IoT and more. He has worked previously as a staff writer for Computerworld and eWEEK.com, covering a wide variety of IT beats. He spends his spare time working on a book about an unheralded member of the 1957 Milwaukee Braves, watching classic Humphrey Bogart movies and collecting toy taxis from around the world.
