2 New Apps Check for Open Source Software Vulnerabilities
WhiteSource and Sonatype unveil free apps businesses can use to check open source code for known security vulnerabilities.
August 20, 2018
As business use of open-source software continues to spread, so do the known vulnerabilities in that software, which every business must watch for as it conducts operations around the world.
To help with that, two vendors, WhiteSource and Sonatype, have released free applications that check open-source code against published vulnerability data and alert IT administrators to a wide range of known security issues.
The WhiteSource Vulnerability Checker is built to detect the 50 most critical open-source vulnerabilities published since July, while Sonatype’s DepShield app lets developers and IT administrators check within their open-source GitHub repositories to look for any components that include known vulnerabilities.
The WhiteSource app is a command-line tool; once downloaded and installed, it scans a development project's software libraries and reports whether any of them match the previous month's top 50 open-source vulnerabilities. Within minutes of scanning the designated libraries, the Vulnerability Checker compiles a detailed report that highlights each detected vulnerability, its severity and its path, along with links to references and suggested fixes, the company said.
Maya Rotenberg, the company’s vice president of marketing, told Channel Futures that the reports created by the app are provided only to the user and not to WhiteSource or any other entities.
“What we are trying to do with this tool is to increase awareness of the crazy amount of open-source software vulnerabilities reported every month,” said Rotenberg.
By running the checker on their code, companies can see whether they are affected by the latest reported vulnerabilities, she added. WhiteSource provides open-source security and license-compliance management.
Each month, WhiteSource also publishes a related list of the top five open-source security vulnerabilities, their risks and their fixes. Its latest post, covering July, includes warnings and information about issues in the Linux kernel, cURL, Samba, Ansible and libpng. The latest vulnerabilities are collected in the WhiteSource database, which is updated continuously from the National Vulnerability Database (NVD) as well as several additional publicly available, peer-reviewed security advisories and issue trackers, the company said.
The Sonatype DepShield vulnerability checker, powered by the company's OSS Index vulnerability monitoring service, integrates directly into GitHub repositories and lets developers identify, and avoid using, open-source components with known vulnerabilities, according to the company.
“The need for more secure coding practices has never been greater,” said Wayne Jackson, Sonatype’s CEO. “Developers live, eat, and breathe in GitHub. While developers find value in GitHub’s native dependency graph, they need – and are demanding – more self-help security.”
By scanning public and private GitHub repositories for users and reporting on the results of the scans, Sonatype is enabling some 28 million developers to add an initial layer of defense to protect themselves and other businesses that use their code, Jackson said.
The DepShield app monitors projects and automatically alerts on security vulnerabilities, according to the company. It presently supports Apache Maven projects, with JavaScript and Python support to come later.
DepShield files the known vulnerabilities it finds as issues in the repository's GitHub issue tracker; clicking an issue shows details including the CVE identifier and CVSS score, the company said. Each issue also lists the vulnerable version range for the component, which lets users determine whether the version their code actually depends on is affected.
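The matching step these tools perform, a declared dependency version checked against an advisory's vulnerable version range, is easy to get wrong at the boundaries. The following is an added example and not code from the article, WhiteSource or Sonatype: a minimal checker that reads Maven-style groupId:artifactId:version coordinates and matches them against advisories expressed the way NVD match data does (a start version that is included and an end version that is excluded). The advisory feed, the dependency list and the "EXAMPLE-2018-000x" identifiers are all constructed placeholders, not real CVEs, and the version ordering is a simplification of Maven's (numeric segments compare numerically, any qualifier such as "-rc1" sorts below the bare release with the same numbers).

```python
"""Minimal known-vulnerability matcher (added example, constructed data only)."""
import re

# Constructed advisory feed. The IDs are placeholders, not real CVE numbers.
# start_incl / end_excl follow the NVD convention: start is included,
# end is excluded, and None means unbounded on that side.
ADVISORIES = [
    {"id": "EXAMPLE-2018-0001", "group": "org.example", "artifact": "json-util",
     "start_incl": "2.0.0", "end_excl": "2.9.4", "cvss": 9.8,
     "fix": "upgrade to 2.9.4 or later"},
    {"id": "EXAMPLE-2018-0002", "group": "org.example", "artifact": "json-util",
     "start_incl": None, "end_excl": "2.10.0", "cvss": 5.3,
     "fix": "upgrade to 2.10.0 or later"},
    {"id": "EXAMPLE-2018-0003", "group": "org.example", "artifact": "http-client",
     "start_incl": "4.0", "end_excl": "4.5.3", "cvss": 7.5,
     "fix": "upgrade to 4.5.3 or later"},
]

# Constructed dependency list, one groupId:artifactId:version per line.
DEPENDENCIES = """
org.example:json-util:2.9.3
org.example:http-client:4.5.3
org.example:logging-core:1.2.17
org.example:json-util:2.9.9-rc1
"""

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?(.*))?$")


def version_key(v):
    """Turn '2.9.4-rc1' into a tuple that sorts the way a dependency tool would.

    Numeric segments compare numerically (2.10 > 2.9) and are padded so that
    4.5 == 4.5.0. A qualifier marks a pre-release and sorts below the bare
    release with the same numbers (2.9.4-rc1 < 2.9.4). Maven's full qualifier
    ordering (ga, final, sp, ...) is deliberately not modeled here.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError("unparseable version: %r" % v)
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    qual = m.group(2) or ""
    return (nums, 0 if qual == "" else -1, qual)


def in_range(version, start_incl, end_excl):
    """True if version lies in [start_incl, end_excl); None bounds are open."""
    k = version_key(version)
    if start_incl is not None and k < version_key(start_incl):
        return False
    if end_excl is not None and k >= version_key(end_excl):
        return False
    return True


def severity(cvss):
    """CVSS v3.x qualitative rating for a base score."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def parse_dependencies(text):
    """Parse 'group:artifact:version' lines; blank lines and # comments are skipped."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":")
        deps.append((group, artifact, version))
    return deps


def check(dep_text, advisories):
    """Return findings (highest CVSS first) for every dependency in a vulnerable range."""
    findings = []
    for group, artifact, version in parse_dependencies(dep_text):
        for adv in advisories:
            if (adv["group"], adv["artifact"]) != (group, artifact):
                continue
            if in_range(version, adv["start_incl"], adv["end_excl"]):
                findings.append({"id": adv["id"], "component": "%s:%s:%s" % (group, artifact, version),
                                 "cvss": adv["cvss"], "severity": severity(adv["cvss"]),
                                 "range": "[%s, %s)" % (adv["start_incl"] or "*", adv["end_excl"] or "*"),
                                 "fix": adv["fix"]})
    findings.sort(key=lambda f: -f["cvss"])  # stable: equal scores keep input order
    return findings


if __name__ == "__main__":
    for f in check(DEPENDENCIES, ADVISORIES):
        print("%-8s %-4.1f %-20s %-32s range %-18s %s"
              % (f["severity"], f["cvss"], f["id"], f["component"], f["range"], f["fix"]))
```

Two boundary cases in the sample data are the ones worth checking in any such tool: http-client 4.5.3 is exactly the excluded end of its advisory range and is correctly reported clean, while json-util 2.9.9-rc1 is a pre-release that numerically sits below 2.10.0 and is therefore still flagged for the second advisory.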
Other open-source management companies, including Black Duck Software and Snyk, also offer similar open-source dependency checkers.