WhiteSource, an open source security and license compliance management solution provider, has launched Vulnerability Checker, a new, free and standalone CLI tool that provides alerts on critical open source vulnerabilities.
Vulnerability Checker is available to download as a desktop application directly from the WhiteSource website, and offers users the opportunity to import and scan any library, and also to run a check on a chosen development project against last month's top fifty vulnerabilities. The Vulnerability Checker provides an alert if any open source component within the scanned library contains one or more of the top new open source security vulnerabilities enumerated in the previous month's report.
Every month, open source community contributors and researchers publish dozens of new security vulnerabilities found in open source projects. In its 'Top Open Source Vulnerabilities of the Month' report, the WhiteSource research team outlines the vulnerabilities most impactful to users over the course of the past month to help promote and facilitate proper open source security and compliance. WhiteSource's new Vulnerability Checker syncs with its research team's monthly reports, and detects all open source components in users' projects, providing an immediate alert if any of the month's top new vulnerabilities are detected.
InfoQ asked Rami Sass, co-founder and CEO of WhiteSource for more details on the new tool:
InfoQ: How does WhiteSource prioritise the vulnerabilities to decide on the top fifty?
Rami Sass: It prioritises all open source vulnerabilities based on CVSS score (vulnerability severity), and the available/recommended fixes according to the open source communities. The top fifty open source vulnerabilities are chosen by our research team based on their impact on our user base of over five-hundred organisations of all sizes and all verticals.
We count the number of occurrences of each vulnerability and rate it based on the number of projects now turned vulnerable.
InfoQ: What does 'real-time' mean in this context?
Sass: The application will provide the user with information within minutes regarding which vulnerabilities they have in their products. The information is up to date based on all vulnerabilities reported from July 1st to July 31st and includes all the patches available until the day before the release (August 8th). Going forward, the information will update every month to provide users with the most accurate vulnerabilities based on the top fifty vulnerabilities from the previous calendar month.
InfoQ: Does WhiteSource provide services outside of Open Source vulnerability scanning?
Sass: Yes, we help development teams secure and manage the open source components in their software. In addition to open source vulnerability detection and remediation, WhiteSource automates the entire process of open source component selection, approval and tracking, and automates the entire process of open source compliance.
InfoQ: Does WhiteSource integrate with any source control or CI tools or other parts of the DevOps toolchain?
Sass: The full WhiteSource solution, not the free tool, integrates with all development tools throughout the software development lifecycle (SDLC) from repositories, build tools, package managers, CI servers and even issue trackers.
We have plugins that integrate with all common developer tools, and every time you run your build or do a commit, our plugins calculate a digital signature and then cross-reference it with our database to detect all open source components, including all dependencies. Once a component is detected we pull all relevant information regarding its security, quality, and licenses.
InfoQ: What does the alert look like? How much detail is provided to the user of the tool about the nature of the problem and the steps to remediate?
Sass: After completing a scan of the user's requested libraries, the Vulnerability Checker shows all vulnerabilities detected in the software and the path, indicating which library includes which vulnerability. We also show the CVSS 3.0 score, provide links to references and even supply the suggested fix per the open source community.
In the WhiteSource full platform we further provide information regarding whether you are actually making calls to the vulnerable functionality and a full trace analysis to provide insights for faster and quicker remediation for all known vulnerabilities (not just the top fifty from the previous month).
WhiteSource automates the entire process of open source components management from the selection process, through the approval process and finding and fixing vulnerabilities in real-time. It is a SaaS offering priced annually per contributing developer, meaning the number of developers working on the relevant applications. We offer our full platform services free of charge for open source projects.
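The following is an added illustration, not WhiteSource's code, of the three mechanisms described in the interview: a digital signature (here SHA-1 of the artifact bytes) cross-referenced against a database to identify components, a monthly top-N list ranked by CVSS score and then by how many projects were affected, and an alert that reports path, component, score and suggested fix. The artifacts, the database contents, the `CVE-XXXX-…` identifiers and all scores are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str          # placeholder id, not a real CVE
    cvss: float       # CVSS 3.0 base score (constructed)
    fix: str          # community-recommended fix
    occurrences: int  # projects in the user base found to contain it


def fingerprint(artifact: bytes) -> str:
    """Digital signature of an artifact: SHA-1 over its raw bytes."""
    return hashlib.sha1(artifact).hexdigest()


# Constructed artifacts standing in for real library files.
ARTIFACTS = {
    "parser-lib-1.2": b"constructed parser-lib 1.2 bytes",
    "parser-lib-1.3": b"constructed parser-lib 1.3 bytes",
    "http-lib-0.9": b"constructed http-lib 0.9 bytes",
}

# Constructed database: fingerprint -> (component name, advisories).
DATABASE = {
    fingerprint(ARTIFACTS["parser-lib-1.2"]): ("parser-lib-1.2", [
        Advisory("CVE-XXXX-0001", 9.8, "upgrade to 1.3", 120),
        Advisory("CVE-XXXX-0002", 5.3, "upgrade to 1.3", 120),
    ]),
    fingerprint(ARTIFACTS["parser-lib-1.3"]): ("parser-lib-1.3", []),
    fingerprint(ARTIFACTS["http-lib-0.9"]): ("http-lib-0.9", [
        Advisory("CVE-XXXX-0003", 7.5, "upgrade to 1.0", 40),
    ]),
}


def top_of_month(database, n):
    """Rank advisories by CVSS severity, then by number of affected
    projects, and keep the ids of the top n."""
    advisories = [a for _, advs in database.values() for a in advs]
    advisories.sort(key=lambda a: (a.cvss, a.occurrences), reverse=True)
    return [a.cve for a in advisories[:n]]


def scan(project, database, top_ids):
    """project: path -> artifact bytes. Returns one alert tuple
    (path, component, cve, cvss, fix) per match against the top list.
    Unknown fingerprints are not matched; file names are never guessed."""
    alerts = []
    for path, data in project.items():
        component, advisories = database.get(fingerprint(data), (None, []))
        for adv in advisories:
            if adv.cve in top_ids:
                alerts.append((path, component, adv.cve, adv.cvss, adv.fix))
    return alerts
```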
InfoQ: Who is a typical user?
Sass: This free tool was designed for developers, DevOps teams and security professionals, but can also be used by anyone with a code library that wants to check if their library contains any of the month's top fifty vulnerabilities.
InfoQ: Can you tell us more about the WhiteSource research team?
Sass: The WhiteSource team is a great believer in the open source community. We believe the community is doing a great job securing and managing open source projects, especially over the past two years as awareness around the security of open source is on the rise, as evidenced by the fact that the number of Common Vulnerabilities and Exposures (CVEs) more than doubled in 2017.
The problem starts with the way open source security information is scattered across many databases, and the majority are not indexed properly so the information is not available to users. This is the focus of our research team. Our research team is comprised of eighteen researchers and data analysts split between Israel and Boston.
The teams focus on finding new resources for open source security information, indexing these sources, enriching the data and then validating it. We develop proprietary algorithms for aggregating information and scoring it automatically, but each vulnerability is validated manually by our research team to meet our promise to our customers of zero false positives.
The WhiteSource Vulnerability Checker is available for download here.