Sonatype DepShield Helps You to Identify Open Source Security Vulnerabilities

By on August 22, 2018
Pin It

Incorporating outside code into the mix can potentially introduce new security vulnerabilities. Sonatype has launched a free service called DepShield that can automatically identify vulnerable open-source components.

The offering is available as an embedded tool for GitHub, the industry’s go-to code hosting service and the home of most of the world’s open-source projects. DepShield draws on Sonatype’s OSS Index database of software security vulnerabilities to detect issues. The startup aggregates data from public threat intelligence sources such as the CVE system, which is funded by the U.S. Department of Homeland Security.

Sonatype DepShield features and benefits include:

  • Continuously monitors projects and auto-creates issues for security vulnerabilities
  • Available for Apache Maven today with JavaScript and Python coming soon
  • Ability to view a list of known security vulnerabilities within GitHub’s Issue Tracker and click on an issue to view vulnerability details including CVE and CVSS
  • Determine vulnerable version ranges on each given vulnerability
  • Available for free, serving both private and public GitHub repositories

When a developer incorporates a new open-source component into a project, DeepShield can automatically flag any issues that the project may contain. DepShield also displays what specific versions of an open-source project contain a given vulnerability to ease remediation.

For further information you can visit Sonatype’s website.

About Luca Ruggeri

Leave a Reply

Your email address will not be published. Required fields are marked *