Software teams often focus on finding potential problems in their own code but neglect to check for known vulnerabilities in the open source components they use. The risk from open source vulnerabilities is often greater, because the vulnerability details, and frequently the way to exploit them, are public knowledge. Fortunately, 87% of open source vulnerabilities already have a patch available, so they are relatively easy to fix. WhiteSource has the most extensive security vulnerability database, collecting vulnerabilities from multiple sources and providing detailed remediation information. Throughout the software development life cycle (SDLC), including after the software is released, WhiteSource alerts users in real time so that every issue can be fixed proactively.
When using open source components, companies need to track every component they depend on, including transitive dependencies. WhiteSource accurately detects all open source licenses, including those of dependency libraries, and automatically enforces license policies on newly added components, so users can block unwanted components from entering their software.
WhiteSource also automates the approval process for new open source components, which improves development efficiency.
Shift Left is the principle of detecting as many issues as possible as early as possible in the software development process. Studies have shown that catching security issues early can reduce remediation costs by 90%.
WhiteSource checks components for problems as they enter the code base or are pulled in at build time, so there are no surprises on release day. Its Selection Tool helps developers choose the best components during the evaluation phase, improving overall product quality.
WhiteSource automates the selection, approval, and management of open source components, including detecting and resolving security and compliance issues. It integrates with users' code repositories, build tools, CI servers, and application security tools, supporting agile methods and continuous deployment. It also gives users' security, engineering, DevOps, and legal teams visibility into, and control over, their use of open source.
WhiteSource uses its own algorithm to ensure accurate detection without false positives, and prides itself on being the most accurate solution on the market. It also has an extremely mature database, containing more than 3M open source components and 70M source files and covering more than 200 programming languages.
In operation, WhiteSource computes a digital fingerprint (a cryptographic hash) of each library and matches it against its extensive database. It therefore never scans or analyzes the user's own code, so the confidentiality of that code is preserved. In short, it doesn't look at your code.
●Automatically detect all open source components in your builds and code base, including transitive dependency libraries.
●Detect known vulnerabilities in components throughout the software development cycle and provide remediation suggestions.
●Automatically enforce policies across the software development life cycle and raise real-time alerts on policy violations, so the user can fail the build or start an approval process.
●Alert criteria include vulnerability severity, license type, serious software defects, new versions, component age, and more.
●Get alerts for newly discovered vulnerabilities in historical versions: WhiteSource continuously monitors the latest build of each version.
●Generate detailed inventory, risk, security, legal, and due diligence reports from the last build with one click.
●Automatically generate release management reports covering all license and copyright information, saving time and effort before release.
●When developers search for open source components online, the Selection Tool (a browser plug-in) shows security, license, and policy information alongside the results.
●Users get a detailed preview of each component, including its vulnerabilities, license, and whether the component is already used in their organization.
●The Selection Tool supports all common registries (Maven Central, npm, PyPI, etc.) and web pages that reference packages (Stack Overflow, tutorials, etc.).
●Wide coverage: more than 200 languages supported, plus container images.
●Accurate detection: a proprietary algorithm guarantees no false positives.
●Easy remediation: proven, crowd-sourced fixes are provided.
●Easy to use: policies are enforced automatically at every stage of the SDLC, and approval and tracking are automated.
●Rich vulnerability database, continuously collecting information from the NVD, security researchers, and open source project issue trackers.
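To make concrete how the fingerprint matching described above fits together with the detection, transitive-dependency and build-time policy features in the list, here is an added worked example in Python. It is illustrative code written for this page, not WhiteSource's implementation: the dependency tree, artifact bytes, vulnerability index, advisory identifiers (DEMO-VULN-…) and policy are all constructed, and SHA-256 is an assumed choice of digest.

```python
"""Toy software-composition-analysis (SCA) pass: fingerprint every open source
component in a dependency tree (direct and transitive), look the fingerprints
up in a vulnerability/license index, and decide whether the build may proceed.
Added illustration, not WhiteSource code; the artifact bytes, index, advisory
identifiers and policy below are all constructed for the example."""
import hashlib
from collections import deque
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Component:
    name: str
    version: str
    archive: bytes          # bytes of the resolved artifact (constructed)
    license: str
    dependencies: list = field(default_factory=list)   # what it pulls in


def fingerprint(archive: bytes) -> str:
    """SHA-256 of the artifact (assumed digest; a real tool may use whatever
    its registry publishes, e.g. the sha1 Maven Central lists)."""
    return hashlib.sha256(archive).hexdigest()


def walk(direct_deps):
    """Yield (component, path) for everything reachable from the direct deps,
    each name/version once. Breadth-first, so the path is the shortest route
    by which a transitive dependency was pulled in."""
    seen, queue = set(), deque((d, d.name) for d in direct_deps)
    while queue:
        comp, path = queue.popleft()
        if (comp.name, comp.version) in seen:
            continue
        seen.add((comp.name, comp.version))
        yield comp, path
        queue.extend((c, f"{path} > {c.name}") for c in comp.dependencies)


def lookup(index, digests):
    """Stand-in for the database query: only digests cross this boundary,
    never the artifact bytes or the application's own source."""
    return {d: index.get(d, []) for d in digests}


def scan(direct_deps, index, policy):
    """Inventory, findings and build decision. A vulnerability at or above
    policy["fail_on_severity"] or a license in policy["blocked_licenses"]
    blocks the build; lesser vulnerabilities are reported but do not."""
    inventory = [(c, p, fingerprint(c.archive)) for c, p in walk(direct_deps)]
    hits = lookup(index, {digest for _, _, digest in inventory})
    threshold = SEVERITY_RANK[policy["fail_on_severity"]]
    findings = []
    for comp, path, digest in inventory:
        label = f"{comp.name}@{comp.version}"
        for v in hits[digest]:
            findings.append({"component": label, "via": path, "kind": "vulnerability",
                             "detail": f"{v['id']} ({v['severity']})",
                             "fix": f"upgrade to {v['fixed_in']}",
                             "blocking": SEVERITY_RANK[v["severity"]] >= threshold})
        if comp.license in policy["blocked_licenses"]:
            findings.append({"component": label, "via": path, "kind": "license",
                             "detail": comp.license, "fix": "replace or get approval",
                             "blocking": True})
    return {"components": [f"{c.name}@{c.version}" for c, _, _ in inventory],
            "findings": findings,
            "build_allowed": not any(f["blocking"] for f in findings)}


# Constructed sample data: three fake artifacts, one diamond dependency.
JSON_PARSER_BYTES = b"json-parser-1.2.3 archive (constructed)"
LOGGER_BYTES = b"logger-4.0.1 archive (constructed)"
FRAMEWORK_BYTES = b"web-framework-2.8.0 archive (constructed)"


def sample_dependencies():
    """Direct deps of a hypothetical app; json-parser is also pulled in
    transitively by web-framework."""
    json_parser = Component("json-parser", "1.2.3", JSON_PARSER_BYTES, "MIT")
    logger = Component("logger", "4.0.1", LOGGER_BYTES, "AGPL-3.0")
    framework = Component("web-framework", "2.8.0", FRAMEWORK_BYTES,
                          "Apache-2.0", [json_parser, logger])
    return [framework, json_parser]


def sample_index():
    """Index keyed by digest. The DEMO-VULN ids are placeholders, not advisories."""
    return {fingerprint(JSON_PARSER_BYTES): [
                {"id": "DEMO-VULN-001", "severity": "high", "fixed_in": "1.2.4"}],
            fingerprint(FRAMEWORK_BYTES): [
                {"id": "DEMO-VULN-002", "severity": "low", "fixed_in": "2.8.1"}]}


SAMPLE_POLICY = {"fail_on_severity": "high", "blocked_licenses": {"AGPL-3.0"}}

if __name__ == "__main__":
    report = scan(sample_dependencies(), sample_index(), SAMPLE_POLICY)
    for f in report["findings"]:
        print("BLOCK" if f["blocking"] else "warn ", f["component"], "via", f["via"],
              f["kind"], f["detail"], "->", f["fix"])
    print("build allowed:", report["build_allowed"])
```

Only digests reach `lookup`, which stands in for the remote database query, so the application's own source never leaves the machine. With the sample policy the build is blocked by the high-severity hit on `json-parser` (reached directly and again through `web-framework`, but inventoried once) and by the AGPL-licensed `logger`, while the low-severity hit on `web-framework` is reported as a warning only; relaxing the severity threshold to `critical` and clearing the blocked-license set lets the same tree through.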