Open Source Dependency Scanner
Open source dependencies make up the majority of the code in any modern web application, but working with them poses a number of challenges, including:
- Security Awareness – how do you know which of your open source dependencies are vulnerable, and which reported vulnerabilities are false positives?
- Vulnerability Remediation – how can you resolve vulnerabilities in a timely manner?
- License Compliance – how do you know if all your dependencies feature licenses that are compatible with your corporate guidelines?
Unlike other dependency scanners, the ActiveState Platform’s features and functionality can help ensure security and license compliance for open source software dependencies from the Python, Perl and Tcl ecosystems before you even begin coding:
- Build from Source Code: Know exactly what’s in your code across your entire software development lifecycle (SDLC) from your development environment through CI/CD to production.
- Resolve Vulnerabilities: Find, fix and automatically rebuild vulnerable Python, Perl and Tcl runtime environments for your open source projects.
- Ensure Compliance: Get detailed licensing reports and a Bill of Materials (BoM) for all the dependencies in your code.
Improve application security with a security-first approach that implements DevSecOps best practices by shifting security left without disrupting your developers.
Security-First Dependency Management
The ActiveState Platform is an all-in-one package management and risk management solution for open source languages:
- Development and DevOps teams can improve the security and reduce the complexity of the Python, Perl and Tcl environments they’re using to build their applications.
- Security & Compliance teams can reduce risk with better oversight and maintenance of all open source components.
You need only choose a language and the packages your project requires, and the ActiveState Platform will:
- Pull in and resolve all dependencies, providing you with a complete software BoM, including:
  - Transitive dependencies (i.e., dependencies of dependencies)
  - OS-level dependencies
  - Shared dependencies (e.g., OpenSSL)
- Environment dependency checks flag any Common Vulnerabilities and Exposures (CVEs), providing you with the severity level of each along with a link to the National Vulnerability Database (NVD) so you can read further details
- Build everything from source code in parallel in just a few minutes
- Package your environment for deployment on Windows, Linux or Mac
Ensure your development process is secure from the first line of code.
Remediate Vulnerabilities Faster
Resolving an open source vulnerability shouldn’t take weeks. With the ActiveState Platform, you can identify and replace vulnerable packages, and then follow the workflow to automatically rebuild your Python, Perl and Tcl environments for Windows, Linux or Mac in minutes.
The ActiveState Platform acts as a single source of truth for your Python, Perl and Tcl environments. Remediate security vulnerabilities once, and secure your development, CI/CD and production environments.
Security Status: Identify the number and severity of CVEs in your projects via web, command line (CLI) or API. New vulnerabilities are flagged every 24 hours.
Security Reports: email-able PDF reports provide details of each vulnerable dependency, allowing you to make every stakeholder in your organization aware.
Vulnerability Remediation: interactive Python, Perl and Tcl environment configurations allow you to find and fix known vulnerabilities by upgrading or downgrading vulnerable components to secure versions.
Unlike other dependency scanners, ActiveState Platform will show you the implications of selecting a new version of a dependency on all the other components of your environment BEFORE you commit to it. Never break your environment again!
Watch this video to learn how to use the ActiveState Platform to remediate vulnerable Python, Perl and Tcl runtime environments by selecting non-vulnerable package versions, and automatically rebuilding your environment, helping to shortcut the lengthy remediation process.
Ensure Open Source License Compliance
Reduce licensing risks by ensuring that developers are only using properly-licensed third-party dependencies. And minimize exposure if things do go wrong. Let ActiveState help you reduce your reliance on software audits.
- Ensure only open source dependencies with approved licenses are available for use in your Python, Perl and Tcl development environments.
- Get access to licensing reports that let Compliance teams know what you plan to distribute or put into production.
- Gain a Bill of Materials view of every open source component included in your application to ensure nothing slips through the cracks.
The ActiveState Platform currently supports the Python, Perl and Tcl ecosystems, with more languages (such as Ruby, PHP and Node.js) being added soon.
Ready to see for yourself? You can try the ActiveState Platform by signing up for a free account using your email or GitHub credentials. Or sign up for a free demo and let us show you how you can implement secure dependency scanning in your organization.
Frequently Asked Questions
Open source dependency scanners are primarily used to:
- Identify vulnerabilities in packages and dependencies
- Identify open source licenses associated with each package and dependency
- Provide a software bill of materials for your application
There are many different types of dependency scanners available, but only one that will also let you remediate the vulnerabilities it finds and automatically rebuild your Python, Perl and Tcl environments. Sign up for a free account to try the ActiveState Platform for your vulnerability remediation needs.
Open source dependency scanners rely on three tools:
- The National Vulnerability Database (among other sources), which provides dependency vulnerability information.
- A source code scanning tool that identifies open source licenses embedded in the code.
- A software composition analysis tool that identifies all the open source components that comprise an application.
The open source dependency scanner then provides a report that shows:
- Vulnerabilities in packages and dependencies
- Open source licenses associated with each package and dependency
- A software bill of materials for your application
Create a free account on the ActiveState Platform to start exploring how to use it for vulnerability scanning.
A dependency checker (also known as a dependency scanner or software composition analysis tool) is used to identify vulnerabilities in open source software. The checker will typically provide:
- A list of all open source dependencies in your application
- The severity level of each vulnerability
- Links to details about each vulnerability
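To make the three pieces above concrete (a vulnerability source, license identification and a software composition view producing a report with severity levels and NVD links), here is a minimal dependency checker added as an illustration; it is not ActiveState's code, and the dependency graph, licenses and advisory entries are constructed sample data with a placeholder CVE id.

```python
"""Minimal dependency checker: builds a bill of materials including transitive and
shared dependencies, flags pinned versions that match an advisory, and checks each
component's license against an allowlist. Sample data below is constructed."""
from dataclasses import dataclass

# Constructed sample input: direct dependencies, the resolved dependency graph
# (name -> list of (dependency, pinned version)) and each component's license.
DIRECT = {"webapp-core": "2.1.0"}
GRAPH = {
    "webapp-core": [("http-lib", "1.4.2"), ("tls-shim", "0.9.0")],
    "http-lib": [("tls-shim", "0.9.0")],  # tls-shim is a shared transitive dependency
    "tls-shim": [],
}
LICENSES = {"webapp-core": "MIT", "http-lib": "Apache-2.0", "tls-shim": "AGPL-3.0"}
# Constructed advisories: (package, affected versions, fixed-in, severity, CVE id).
# "CVE-0000-0000" is a placeholder, not a real identifier.
ADVISORIES = [("tls-shim", {"0.9.0"}, "0.9.1", "HIGH", "CVE-0000-0000")]
NVD_URL = "https://nvd.nist.gov/vuln/detail/"  # NVD detail pages are keyed by CVE id

@dataclass
class Finding:
    package: str
    version: str
    severity: str
    cve: str
    fixed_in: str

    @property
    def link(self) -> str:
        return NVD_URL + self.cve

def build_bom(direct, graph):
    """Depth-first walk of the graph; every component is recorded once."""
    bom, stack = {}, list(direct.items())
    while stack:
        name, version = stack.pop()
        if name in bom:
            continue  # shared dependency already recorded
        bom[name] = version
        stack.extend(graph.get(name, []))
    return bom

def find_vulnerabilities(bom, advisories):
    """Match each BoM entry's pinned version against the advisory set."""
    return [Finding(p, bom[p], sev, cve, fix)
            for p, affected, fix, sev, cve in advisories if bom.get(p) in affected]

def check_licenses(bom, licenses, allowed):
    """Return components whose license is missing or not on the allowlist."""
    return {p: licenses.get(p, "UNKNOWN") for p in bom if licenses.get(p, "UNKNOWN") not in allowed}

def report(direct=DIRECT, graph=GRAPH, allowed=frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"})):
    bom = build_bom(direct, graph)
    return {"bom": bom, "vulnerabilities": find_vulnerabilities(bom, ADVISORIES),
            "license_violations": check_licenses(bom, LICENSES, allowed)}
```

Each finding carries the severity and the fixed-in version, so the same report can drive the upgrade decision the text describes rather than only listing the problem.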
Knowing which vulnerabilities are in your application is half the battle, but now you’ll need to remediate them. The ActiveState Platform lets you not only identify vulnerabilities but also resolve them, and then will automatically rebuild a secure version of your Python, Perl or Tcl environment. Sign up for a free account and give it a try.
Dependency scanners are typically run either as part of a source code repository (e.g., GitHub), or else during the CI/CD process (e.g., Black Duck).
- Repository Scanning – dependencies are automatically monitored for vulnerabilities and a notification provided when one is discovered.
- CI/CD Scanning – whenever the CI/CD process is run, an instance of the application is spun up and scanned. Generally, the scan creates a report that must be subsequently examined and investigated.
Vulnerability reports and notifications are only the start of the process. To remediate the vulnerability, consider using the ActiveState Platform, which not only identifies vulnerabilities but also resolves them and automatically rebuilds a secure version of your Python, Perl or Tcl environment. Sign up for a free account and give it a try.