Open Source Software Scanner
Open source software makes up >80% of applications, but it originates outside the organization, created by tens of thousands of third-party authors. In order to understand the open source software used in their software development efforts, organizations need to know:
- Where open source software is sourced from, and whether that source can be trusted.
- How open source software is being used, and whether that usage contravenes licensing requirements, opening the organization to lawsuits.
- Where open source software is deployed, such as in the back office (internally) or externally, where application security becomes a prime consideration.
The ActiveState Platform is a universal package management solution for Python, Perl and Tcl programming languages that provides organizations with the capabilities of an open source software scanner (OSS scanner):
- Understand which open source components are being used by which development teams
- Identify and remediate open source vulnerabilities
- Identify open source software licenses used in each project
As a result, managers can centrally monitor and track open source software usage across their extended enterprise.
Software Bill of Materials
A BOM identifies all the open source packages and dependencies associated with your application, since you can’t manage what you don’t know you have. The BOM is key to identifying at a glance outliers, issues and errors that require further investigation on a per project basis.
The ActiveState Platform provides organizations with the capabilities of an OSS scanner. It delivers a comprehensive list of ingredients required to build your application, including:
- The version of the programming language for the project (Python, Perl and Tcl)
- Open source packages from the language’s ecosystem, as well as their dependencies
- Transitive dependencies (ie., dependencies of dependencies)
- Shared libraries (ie., OpenSSL, which is shared across all the platforms you support)
- Operating system (OS)-level dependencies
- Configurations (ie., metadata like version number, open source license, etc)
- A Common Vulnerabilities and Exposures (CVE) report, showing vulnerabilities for each component\
A typical BOM might look like the following:
The OSS scanner creates a BOM that not only identifies all packages and dependencies, but also acts as a vulnerability scanner to show which ones have CVEs. Links are provided to the National Vulnerability Database that explain each CVE in detail.
Comply with Security Policies
With the escalating number of open source vulnerabilities reported over the past few years, keeping up with open source vulnerabilities has never been more difficult, or more important as cyber attacks also continue to rise. But the Mean Time To Remediate (MTTR) vulnerabilities is often measured in weeks, if not months.
The ActiveState Platform not only builds all dependencies from source code for Windows, Linux and Mac, ensuring developers start with a secure development environment, but also provides organizations with the capabilities of a vulnerability scanner to help maintain security over time. The ActiveState Platform can help you reduce MTTR by providing:
- Status updates when your Python, Perl or Tcl environment is vulnerable, similar to GitHub
- A PDF report showing the severity level and details for each vulnerability
- The ability to fix and automatically rebuild your environment with secure open source components in minutes, speeding remediation
Because the ActiveState Platform tracks multiple versions of all your components, you can remediate vulnerabilities at the OS, package and dependency level by simply selecting a non-vulnerable version. The ActiveState Platform can save considerable time and effort by automatically rebuilding your environment, ready to be pulled into your CI/CD pipeline for testing.
See how the ActiveState Platform acts as a vulnerability scanner and remediation tool in this 2-minute video.
A list of known vulnerabilities can also be generated using the ActiveState Platform’s command line interface (CLI), the State Tool to perform OSS scanning.
Comply with Licensing Policies
Legal teams implement open source licensing policies to ensure against IP infringement and lawsuits. But identifying the licenses associated with every open source component in your application can be difficult, since:
- Without a complete open source software bill of materials, you may miss some open source component and their licenses
- Components may have no stated license, increasing the risk of utilizing them
- Components may contain sub-components that have conflicting licenses, making it difficult to understand whether the overall license complies with your policy
The ActiveState Platform can help you mitigate license risk by acting as an OSS scanner to create a complete bill of materials, and the licenses associated with them. You can use the ActiveState Platform’s API to programmatically retrieve and identify the licenses associated with every open source component in a project’s codebase, allowing you to automate open source license compliance.
For example, running a license API query on our ActivePython project returns:
Ready to see for yourself? You can try the ActiveState Platform by signing up for a free account using your email or GitHub credentials. Or sign up for a free demo and let us show you how you can improve compliance and security without disrupting your development efforts.
Frequently Asked Questions
An open source software scanner, sometimes called an open source compliance scanner or software composition analysis tool, provides organizations with three key reports:
- A software bill of materials for all dependencies
- Open source license(s) per component
- A list of the security vulnerabilities showing the severity level for each open source component
The ActiveState Platform provides all the capabilities of an OSS scan tool for Python, Perl and Tcl projects. Sign up for a free account to try it out, or sign up for a free demo and let us show you how it works.
Open source software scanning (OSS scanning) is a way for organizations to assess the open source they use against three principal criteria:
- License – is the open source component suitably licensed for the organization’s purpose?
- Security – does the open source component contain vulnerabilities that conflict with the organization’s security requirements?
- Industry Standards – does the open source component comply with government and industry standards such as PCI-DSS, SOX, FedRAMP, etc.
The ActiveState Platform can provide organizations with the ability to identify the security status and licensing for all Python, Perl and Tcl open source components. To understand how the ActiveState Platform can help you identify security vulnerabilities, read How To Remediate Your Open Source Vulnerabilities Quicker
A software vulnerability is a defect or bug found in the code of a library, script, API, or similar software construct. The most common vulnerabilities are those associated with open source software, since they affect far more organization than defects found in proprietary code.
The typical open source Common Vulnerabilities and Exposures (CVE) lifecycle looks like:
- Reported by a CVE Numbering Authority (CNA)
- Verified and listed in the US National Vulnerability Database (NVD)
- Patch or new version is issued by the open source author(s)
- Affected organizations patch/update their application
Unfortunately, the CVE reporting and remediation process typically takes weeks to months. The ActiveState Platform can help you shorten your remediation cycle to days. Read How To Remediate Your Open Source Vulnerabilities Quicker to learn more.
Organizations gain multiple benefits from open source scanning, but chief among them are:
- Ensure license compliance in order to mitigate the risk of IP lawsuits
- Ensure security by identifying the number and severity level of vulnerabilities
- Create a software bill of materials in order to identify and track all open source components in their applications
Open source software scanners like the ActiveState Platform can be used for these purposes, while letting every stakeholder in the enterprise monitor the risk associated with the open source in use. Sign up for a free account to try out the ActiveState Platform, or sign up for a free demo and let us show you how it works.