Open Source Software Scanner
- Where open source software is sourced from, and whether that source can be trusted.
- How open source software is being used, and whether that usage contravenes licensing requirements, opening the organization to lawsuits.
- Where open source software is deployed, such as in the back office (internally) or externally, where application security becomes a prime consideration.
The ActiveState Platform is a universal package management solution for Python, Perl and Tcl programming languages that provides organizations with the capabilities of an open source software scanner (OSS scanner):
- Understand which open source components are being used by which development teams
- Identify and remediate open source vulnerabilities
- Identify open source software licenses used in each project
As a result, managers can centrally monitor and track open source software usage across their extended enterprise.
Software Bill of Materials
A BOM identifies all the open source packages and dependencies associated with your application, since you can’t manage what you don’t know you have. The BOM is key to identifying at a glance outliers, issues and errors that require further investigation on a per project basis.
The ActiveState Platform provides organizations with the capabilities of an OSS scanner. It delivers a comprehensive list of ingredients required to build your application, including:
- The version of the programming language for the project (Python, Perl and Tcl)
- Open source packages from the language’s ecosystem, as well as their dependencies
- Transitive dependencies (ie., dependencies of dependencies)
- Shared libraries (ie., OpenSSL, which is shared across all the platforms you support)
- Operating system (OS)-level dependencies
- Configurations (ie., metadata like version number, open source license, etc)
- A Common Vulnerabilities and Exposures (CVE) report, showing vulnerabilities for each component\
A typical BOM might look like the following:
The OSS scanner creates a BOM that not only identifies all packages and dependencies, but also acts as a vulnerability scanner to show which ones have CVEs. Links are provided to the National Vulnerability Database that explain each CVE in detail.
Comply with Security Policies
With the escalating number of open source vulnerabilities reported over the past few years, keeping up with open source vulnerabilities has never been more difficult, or more important as cyber attacks also continue to rise. But the Mean Time To Remediate (MTTR) vulnerabilities is often measured in weeks, if not months.
The ActiveState Platform not only builds all dependencies from source code for Windows, Linux and Mac, ensuring developers start with a secure development environment, but also provides organizations with the capabilities of a vulnerability scanner to help maintain security over time. The ActiveState Platform can help you reduce MTTR by providing:
- Status updates when your Python, Perl or Tcl environment is vulnerable, similar to GitHub
- A PDF report showing the severity level and details for each vulnerability
- The ability to fix and automatically rebuild your environment with secure open source components in minutes, speeding remediation
Because the ActiveState Platform tracks multiple versions of all your components, you can remediate vulnerabilities at the OS, package and dependency level by simply selecting a non-vulnerable version. The ActiveState Platform can save considerable time and effort by automatically rebuilding your environment, ready to be pulled into your CI/CD pipeline for testing.
See how the ActiveState Platform acts as a vulnerability scanner and remediation tool in this 2-minute video.
A list of known vulnerabilities can also be generated using the ActiveState Platform’s command line interface (CLI), the State Tool to perform OSS scanning.
Comply with Licensing Policies
Legal teams implement open source licensing policies to ensure against IP infringement and lawsuits. But identifying the licenses associated with every open source component in your application can be difficult, since:
- Without a complete open source software bill of materials, you may miss some open source component and their licenses
- Components may have no stated license, increasing the risk of utilizing them
- Components may contain sub-components that have conflicting licenses, making it difficult to understand whether the overall license complies with your policy
The ActiveState Platform can help you mitigate license risk by acting as an OSS scanner to create a complete bill of materials, and the licenses associated with them. You can use the ActiveState Platform’s API to programmatically retrieve and identify the licenses associated with every open source component in a project’s codebase, allowing you to automate open source license compliance.
For example, running a license API query on our ActivePython project returns:
Ready to see for yourself? You can try the ActiveState Platform by signing up for a free account using your email or GitHub credentials. Or sign up for a free demo and let us show you how you can improve compliance and security without disrupting your development efforts.
Frequently Asked Questions
What is open source software scanning (OSS scan)?
- A software bill of materials for all dependencies
- Open source license(s) per component
- A list of the security vulnerabilities showing the severity level for each open source component
The ActiveState Platform provides all the capabilities of an OSS scan tool for Python, Perl and Tcl projects. Sign up for a free account to try it out, or sign up for a free demo and let us show you how it works.
What is Open Source Scanning?
- License – is the open source component suitably licensed for the organization’s purpose?
- Security – does the open source component contain vulnerabilities that conflict with the organization’s security requirements?
- Industry Standards – does the open source component comply with government and industry standards such as PCI-DSS, SOX, FedRAMP, etc.
The ActiveState Platform can provide organizations with the ability to identify the security status and licensing for all Python, Perl and Tcl open source components. To understand how the ActiveState Platform can help you identify security vulnerabilities, read How To Remediate Your Open Source Vulnerabilities Quicker
What is a Vulnerability?
The typical open source Common Vulnerabilities and Exposures (CVE) lifecycle looks like:
- Reported by a CVE Numbering Authority (CNA)
- Verified and listed in the US National Vulnerability Database (NVD)
- Patch or new version is issued by the open source author(s)
- Affected organizations patch/update their application
Unfortunately, the CVE reporting and remediation process typically takes weeks to months. The ActiveState Platform can help you shorten your remediation cycle to days. Read How To Remediate Your Open Source Vulnerabilities Quicker to learn more.
What are the benefits of open source scanning?
- Ensure license compliance in order to mitigate the risk of IP lawsuits
- Ensure security by identifying the number and severity level of vulnerabilities
- Create a software bill of materials in order to identify and track all open source components in their applications
Open source software scanners like the ActiveState Platform can be used for these purposes, while letting every stakeholder in the enterprise monitor the risk associated with the open source in use. Sign up for a free account to try out the ActiveState Platform, or sign up for a free demo and let us show you how it works.