Re: new security tool question
Not sure if this is close enough, Dirk: https://snyk.io/vuln/
GM & Global Open Source Practice Leader
From: Dirk Riehle <dirk@...>
Sent: Monday, August 20, 2018 1:28 AM
To: Armijn Hemel - Tjaldur Software Governance Solutions
Cc: Shane Coughlan; Andrew Aitken (Service Transformation); openchain@...
Subject: Re: [OpenChain] new security tool question
I didn't want to answer, because I also hadn't tried it yet, but:
The TechCrunch article is rather confusing; the website announcement, then, is clear: the tool reviews existing or newly introduced dependencies on open source components and flags those for which vulnerabilities are known.
If you want help fixing them, you need to buy the commercial version, so this tool is straight from the upsell playbook.
I looked at libraries.io and it doesn't say anything about a vulnerabilities database. Is there any?
For us, building tools based on such databases, a free and integrated / consolidated vulnerabilities database would be a boon.
Does anyone know of any effort here?
Admittedly, this is a core commercial piece of Sonatype's and Black Duck's offerings.
On Mon, Aug 20, 2018, 15:08 Armijn Hemel - Tjaldur Software Governance Solutions <armijn@...> wrote:
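The check Dirk describes (take a list of pinned dependencies, cross-reference each against a vulnerability database, flag the ones inside a known-affected version range) is small enough to show end to end. The following is an added example written for this page; it is not code from Snyk, libraries.io, Sonatype or Black Duck, and it does not talk to any real database. The advisory records and the requirements.txt content are constructed inline, the advisory fields (ecosystem, package, introduced, fixed) are an assumed layout, and the version comparison is a deliberately simple dotted-numeric one that ignores pre-release tags. It does handle the cases a real checker trips over: package-name normalisation, advisories with no fix yet, the boundary where the pinned version equals the fixed version, and requirement lines that are not exact pins and therefore cannot be evaluated.

```python
"""Flag pinned dependencies that fall inside known-vulnerable version ranges.

Added example for the OpenChain thread above; not the code of any tool named
in the thread. All advisory and manifest data below is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed advisory records (not a real vulnerability database). Each record
# names the ecosystem, the package, the first affected version and the first
# fixed version; fixed=None means no fix has been published (assumed layout).
SAMPLE_ADVISORIES: List[Dict] = [
    {"id": "EXAMPLE-0001", "ecosystem": "PyPI", "package": "examplelib",
     "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "EXAMPLE-0002", "ecosystem": "PyPI", "package": "otherpkg",
     "introduced": "0", "fixed": "2.0.0"},
    {"id": "EXAMPLE-0003", "ecosystem": "npm", "package": "examplelib",
     "introduced": "3.0.0", "fixed": None},
    {"id": "EXAMPLE-0004", "ecosystem": "PyPI", "package": "legacy-tool",
     "introduced": "0", "fixed": None},
]

# Constructed requirements.txt content to scan.
SAMPLE_REQUIREMENTS = """\
# constructed sample manifest
examplelib==1.3.0
otherpkg==2.1.0
Legacy_Tool==5.0.0
unrelated==0.9.1   # no advisory exists for this one
loosepkg>=1.0      # unpinned: cannot be evaluated against a version range
"""

_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][^\s#]*)")


def normalise_name(name: str) -> str:
    """PEP 503 style normalisation: case-insensitive, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version into a comparable tuple; non-numeric suffixes are dropped."""
    parts = []
    for component in v.split("."):
        m = re.match(r"\d+", component)
        if m is None:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Strict less-than on dotted versions, padding the shorter tuple with zeros."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """Affected iff introduced <= version < fixed (half-open range; the fixed version is safe)."""
    if version_lt(version, introduced):
        return False
    return fixed is None or version_lt(version, fixed)


def parse_requirements(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (pinned (name, version) pairs, names of lines that are not exact '==' pins)."""
    pinned, unpinned = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_LINE.match(line)
        if m:
            pinned.append((normalise_name(m.group(1)), m.group(2)))
        else:
            unpinned.append(normalise_name(re.split(r"[<>=!~\s]", line, maxsplit=1)[0]))
    return pinned, unpinned


def find_vulnerable(pinned: List[Tuple[str, str]], advisories: List[Dict],
                    ecosystem: str = "PyPI") -> List[Dict[str, Optional[str]]]:
    """Cross-reference pinned packages with the advisories of one ecosystem."""
    by_package: Dict[str, List[Dict]] = {}
    for adv in advisories:
        if adv["ecosystem"] == ecosystem:
            by_package.setdefault(normalise_name(adv["package"]), []).append(adv)
    findings = []
    for name, version in pinned:
        for adv in by_package.get(name, []):
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"package": name, "version": version,
                                 "advisory": adv["id"], "fixed": adv["fixed"]})
    return findings


if __name__ == "__main__":
    pins, loose = parse_requirements(SAMPLE_REQUIREMENTS)
    for f in find_vulnerable(pins, SAMPLE_ADVISORIES):
        print(f"{f['package']}=={f['version']}: {f['advisory']} (fixed in {f['fixed'] or 'no fix yet'})")
    for name in loose:
        print(f"{name}: not pinned, skipped")
```

Two design points are worth noting. Matching is done on the normalised name and the ecosystem together, because the same package name in PyPI and npm is unrelated and an advisory for one must not flag the other. Unpinned lines are reported separately rather than silently ignored, since a range like `>=1.0` can resolve to a vulnerable version at install time and the scanner cannot say either way from the manifest alone.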