Re: new security tool question


Andrew Aitken
 

Not sure if this is close enough Dirk: https://snyk.io/vuln/



Regards,


Andrew Aitken

GM & Global Open Source Practice Leader

Wipro Technologies

650-704-6321






From: Dirk Riehle <dirk@...>
Sent: Monday, August 20, 2018 1:28 AM
To: Armijn Hemel - Tjaldur Software Governance Solutions
Cc: Shane Coughlan; Andrew Aitken (Service Transformation); openchain@...
Subject: Re: [OpenChain] new security tool question
 

** This mail has been sent from an external source. Treat hyperlinks and attachments in this email with caution**

I didn't want to answer, because I also hadn't tried it yet, but:

The TechCrunch article is rather confusing, but the website announcement is clear: the tool reviews existing or newly introduced dependencies on open source components and flags those for which vulnerabilities are known.

If you want help fixing them, you need to buy the commercial version, so this tool is straight from the upsell playbook.

I looked at libraries.io and it doesn't say anything about a vulnerabilities database. Is there any?

For us, building tools based on such databases, a free and integrated / consolidated vulnerabilities database would be a boon.

Does anyone know of any effort here?

Admittedly, this is a core commercial piece of Sonatype's and Black Duck's offerings.

Thanks!
Dirk

On Mon, Aug 20, 2018, 15:08 Armijn Hemel - Tjaldur Software Governance Solutions <armijn@...> wrote:
hello,

I personally have not tried it, so I cannot comment. It would be
interesting to see how it compares to for example Tidelift (which
leverages the libraries.io data).

armijn

> Hi Andrew!
>
> Looping Armijn (Tjaldur) and Michael (Siemens) into this thread.
>
> Regards
>
> Shane
>
>> On Aug 15, 2018, at 23:36 , andrew.aitken@... wrote:
>>
>> Hello, I know this is a new tool but wondering if anyone has tried it yet?
>>
>> Sonatype offers developers free security scan tool on GitHub: https://techcrunch.com/2018/08/14/sonatype-now-offers-free-open-source-vulnerability-scans-to-github-users/
>>
>>
>> Regards,
>>
>> Andrew Aitken
>> GM & Global Open Source Practice Leader
>> m: 650-704-6321, in/opensourcestrategy/
>> Wipro Limited
>>
>>
>>
>>
>>
>> The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com


--
Armijn Hemel, MSc
Tjaldur Software Governance Solutions

_______________________________________________
OpenChain mailing list
OpenChain@...
https://lists.linuxfoundation.org/mailman/listinfo/openchain
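Dirk's description of the tool (review existing or newly introduced dependencies, flag those with known vulnerabilities) is the same matching step any scanner built on a consolidated vulnerabilities database performs. The following is an added illustration, not code from Sonatype, libraries.io or anyone in this thread: it parses a pinned pip-style manifest, diffs it against the previous manifest to isolate newly introduced or re-pinned packages, and checks each against a constructed advisory table with introduced/fixed version ranges. The advisory ids, package ranges and both manifests are made up for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed, illustrative vulnerability database. The ids are placeholders,
# not real advisories; a real feed would be consolidated from sources such as
# NVD or an ecosystem advisory database. "fixed" is None when no fix exists.
VULN_DB: List[dict] = [
    {"id": "EXAMPLE-2018-0001", "package": "requests", "introduced": "2.0.0",
     "fixed": "2.20.0", "summary": "constructed: credential leak on redirect"},
    {"id": "EXAMPLE-2018-0002", "package": "pyyaml", "introduced": "0",
     "fixed": "5.1", "summary": "constructed: unsafe default loader"},
    {"id": "EXAMPLE-2018-0003", "package": "urllib3", "introduced": "1.0",
     "fixed": None, "summary": "constructed: no fixed release yet"},
]

# Constructed manifests: the committed state and the state a change proposes.
OLD_REQUIREMENTS = """
requests==2.19.1
urllib3==1.23
"""
NEW_REQUIREMENTS = """
requests==2.20.0   # upgraded by this change
urllib3==1.23      # unchanged
pyyaml==3.13       # newly introduced by this change
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.19.1' or '5.1rc1' into a comparable tuple of ints.

    Pre-release suffixes are dropped and missing components compare as 0,
    so '2.20' and '2.20.0' are equal. Real scanners use ecosystem-specific
    version semantics; this is the minimal comparable form for the example."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, vuln: dict) -> bool:
    """True when version lies in [introduced, fixed); an unfixed advisory
    affects every version from 'introduced' onward."""
    installed = parse_version(version)
    if installed < parse_version(vuln["introduced"]):
        return False
    fixed: Optional[str] = vuln["fixed"]
    return fixed is None or installed < parse_version(fixed)


def parse_requirements(text: str) -> Dict[str, str]:
    """Parse pinned 'name==version' lines; comments and blank lines are skipped.
    Unpinned lines are rejected, since a range cannot be matched reliably."""
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line}")
        deps[name.strip().lower()] = version.strip()
    return deps


def newly_introduced(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, str]:
    """Dependencies a change adds or re-pins: the subset a pre-merge check reviews."""
    return {name: ver for name, ver in new.items() if old.get(name) != ver}


def scan(deps: Dict[str, str], db: List[dict] = VULN_DB) -> List[dict]:
    """Flag every dependency that matches a known advisory, sorted for stable output."""
    findings = []
    for name, version in deps.items():
        for vuln in db:
            if vuln["package"] == name and is_affected(version, vuln):
                findings.append({"package": name, "version": version,
                                 "advisory": vuln["id"], "fixed": vuln["fixed"]})
    return sorted(findings, key=lambda f: (f["package"], f["advisory"]))


if __name__ == "__main__":
    old = parse_requirements(OLD_REQUIREMENTS)
    new = parse_requirements(NEW_REQUIREMENTS)
    print("existing dependencies with known vulnerabilities:")
    for f in scan(old):
        print(f"  {f['package']}=={f['version']}  {f['advisory']}  fixed in: {f['fixed']}")
    print("newly introduced or re-pinned dependencies with known vulnerabilities:")
    for f in scan(newly_introduced(old, new)):
        print(f"  {f['package']}=={f['version']}  {f['advisory']}  fixed in: {f['fixed']}")
```

The split between `scan(old)` and `scan(newly_introduced(old, new))` is the part worth keeping: a full scan of the existing manifest reports the standing backlog (here `requests` and the unfixed `urllib3` advisory), while the diff-based scan is what a commit or pull-request check should gate on, so that a change is judged on what it adds (here `pyyaml`) rather than on debt it did not create. Everything else in the quality of such a tool comes down to the database behind it, which is exactly the consolidated, free source Dirk is asking whether anyone maintains.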
