The 3 Pitfalls of Scanner-Based Open Source License and Security Management Solutions

But gathering this kind of information manually can become very time-consuming, especially if your organization uses a lot of open source in its products. After all, open source nowadays makes up 60-80% of the total code base, underlining the need and value in overseeing and managing your open source inventory from the get-go.

Up until three years ago, most enterprises wanted to ensure that they were compliant when it comes to their open source usage by running periodic audits with open source scanning tools. But in recent years, a visible shift can be seen in the market, whereby most open source code scanners have either changed their approach or lost their entire customer base. In order to help organizations during their open source audits, a startup named Black Duck Software introduced the first open source scanning solution back in 2002, which was able to identify the open source components included in their products as well as their underlying licenses. Soon after, several additional vendors joined the party, including Protecode, Palamida and OpenLogic, offering open source code scanners in order to overcome the open source discovery challenge.

In general, these open source scanners were able to scan the code and identify pieces of code (also known as "snippets") which resembled code that appears in open source components. Users would be alerted to the similarity in code and would then be required to review each alert individually. Initially, open source scanners seemed to have revolutionized the way organizations were monitoring and managing their open source inventory. However, it didn't take long to realize that open source scanners were born with serious flaws, and that scanning a code base would not be as easy and automated as one had initially believed; it was actually the other way around.

Instead of making the process of open source management easier, open source scanners may have brought more challenges. We've highlighted the 3 main pitfalls of the solution below:

Pitfall #1: The Never-ending Tale of False Positives

One of the main challenges that arise when using an open source scanner is the number of "false positive" alerts it produces. These alerts seem to have matched snippets but, on closer inspection, turn out not to be actually part of an open source component. These false positives will be flagged by the open source scanning solution, and then ruled out by the development team. You may think "a few false positives here and there can happen, as long as the majority is correct". The truth of the matter is that these false positives are usually only manageable if the total number of open source components used in your products is limited. However, over the years, open source components have been growing exponentially: in our database alone, we're talking today about more than 155 million open source components (both source and binary) in languages such as Java, Ruby, and Python, and another 11 billion open source files in languages such as C/C++, JavaScript, PHP, and Objective-C.
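A constructed illustration of why snippet matching produces false positives at scale, added here and not taken from the original post or from any scanner vendor: a toy fingerprint scanner flags three components for in-house code that merely uses a common idiom, and a ubiquity filter (an assumed mitigation, not described in the post) drops the shared-idiom matches while still catching a genuinely pasted routine. The window size, component names and corpus are all made up for the example.

```python
import hashlib
import re
from collections import defaultdict

K = 5  # tokens per fingerprint window; an assumed parameter for this toy scanner


def fingerprints(src, k=K):
    """Hash every k-token window of src: a crude stand-in for snippet fingerprinting."""
    toks = re.findall(r"[A-Za-z_]\w*|\d+|[^\s\w]", src)
    return {hashlib.sha1(" ".join(toks[i:i + k]).encode()).hexdigest()[:12]
            for i in range(len(toks) - k + 1)}


def build_index(components):
    """Map each fingerprint to the set of components it occurs in."""
    index = defaultdict(set)
    for name, src in components.items():
        for fp in fingerprints(src):
            index[fp].add(name)
    return index


def scan(src, index, max_ubiquity=None):
    """Return {component: number of matching fingerprints}. With max_ubiquity set,
    fingerprints shared by more than that many components count as boilerplate
    and are ignored, which is what suppresses the idiom-only matches below."""
    hits = defaultdict(int)
    for fp in fingerprints(src):
        owners = index.get(fp, set())
        if max_ubiquity is not None and len(owners) > max_ubiquity:
            continue
        for name in owners:
            hits[name] += 1
    return dict(hits)


# Constructed corpus: three "components" sharing one summing idiom, plus in-house
# code that uses the same idiom independently (nothing was copied from them).
IDIOM = "int sum = 0; for (int i = 0; i < n; i++) { sum += a[i]; } return sum;"
COMPONENTS = {name: f"int {name}_sum(const int *a, int n) {{ {IDIOM} }}\n"
                    f"void {name}_init(void) {{ {name}_ready = 1; {name}_seed = {seed}; }}"
              for name, seed in (("alpha", 42), ("beta", 7), ("gamma", 3))}
IN_HOUSE = (f"int total_sum(const int *a, int n) {{ {IDIOM} }}\n"
            "void report(void) { emit(total_sum(buf, len)); }")
# The same in-house file with alpha's init routine pasted in verbatim: a true positive.
COPIED = IN_HOUSE + "\nvoid alpha_init(void) { alpha_ready = 1; alpha_seed = 42; }"
INDEX = build_index(COMPONENTS)
# scan(IN_HOUSE, INDEX) flags alpha, beta and gamma; scan(IN_HOUSE, INDEX, 2) flags none.
# scan(COPIED, INDEX, 2) flags only alpha, the component that was actually copied.
```

The naive scan reports every component that happens to contain the idiom, so the number of spurious alerts grows with the size of the component database, which is the scaling problem the post describes.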