Security

Open Source Vulnerability Index Containing 140,000 Vulnerabilities Launched by Sonatype

Sonatype operates on the principles of better, safer, and faster delivery with software supply chain automation. The company acquired the OSS Index last year and has now launched an automated and re-designed Open Source Software Index that provides developers with information on OSS dependencies and vulnerabilities for more informed product development. As explained by the company’s Co-founder and CTO, Brian Fox, this latest release gears up the company’s efforts in providing developers with fundamental resources to ensure that their products are host to strong security systems that can withstand known vulnerabilities as the open source platform can be very unforgiving in this matter. This new launch promises a cleaner interface as well as easy to understand and thoroughly verified information.

Sonatype’s OSS Index derives information from publicly posted and assessed vulnerabilities, hosting 2.6 million packages and details on 140,000 known open source vulnerabilities. It supports 7 languages at launch, subject to support more soon. These languages are: Bower (JavaScript), PHP, Maven/Gradle (Java), npm (Java Script), NuGet, Puthon, RubyGems, and RPM. The Index runs upon a particular format. It displays the namespace which is a descriptive name prefix, the name of the component or package, its version, other type-specific qualifiers such as OS or distro, and subpath within a component relative to the package root. Package URls are written in the “type:namespace/name@version?qualifiers#subpath” syntax and package urls with pkg scheme are written in the “pkg:type/namespace/name@version?qualifiers#subpath” syntax. Such details are kept consistent throughout the OSS Index to ensure that the quality of data presented is maintained.

The index also facilitates easy implementation with its many open source tools, the most prominent being its REST API. Other integrations in the index such as the Maven Enforcer plugin and OWASP Dependency Check make the database an all-round information tool on OSS vulnerabilities. In addition to this, the index allows for toolchain integration with its native extensions and applications. It features an Audit.js integration which audits npm projects and the Index also draws from Sonatype’s own The Central Repository. Other than the platform specific auditing tools provided, DevAudit, an open-source cross-platform multi-purpose security auditing tool, is also available for developers to use.

Close