Introduction

 

Today’s time-to-market imposes high pressure on releasing new versions of your application. Productivity becomes essential, and most of the time you will incorporate external open source components that let you build new functionality quickly and with minimum effort.

Open source repositories provide huge amounts of software that lets you build new applications quickly and robustly.

But it is not all benefits; there can also be drawbacks to using open source components.

The first obvious question has to do with how much open source software your application is using.

 

Do you have a complete components inventory with all the 3rd party components being used by your software?

If you are a developer you most probably know the answer to this question. But if you are in a position closer to management, it’s likely that you don’t know the answer.

Modern applications, in most cases, use open source components, and yours will not be an exception. And, although the benefits are clear, you might be thinking of some inherent risks.

 

Do you know how much security risk those 3rd party components introduce?

You are most probably dedicating a lot of effort to remediating security vulnerabilities in your own software, but those efforts are wasted if 3rd party components are vulnerable. As you know, any security vulnerability makes the whole application vulnerable.

 

Are those components obsolete? You might be using “outdated” components or, even worse, “dead” components.

What if you are using old versions of those components? Old versions might introduce security breaches or bugs that are already solved in newer versions.

Or, even worse, what would happen if those buggy components are dead, i.e. no longer being developed?

 

Are you aware of legal licensing implications of using those 3rd party components?

There are many 3rd party components that are “Copyleft” licensed.

In a broad sense, this kind of license means that, although you are allowed to use that software in your application, once you have included it in your application the whole application becomes “Copyleft” licensed, i.e. you are implicitly giving every person who receives a copy of your software permission to reproduce, adapt, or distribute it.

Is this your intention? If not, you should identify all Copyleft components you are using in your application and act accordingly.

 

These, and probably others, are common questions when using 3rd party components.

Kiuwan Insights answers all these questions by providing:

  1. a complete Components Inventory of 3rd party software used by your applications, and
  2. detailed information on the Security, Obsolescence and Licensing Risks of those components

 

Components Inventory

If you are a developer, you most probably have access to build systems where external components are “identified”.

But are those 3rd party components part of a “controlled” inventory? Most probably not.

Kiuwan Insights analyzes your application software, discovers all external dependencies, and builds a Components Inventory that lets you keep track of any external piece of code that could be part of your application.

 

Supported languages and resources

Kiuwan Insights uses the following resources to extract information on 3rd party dependencies.

For each supported language: the supported repositories, the supported build systems (and the files parsed), the repositories queried, and where license information is extracted from.

Java
  • Supported repositories: Maven, Gradle
  • Supported build systems: Ant (*.xml files), Maven (pom.xml files), Gradle (*.gradle files), *.jar, *.war, *.ear files
  • Repositories used: Maven (central or others configured in settings.xml or pom.xml files): https://repo.maven.apache.org/maven2/
  • Licenses extracted from: pom.xml; license file inside the jar file.

JavaScript
  • Supported repositories: npm, Bower
  • Supported build systems: npm (package.json files), Bower (bower.json files), Yarn (package.json files)
  • Repositories used: npm: https://www.npmjs.com/
  • Licenses extracted from: npm REST services.

.NET
  • Supported repositories: NuGet
  • Supported build systems: NuGet (*.csproj, project.json, global.json, *.vbproj files)
  • Repositories used: NuGet: https://www.nuget.org/
  • Licenses extracted from: NuGet REST services.

Python
  • Supported repositories: PyPI, GitHub
  • Supported build systems: PyPI (setup.py files), Requirements (txt file with declared dependencies)
  • Repositories used: PyPI: https://pypi.org/
  • Licenses extracted from: PyPI REST services.

Scala
  • Supported repositories: Maven
  • Supported build systems: SBT (build.sbt)
  • Repositories used: Maven (central or others configured in settings.xml or pom.xml files): https://repo.maven.apache.org/maven2/
  • Licenses extracted from: pom.xml.

Swift
  • Supported repositories: CocoaPods, GitHub
  • Supported build systems: Podspec (*.podspec, Podfile.lock files), Package (Package.swift files)
  • Repositories used: Podspec repository on GitHub: https://github.com/CocoaPods/Specs
  • Licenses extracted from: podspec.json of the component.

PHP
  • Supported repositories: Packagist
  • Supported build systems: Composer (composer.json, composer.lock files)
  • Repositories used: Packagist: https://packagist.org/
  • Licenses extracted from: Packagist REST services.

Ruby
  • Supported repositories: RubyGems
  • Supported build systems: Gemfile, Gemfile.lock and *.gemspec files
  • Repositories used: RubyGems: https://rubygems.org/
  • Licenses extracted from: license and obsolescence support pending.

Kotlin
  • Supported repositories: Maven, Gradle, Ant
  • Supported build systems: Ant (*.xml files), Maven (pom.xml files), Gradle (*.gradle and *.gradle.kts files)
  • Repositories used: Maven (central or others configured in settings.xml or pom.xml files): https://repo.maven.apache.org/maven2/
  • Licenses extracted from: Maven services.

Vulnerability database used (all languages)
  • NVD: https://nvd.nist.gov/

 

 

From these sources, Kiuwan Insights builds the Components Inventory of your application.

You can add your own private (local or remote) and/or public repositories by configuring Kiuwan Local Analyzer accordingly.

Please visit Insights - Additional Maven repositories for further information.

 

Components Inventory is available at Insights >> Components tab.

 

 

Security, Obsolescence and Licensing

At a glance, Kiuwan Insights provides detailed information and visual indicators that quickly let you know the level of risk associated with every external component.

Every component is assigned a level (High, Medium, Low or None) on three different risk metrics:

 

Security information is available at Insights >> Security tab.

Obsolescence information is available at Insights >> Obsolescence tab.

Licensing information is available at Insights >> Licenses tab.
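To make the workflow described on this page concrete (inventory built from pom.xml and package.json, then a High/Medium/Low/None level on the Security, Obsolescence and Licensing metrics), here is an added toy example. It is not Kiuwan's code: the manifests, the registry metadata, the vulnerability records and the risk thresholds are all constructed for illustration.

```python
"""Toy components inventory and risk scoring modelled on the Kiuwan Insights
workflow (added example, not Kiuwan's own code; all data below is constructed)."""
import json
import xml.etree.ElementTree as ET

# Constructed manifests; the page names pom.xml and package.json as inventory sources.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.example</groupId><artifactId>parser</artifactId><version>1.2.0</version></dependency>
  <dependency><groupId>org.example</groupId><artifactId>netlib</artifactId><version>0.9.1</version></dependency>
</dependencies></project>"""
PACKAGE_JSON = '{"dependencies": {"leftpad-ish": "^1.0.0", "oldlogger": "2.3.4"}}'

# Constructed stand-ins for the NVD feed, registry metadata and license lookups.
VULN_FEED = {("org.example:netlib", "0.9.1"): ["SAMPLE-VULN-001"]}
LATEST_VERSION = {"org.example:parser": "1.2.0", "org.example:netlib": "2.0.0",
                  "leftpad-ish": "1.0.0", "oldlogger": "2.3.4"}
MAINTAINED = {"org.example:netlib": True, "oldlogger": False}  # absent -> assumed maintained
LICENSES = {"org.example:parser": "Apache-2.0", "org.example:netlib": "GPL-3.0-only",
            "leftpad-ish": "MIT", "oldlogger": "LGPL-2.1-only"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}

def inventory_from_pom(text):
    """Return (group:artifact, version) pairs declared in a Maven pom.xml."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    deps = ET.fromstring(text).iterfind(".//m:dependency", ns)
    return [(f"{d.findtext('m:groupId', namespaces=ns)}:{d.findtext('m:artifactId', namespaces=ns)}",
             d.findtext("m:version", namespaces=ns)) for d in deps]

def inventory_from_package_json(text):
    """Return (name, version) pairs from package.json, stripping ^/~ range prefixes."""
    deps = json.loads(text).get("dependencies", {})
    return [(name, spec.lstrip("^~")) for name, spec in deps.items()]

def risk_levels(name, version):
    """Assign High/Medium/Low/None on the three risk metrics (thresholds are assumptions)."""
    security = "High" if VULN_FEED.get((name, version)) else "None"
    if not MAINTAINED.get(name, True):
        obsolescence = "High"    # dead component: nobody will ship a fix
    elif LATEST_VERSION.get(name, version) != version:
        obsolescence = "Medium"  # outdated: a newer release exists
    else:
        obsolescence = "None"
    lic = LICENSES.get(name, "UNKNOWN")
    licensing = ("High" if lic in STRONG_COPYLEFT else "Medium" if lic in WEAK_COPYLEFT
                 else "Low" if lic == "UNKNOWN" else "None")
    return {"security": security, "obsolescence": obsolescence, "licensing": licensing}

def build_report():
    components = inventory_from_pom(POM_XML) + inventory_from_package_json(PACKAGE_JSON)
    return {f"{n}@{v}": risk_levels(n, v) for n, v in components}
```

Running build_report() flags the GPL-licensed, outdated, vulnerable netlib on all three metrics and the unmaintained LGPL oldlogger on obsolescence and licensing, while the current MIT package scores None everywhere.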