Open Source License Detection and Expanded Git Repo Scanning

Apr 29, 2021
4 minutes
168 views

A March 2021 report by Forrester, The State Of Application Security, 2021, showed that almost 99% of codebases it audited contained open source components. Further, as of 2019, the average codebase of those audited was 70% open source components. These open source libraries speed up development by relying on code contributed and vetted by the community. However, developers need to understand the licensing and security of these dependencies to provide proper attribution, use, and security.

With the latest release for Prisma Cloud, we have extended our platform with two new capabilities for advanced licensing detection and software composition analysis (SCA) via our command line interface tool, twistcli. These features provide developers and compliance teams the capability to understand the impact that licenses may have on application dependencies. Additionally, we have extended our SCA capabilities to let developers run scans locally or in custom environments, such as Jenkins. Meanwhile, security teams can view the legal requirements for a given license and understand potential effects on security posture in a single place.

 

Understanding Open Source License Compliance

Licensing for open source products is highly nuanced, which can make it difficult to understand. Some, such as "copyleft" licenses, require the release of source code, which is incompatible with many enterprise policies. Others, such as MIT, are less restrictive, but require attribution. SCA then is the capability to identify open source components used by a software service, for the purposes of security and compliance.

Prisma Cloud allows developers to identify open source packages in their services, the vulnerabilities and compliance violations within those packages, and helps identify packages that need to be updated. It's all achieved using plugins with developer tools such as interactive development environments (IDE) or continuous integration (CI) and source code management (SCM) tools.

 

Advanced Open Source License Detection in Prisma Cloud

With the launch of our advanced license detection capability, developers can use twistcli in combination with plugins for continuous integration (CI) and source code management (SCM) tools to scan their Node.js, Python, Java and, with the latest release, Go-based applications. Scans can be kicked off locally on-demand during development, or at regular intervals in pipelines and repositories.

Result of CI scan of open source packages with licenses
Result of CI scan of open source packages with licenses.

The result is clear visibility of the licenses in use. Understanding which licenses helps ensure proper use and attribution to avoid potential legal issues. Additionally, application scan results are sent to Prisma Cloud, where security and risk teams gain broad visibility of the licenses in use across their environments. There they can use controls to alert or block dependencies that contain certain licenses that don’t meet internal compliance requirements.

 

Customizable license alerting thresholds
Customizable license alerting thresholds.

Extending Software Composition Analysis Coverage

In addition to licensing, this release extends the ways you can leverage existing SCA capabilities. Previously, our SCA capabilities only supported GitHub, however twistcli can now scan for vulnerabilities in dependencies in both git-based and non-git-based environments.

This capability shifts scanning activity further left, by letting developers run their scans locally or in the CI or SCM environment of their choice. Now developers won’t be surprised by security reviews, because they are empowered to find vulnerabilities in their own development environments.

 

Twistcli used to scan a private registry for vulnerabilities and compliance.
Twistcli used to scan a private registry for vulnerabilities and compliance.

Just like the advanced licensing feature, all results show up in our UI. Central security teams can enforce guardrails and track the posture of codebases over time, providing developers earlier feedback, and increasing the likelihood of patching.

 

Central view of CI builds with their vulnerabilities.
Central view of CI builds with their vulnerabilities.

 

Adding guardrails to block critically vulnerable packages with vendor fixes
Adding guardrails to block critically vulnerable packages with vendor fixes.

 

Empowering Developers With Security Capabilities

Both of these features help users improve their security and risk posture with the least amount of friction.

Developers can continue using their existing environments while gaining better insights into the licenses and vulnerabilities of open source packages. Security teams scale their efforts by providing automated feedback to the developers.

For the vulnerabilities that may still make it into production, Prisma Cloud defenders still protect your application from exploits. We cover your security from left to right, build time to runtime.

For more information about this and other recent features, check out our announcement blog.


Subscribe to Cloud Native Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.