How To Check Open Source Code For Vulnerabilities

Open source software is an important part of modern software infrastructure, and it keeps getting easier to download and install open source components. The downside of this convenience is that developers generally do not have the time or resources to test that software for vulnerabilities themselves. This article provides guidelines for organizations that need to identify which open source components are present in their development, deployment, or production environments, and which of those components carry known vulnerabilities.

The rest of this article surveys tools that do that job: each discovers the components an application depends on and compares their versions against one or more vulnerability databases. A known vulnerability in a dependency, often called a "bug" or "glitch" in the open source community, can give an attacker access to sensitive files, unauthorized access to applications and servers, or the ability to modify or delete data. The practical questions for each tool are which ecosystems it reads dependency information from, which vulnerability sources it draws on, and how it fits into the development lifecycle.

Node Security Project (NSP)

The NSP is known for its work on Node.js modules and npm dependencies. It also provides tooling that enumerates a project's dependencies and checks them against public vulnerability databases such as the NIST National Vulnerability Database (NVD), as well as against its own advisory database, which it builds from the scans it runs on npm modules. Note that NSP was folded into npm, Inc. in 2018: its checks live on as the npm audit command, and the standalone nsp scanner is deprecated.

Adam Baldwin from the NSP sees a future where dependency security is part of the SDLC: “Soon you will see a number of products from us including continuous security monitoring and integration with GitHub (and other products) so that you can plug in security monitoring, detection, alerting, and remediation for the areas of your development lifecycle that are relevant to you.”

Contrast OSS

Contrast OSS works by installing an instrumentation agent inside the running application. Because the agent observes the application from within, it can discover which open source libraries are actually loaded and report their versions and how they are used, rather than inferring that from build manifests alone.

Alerts are triggered when risks and policy violations are detected anywhere across the SDLC. In production, Contrast monitors, blocks and alerts on attacks targeting open source libraries and components.

Price: Not listed, but it is priced per-application. There is a demo available and you can try the tool with one app for free.

Pros: A clean interface and a low false-positive rate.

Cons: There is room for improvement in the reporting features; users report that the output is not suitable for a high-level view that can be presented to management. Contrast also lacks support for client-side JavaScript libraries such as jQuery, and users describe it as difficult to automate because setup differs for each application.

RetireJS

RetireJS is an open source, JavaScript-specific dependency checker. The project is primarily focused on ease of use, which is why it ships as several components: a command-line scanner, plugins for Grunt and Gulp, browser extensions for Chrome and Firefox, and extensions for ZAP and Burp. RetireJS also offers a site-checking service for JavaScript developers who want to find out whether a page is loading a JavaScript library with known vulnerabilities.

RetireJS retrieves its vulnerability information from the NIST NVD as well as a multitude of other sources, including mailing lists, bug-tracking systems, and blogs for popular JavaScript projects. Erlend Oftedal from RetireJS thinks that security is everyone’s problem and more collaboration is needed: “I would like to see authors of popular open-source frameworks themselves start reporting security fixes to tools such as Retire.js in order to keep the users of their software safer.”

Spectral

Spectral finds misconfigurations and exposed secrets as soon as they appear in the coding pipeline, so they can be fixed before they reach a build or a deployment. Setup is nearly fully automated, with support for over 20 data sources (e.g. GitHub, GitLab, npm) and over 200 built-in and customizable detectors; Spectral describes its detectors as language-agnostic and generated with AI and machine learning models.

Price: Spectral does not announce its pricing. You can request a free trial by clicking the “Get Started” button on Spectral’s home page.

Pros: Highly optimized; an average-sized repository takes less than a second to scan. Very flexible, scanning logs, code, apps, images and more.

Cons: While Spectral introduces many interesting new features, it is still the new kid on the block and as such, it still has to prove its worth.
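To make the detection step concrete, here is an added example (not Spectral's code) of the two kinds of detector such a scanner runs over a commit: fixed-format patterns for credentials with a recognizable shape, and a Shannon-entropy check on values assigned to secret-looking names, which is how a scanner avoids flagging placeholders like password=changeme. The file contents, the sk_live_ token and the thresholds are constructed for illustration; the AWS key ID is the non-functional example value AWS uses in its own documentation.

```javascript
// Added example, not Spectral's code: a minimal secrets scanner combining
// fixed-format detectors with an entropy check on assigned values.

// Constructed sample files, keyed by path. The AKIA value is AWS's own
// documentation placeholder; the sk_live_ token is made up.
const SAMPLE_FILES = {
  "config/app.env": "DB_HOST=localhost\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDEBUG=true\n",
  "src/client.js": 'const apiToken = "sk_live_3f9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c";\nconst color = "blue";\n',
  "deploy/key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n",
  "README.md": "Set PASSWORD in your environment, e.g. password=changeme\n",
};

// Detectors for credentials with a fixed, recognizable format.
const PATTERN_DETECTORS = [
  { id: "aws-access-key-id", regex: /\bAKIA[0-9A-Z]{16}\b/g },
  { id: "private-key-block", regex: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g },
];

// Generic detector: a secret-looking name assigned a long, high-entropy value.
// The thresholds are assumptions; tune them against your own repositories.
const SECRET_ASSIGNMENT = /\b(\w*(?:secret|token|password|passwd|api[_-]?key)\w*)\s*[:=]\s*["']?([A-Za-z0-9_\-+/=]{8,})["']?/gi;
const MIN_LENGTH = 16;
const MIN_ENTROPY = 3.5; // bits per character

function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Never echo a full secret into a report or a log; it would just leak again.
function redact(value) {
  return value.length <= 8 ? "********" : value.slice(0, 4) + "..." + value.slice(-2);
}

function scanText(path, text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    for (const d of PATTERN_DETECTORS) {
      for (const m of line.matchAll(d.regex)) {
        findings.push({ path, line: i + 1, detector: d.id, preview: redact(m[0]) });
      }
    }
    for (const m of line.matchAll(SECRET_ASSIGNMENT)) {
      const [, name, value] = m;
      const entropy = shannonEntropy(value);
      if (value.length >= MIN_LENGTH && entropy >= MIN_ENTROPY) {
        findings.push({ path, line: i + 1, detector: "high-entropy-assignment", name, entropy: Number(entropy.toFixed(2)), preview: redact(value) });
      }
    }
  });
  return findings;
}

function scanFiles(files) {
  return Object.entries(files).flatMap(([path, text]) => scanText(path, text));
}

for (const f of scanFiles(SAMPLE_FILES)) {
  console.log(`${f.path}:${f.line} ${f.detector}${f.name ? " (" + f.name + ")" : ""} ${f.preview}`);
}
```

Running it reports the AWS key ID, the apiToken assignment and the PEM header, and stays quiet on the README line: "changeme" is too short and too repetitive to clear the entropy bar. In a real pipeline the same scan runs on each commit's diff rather than the whole tree, and a hit should block the push before the secret is in history.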

OSSIndex

OSSIndex supports several technologies. It extracts dependency information from npm, NuGet, Maven Central, Bower, Chocolatey, and MSI packages, which covers the JavaScript, .NET/C#, and Java ecosystems as well as Windows installers. OSSIndex also provides a vulnerability lookup API free of charge.

OSSIndex currently retrieves its vulnerability information from the NIST NVD. Ken Duck from OSSIndex plans to include automated importing of vulnerabilities from some key mailing lists, databases, and bug-tracking systems in the near future.

WhiteSource

WhiteSource (now operating under the name Mend) aims to make it easy to develop secure software without compromising on speed or agility. With native integration into build and development environments, WhiteSource enforces policies automatically, flagging problems before they surface or remediating them as soon as they are detected.

WhiteSource promises to reduce security alerts by up to 85% by prioritizing vulnerabilities according to whether your proprietary code actually exercises the vulnerable code.

Price: The annual pricing depends on the number of contributing developers and ranges from $5,460 for a single developer up to $192,400 for 500 developers. A free trial is available.

Pros: The ‘fix suggestions’ feature traces the vulnerability back to where it sits in your code and offers suggestions on how to fix the issue. The attribution and license due-diligence reports satisfy the copyright, license, and component-usage disclosures that open source licenses require.

Cons: The user interface and user experience are not as intuitive as they could be. Some detected libraries do not specify where in the source they were used.

OWASP Dependency-Check

Dependency-Check is an open source command-line tool from OWASP that is well maintained. It can be run stand-alone or from build-tool plugins. Dependency-Check supports Java, .NET, JavaScript, and Ruby. The tool retrieves its vulnerability information strictly from the NIST NVD, which it mirrors into a local database, so results are only as current as the last data update.
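NSP, RetireJS, OSSIndex and Dependency-Check all share one core loop: enumerate the components an application actually ships, then match each name and version against advisories that carry a vulnerable version range. The added example below (not any of these tools' code) does that for an npm lockfile, including the nested duplicate copy of a package that a shallow look at package.json would miss. The lockfile, package names, advisory IDs and ranges are all constructed; the range syntax is a subset of node-semver's.

```javascript
// Added example, not the code of NSP, RetireJS, OSSIndex or Dependency-Check:
// enumerate components from a lockfile, then match each name@version against
// advisories with vulnerable ranges.

// Constructed package-lock.json (lockfileVersion 2/3 layout: "packages" keyed
// by install path, so nested duplicate copies are visible).
const LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-util": { version: "1.2.3" },
    "node_modules/tpl-engine": { version: "3.1.4" },
    "node_modules/tpl-engine/node_modules/left-util": { version: "0.9.1" }, // older nested copy
    "node_modules/dev-only": { version: "2.0.0", dev: true },
  },
};

// Constructed advisories in the shape a tool keeps after importing its sources:
// package, vulnerable version range, first fixed version. Not real CVEs.
const ADVISORIES = [
  { id: "DEMO-2001", package: "left-util", vulnerable: ">=0.0.0 <1.2.0", fixed: "1.2.0", severity: "high", title: "prototype pollution in merge()" },
  { id: "DEMO-2002", package: "tpl-engine", vulnerable: ">=3.0.0 <3.2.0", fixed: "3.2.0", severity: "critical", title: "template injection in render()" },
  { id: "DEMO-2003", package: "dev-only", vulnerable: "<2.1.0", fixed: "2.1.0", severity: "low", title: "ReDoS in parse()" },
];

// "1.2.3", "v1.2.3", "1.2.3-beta.1" -> [1, 2, 3]. Prerelease and build tags
// are dropped, a simplification of full semver ordering.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Range syntax (a subset of node-semver): alternatives joined by "||", each a
// space-separated list of comparators that must all hold, e.g. ">=1.0.0 <1.2.0".
function satisfies(version, range) {
  return range.split("||").some((alt) =>
    alt.trim().split(/\s+/).every((comparator) => {
      const m = /^(>=|<=|>|<|=)?(v?\d+\.\d+\.\d+)$/.exec(comparator);
      if (!m) throw new Error(`unsupported comparator: ${comparator}`);
      const cmp = compareVersions(version, m[2]);
      switch (m[1] || "=") {
        case ">=": return cmp >= 0;
        case "<=": return cmp <= 0;
        case ">": return cmp > 0;
        case "<": return cmp < 0;
        default: return cmp === 0;
      }
    }));
}

// Flatten the lockfile into components. The name is the last path segment after
// "node_modules/", which also handles nested copies and @scoped packages.
function listComponents(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path !== "") // "" is the root project itself
    .map(([path, entry]) => {
      const name = path.split("node_modules/").pop();
      return {
        name,
        version: entry.version,
        path,
        dev: Boolean(entry.dev),
        // Package URL, the identifier form OSS Index accepts; a scoped name
        // would need its "@" percent-encoded as %40.
        purl: `pkg:npm/${name}@${entry.version}`,
      };
    });
}

function findVulnerable(components, advisories) {
  const findings = [];
  for (const c of components) {
    for (const adv of advisories) {
      if (adv.package === c.name && satisfies(c.version, adv.vulnerable)) {
        findings.push({ id: adv.id, severity: adv.severity, title: adv.title, name: c.name, version: c.version, path: c.path, fixed: adv.fixed });
      }
    }
  }
  return findings;
}

// Dev-only dependencies are excluded by default here; pass { includeDev: true }
// to audit the build toolchain too (a build-time compromise is still a risk).
function scan(lock, advisories, { includeDev = false } = {}) {
  const components = listComponents(lock).filter((c) => includeDev || !c.dev);
  return findVulnerable(components, advisories);
}

for (const f of scan(LOCKFILE, ADVISORIES)) {
  console.log(`${f.severity.toUpperCase()} ${f.id} ${f.name}@${f.version} (${f.path}): ${f.title}; upgrade to ${f.fixed} or later`);
}
```

The top-level left-util@1.2.3 is clean, but the copy nested under tpl-engine is still 0.9.1 and gets flagged, which is exactly the case a scanner that only reads direct dependencies misses. The advisory data is the part that differs between tools: NSP, RetireJS and OSSIndex each maintain their own feed on top of the NVD, and Dependency-Check uses the NVD alone.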

Snyk

Snyk is a commercial service that, at the time of writing, focused on JavaScript npm dependencies (it has since added support for many other ecosystems). Not only does it detect known vulnerabilities in JavaScript projects, but it also helps users fix them using guided upgrades and open source patches that Snyk creates for cases where upgrading is not an option.

Snyk has its own vulnerability database, which gets its data from the NIST NVD and the NSP. Snyk’s focus is on scaling known vulnerability handling across the entire organization and its teams, with better collaboration tools and tighter GitHub integrations. Snyk’s CEO, Guy Podjarny, indicated that Snyk’s future plans include building runtime tools that will give developers better visibility and control when running open-source packages on production systems.

Sonatype Nexus

Nexus claims to automatically stop risky components from entering your software supply chain by letting you know exactly what components are inside your software applications. It also helps to enforce open source policies across the SDLC and automatically generates a Software Bill of Materials.

Price: Nexus offers multiple products covering different aspects of open source security with annual subscription prices ranging from $120-780 per user and $1,000 per app.

Pros: The vulnerability description clearly shows where the problem is and the software offers an explanation of the vulnerability as well as a recommendation on how to fix the problem. This is especially helpful when there is no possibility to fix the issue by updating the library. The low rate of false positives keeps developers happy and the product features a REST API that can be used for automation.

Cons: Mainly Java-centric, with support for other languages lagging behind. Users describe the API as fairly limited compared with a full RESTful interface, and the user interface as not very intuitive.

Gemnasium

Gemnasium is a commercial tool with free starting plans. It maintains its own database that draws on several sources; vulnerabilities are reviewed manually every day, but advisories are not published automatically. (Gemnasium was acquired by GitLab in 2018, and its dependency scanning now lives inside GitLab.)

Gemnasium provides an auto-update feature that tests a chosen subset of dependency-version combinations rather than every combination, which saves a considerable amount of time. Gemnasium supports Ruby, npm (JavaScript), PHP, Python, and Bower (JavaScript). Another distinctive offering is its Slack integration: users are notified through Slack in real time as soon as an advisory is detected.

Philippe Lafoucrière from Gemnasium indicated that future plans include an enterprise version of Gemnasium, running on clients’ premises with more languages supported, starting with Java.

ShiftLeft Scan

ShiftLeft Scan lets you protect custom code with static analysis (SAST), secure open-source libraries (SCA), and employ hard-coded secrets detection and OSS license violation checks. ShiftLeft Scan claims to be built with usability and rapid time-to-value in mind, with one-click deploy marketplace integrations for popular DevOps tools and cloud infrastructure vendors.

Price: As an open source project released under the GPLv3 license, ShiftLeft Scan is free to use.

Pros: Privacy! Your code, dependencies, and configuration never leave your builds. All scanners, rules, data and vulnerability databases are downloaded locally.

Cons: It looks like ShiftLeft is shifting away from Scan and no longer providing support for the solution, focusing on their new “NextGen Static Analysis” product instead.

Source Clear

Source Clear is a commercial tool with a couple of interesting attributes. It has its own database, which builds on the NIST NVD but also pulls vulnerability information from mailing lists and several other sources. (SourceClear was acquired by Veracode in 2018 and now underpins Veracode's software composition analysis offering.)

It offers many plugins for IDEs, deployment systems, and source repositories, as well as a command-line interface. Finally, Source Clear uses “vulnerable methods identification”, a way to figure out whether the vulnerable code in a dependency is actually called by the application. The feature dramatically reduces false positives and gives developers targeted reports for the vulnerabilities that matter. Source Clear has just announced plans to offer a free version of its software.
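Source Clear's vulnerable methods identification and WhiteSource's usage-based prioritization rest on the same idea: a vulnerable dependency only matters if the application reaches the vulnerable code. The added example below (not either vendor's code; both use real call-graph analysis rather than this textual approximation) takes the findings a dependency checker produced and the application's own sources, resolves how each package is imported in each file, and reports which advisories have an actual call site. Sources, package names, function names and advisory IDs are constructed.

```javascript
// Added example, not Source Clear's or WhiteSource's code: a textual
// approximation of vulnerable-method reachability. Real products build a call
// graph; this resolves import bindings and looks for direct calls only.

// Constructed application sources, keyed by path.
const APP_SOURCES = {
  "src/render.js": 'const tpl = require("tpl-engine");\nmodule.exports = (s, ctx) => tpl.render(s, ctx);\n',
  "src/util.js": 'const lu = require("left-util");\nexports.copy = (o) => lu.clone(o);\n',
  "src/report.js": 'import { compile } from "tpl-engine";\nexport const build = (x) => compile(x);\n',
};

// Constructed findings as a dependency checker would report them, extended with
// the functions the advisory says are affected.
const FINDINGS = [
  { id: "DEMO-2001", package: "left-util", version: "0.9.1", vulnerableFunctions: ["merge"] },
  { id: "DEMO-2002", package: "tpl-engine", version: "3.1.4", vulnerableFunctions: ["render", "compile"] },
];

// Resolve how a package is bound in one file: a namespace binding (CommonJS
// require, default import or "* as") or named ESM imports. Destructured
// require and dynamic import() are not handled.
function findImportBindings(source) {
  const bindings = [];
  const cjs = /(?:const|let|var)\s+(\w+)\s*=\s*require\(\s*["']([^"']+)["']\s*\)/g;
  for (const m of source.matchAll(cjs)) bindings.push({ pkg: m[2], kind: "namespace", local: m[1] });
  const esmDefault = /import\s+(?:\*\s+as\s+)?(\w+)\s+from\s+["']([^"']+)["']/g;
  for (const m of source.matchAll(esmDefault)) bindings.push({ pkg: m[2], kind: "namespace", local: m[1] });
  const esmNamed = /import\s*\{([^}]+)\}\s*from\s+["']([^"']+)["']/g;
  for (const m of source.matchAll(esmNamed)) {
    for (const spec of m[1].split(",")) {
      const [imported, local] = spec.trim().split(/\s+as\s+/);
      if (imported) bindings.push({ pkg: m[2], kind: "named", local: local || imported, imported });
    }
  }
  return bindings;
}

// Line numbers in `source` where function `fn` of the bound package is called.
function findCallSites(source, binding, fn) {
  let pattern;
  if (binding.kind === "namespace") pattern = new RegExp(`\\b${binding.local}\\.${fn}\\s*\\(`);
  else if (binding.imported === fn) pattern = new RegExp(`(?<![\\w.])${binding.local}\\s*\\(`);
  else return [];
  return source.split("\n")
    .map((line, i) => (pattern.test(line) ? i + 1 : 0))
    .filter((n) => n > 0);
}

// Annotate each finding with whether any app file calls an affected function.
function assessReachability(findings, sources) {
  return findings.map((f) => {
    const callSites = [];
    for (const [path, source] of Object.entries(sources)) {
      for (const b of findImportBindings(source).filter((x) => x.pkg === f.package)) {
        for (const fn of f.vulnerableFunctions) {
          for (const line of findCallSites(source, b, fn)) {
            callSites.push({ path, line, call: b.kind === "namespace" ? `${b.local}.${fn}` : b.local });
          }
        }
      }
    }
    return { ...f, reachable: callSites.length > 0, callSites };
  });
}

// Reachable findings first; unreachable ones are still reported, just lower.
function prioritize(findings, sources) {
  return assessReachability(findings, sources).sort((a, b) => Number(b.reachable) - Number(a.reachable));
}

for (const f of prioritize(FINDINGS, APP_SOURCES)) {
  const where = f.callSites.map((c) => `${c.path}:${c.line} ${c.call}()`).join(", ");
  console.log(`${f.id} ${f.package}@${f.version} reachable=${f.reachable}${where ? " via " + where : ""}`);
}
```

Here the tpl-engine advisory is reachable twice (tpl.render in render.js and the named import compile in report.js), while left-util's merge() is never called even though the vulnerable version is installed, so it drops to the bottom of the list rather than disappearing: an unreachable vulnerability can become reachable with the next feature, and transitive calls inside other dependencies are invisible to a check this shallow.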


Have you ever thought about the number of applications and services that you use every day? Everything from your web browser to the operating system that runs your computer is made up of systems, applications, and libraries that are written by programmers.

