Have you ever used a tool to find open source vulnerabilities in your software, only to get whole components and all of their matching CVEs as the result? With the VulnSnippetFinder from FOSSID you find the actual lines of code that introduce vulnerabilities, regardless of whether you are scanning open source or even proprietary code!
The FOSSID VulnSnippetFinder
At their best, vulnerability detection tools identify open source components and correlate them with known vulnerability lists from public repositories (most commonly the National Vulnerability Database, NVD).
Oftentimes, though, the vulnerabilities only relate to a few files or even a couple of lines of code within a whole component, and with traditional tools you run the risk of being overwhelmed by imprecise vulnerability lists and false positives.
This is where FOSSID’s vulnerability snippet finder, or “VulnSnippetFinder”, comes in. The VulnSnippet Finder is a market first, and a revolutionary new tool that detects the actual lines of code (snippets) that introduce the vulnerabilities. And it does so regardless of whether it scans known or unknown open source components, or even proprietary code.
Traditional Security Scanning
- Assumes vulnerabilities based on component/version
- Assumes the identified version for a component is correct. This is not always true, and it can result in an incorrect set of vulnerabilities being reported.
- Assumes entire components are used, though sometimes only parts (files or even snippets) of an open source component are actually used.
- Flags any file that matches a known vulnerable component (false positives)
FOSSID VulnSnippet Finder
- Detects the actual lines of code (snippets) that introduce the vulnerabilities
- Removes common human errors such as selecting the incorrect component or version for an open source match
- Finds matches inside known or unknown open source components as well as proprietary code.
- Reduces the amount of false positives
- Detects known vulnerabilities in derivatives and forks
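The two lists above describe the difference in principle. The following is an added toy example, not FOSSID’s code (the page does not describe the scan engine’s matching algorithm), that puts a component-level check next to a snippet-level one. It assumes a constructed knowledge base with a single made-up entry (`CONSTRUCTED-0001` in a fictional component `examplelib`), two constructed source files, and a deliberately crude normalisation (drop comments and whitespace, then hash windows of three lines) standing in for the real fingerprinting; the identifiers `scan_component`, `scan_snippets` and `ci_report` are this example’s own.

```python
import hashlib
import json
import re

WINDOW = 3  # consecutive normalised lines hashed together as one fingerprint

# Constructed knowledge base: one vulnerable snippet with a made-up identifier.
# No real CVE, project or file is referenced.
KNOWN_VULNERABLE_SNIPPETS = {
    "CONSTRUCTED-0001": {
        "component": "examplelib",
        "affected_versions": ["1.2.3"],
        "summary": "user-supplied file name joined to BASE_DIR without normalisation",
        "snippet": """
            name = request.args["file"]
            path = os.path.join(BASE_DIR, name)
            with open(path, "rb") as fh:
                return fh.read()
        """,
    },
}


def normalize(source):
    """Drop comments, blank lines and all whitespace so that re-indented or
    re-commented copies hash identically; keep each surviving line's original
    number so matches can be reported as line ranges. Crude on purpose: a
    production tool would tokenise rather than strip characters."""
    out = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        code = re.sub(r"#.*", "", raw)
        code = re.sub(r"\s+", "", code)
        if code:
            out.append((lineno, code))
    return out


def fingerprints(normalized):
    """Yield (digest, first_line, last_line) for every window of WINDOW lines."""
    for i in range(len(normalized) - WINDOW + 1):
        chunk = normalized[i:i + WINDOW]
        digest = hashlib.sha256("\n".join(c for _, c in chunk).encode()).hexdigest()
        yield digest, chunk[0][0], chunk[-1][0]


def build_index(kb):
    """Map fingerprint -> vulnerability ids, and record how many distinct
    windows each vulnerable snippet has so coverage can be computed later."""
    index, window_count = {}, {}
    for vuln_id, entry in kb.items():
        fps = list(fingerprints(normalize(entry["snippet"])))
        window_count[vuln_id] = len({d for d, _, _ in fps})
        for digest, _, _ in fps:
            index.setdefault(digest, set()).add(vuln_id)
    return index, window_count


INDEX, WINDOW_COUNT = build_index(KNOWN_VULNERABLE_SNIPPETS)


def scan_component(component, version, kb=KNOWN_VULNERABLE_SNIPPETS):
    """Component-level check, as traditional tools do it: every vulnerability
    recorded for the declared component/version is reported, whether or not
    the vulnerable lines are actually present in the code being shipped."""
    return sorted(v for v, e in kb.items()
                  if e["component"] == component and version in e["affected_versions"])


def scan_snippets(source, index=INDEX, window_count=WINDOW_COUNT):
    """Snippet-level scan: one finding per vulnerability whose fingerprints occur
    in `source`, with the matched line range and the fraction of the vulnerable
    snippet's windows that were found (1.0 = the whole snippet is present)."""
    hits = {}
    for digest, first, last in fingerprints(normalize(source)):
        for vuln_id in index.get(digest, ()):
            lo, hi, seen = hits.get(vuln_id, (first, last, set()))
            seen.add(digest)
            hits[vuln_id] = (min(lo, first), max(hi, last), seen)
    return [{"id": v, "first_line": lo, "last_line": hi,
             "coverage": len(seen) / window_count[v]}
            for v, (lo, hi, seen) in hits.items()]


def ci_report(source, min_coverage=1.0):
    """What a CI gate would act on: only findings whose coverage meets the bar.
    Partial matches (a fork or a patched copy) fall below it and are not flagged."""
    return [f for f in scan_snippets(source) if f["coverage"] >= min_coverage]


# Constructed sample 1: proprietary code that copied the vulnerable lines verbatim,
# then re-indented and commented them. There is no component or version to match on.
PROPRIETARY_SRC = '''
class DownloadHandler:
    def get(self, request):
        # serve a file from the export directory
        name = request.args["file"]          # query parameter
        path = os.path.join(BASE_DIR, name)  # build absolute path
        with open(path, "rb") as fh:
            return fh.read()
'''

# Constructed sample 2: a vendored copy of examplelib whose manifest still says
# 1.2.3, but whose source already carries the fix (first line changed).
PATCHED_VENDORED_SRC = '''
def get(request):
    name = os.path.basename(request.args["file"])
    path = os.path.join(BASE_DIR, name)
    with open(path, "rb") as fh:
        return fh.read()
'''

if __name__ == "__main__":
    print(json.dumps({
        "component_level_examplelib_1.2.3": scan_component("examplelib", "1.2.3"),
        "snippet_level_proprietary": ci_report(PROPRIETARY_SRC),
        "snippet_level_patched_vendored": ci_report(PATCHED_VENDORED_SRC),
    }, indent=2))
```

Run as a script, the component-level check reports `CONSTRUCTED-0001` for the vendored copy purely because of its declared version, even though the vulnerable line is gone, and it has nothing at all to say about the proprietary file. The snippet-level scan reverses both outcomes: it pinpoints lines 5 to 8 of the proprietary file with full coverage, and reports the patched vendored copy only as a partial (0.5) match, which the CI gate ignores. The whitespace-stripping normalisation is what lets a re-indented copy match; it is also why a copy with renamed identifiers would not, which is the kind of gap a real fingerprinting engine has to close.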
Designed for Continuous Integration
The VulnSnippet Finder is an add-on to the patented FOSSID scan engine and open source knowledge base, and can be used via FOSSID’s Command Line Interface (CLI).
It requires only a single command to find matches to vulnerable snippets, and the matches are reported in JSON format together with information about the vulnerability.