Identifying Open Source Security Vulnerabilities

In product development we use a variety of open-source software (OSS) to build rich user interfaces and to leverage functionality that is already available in open source, often including multiple versions of the same component.

  • Have we ever considered whether the open-source versions we use are reliable?
  • How many security vulnerabilities do those open-source components contain?
  • Is the license under which they are used compliant?

Over time we have focused more on the features that open-source components provide than on the security vulnerabilities present in them.

With Azure DevOps integrated with WhiteSource, the OSS used in product development can be identified along with its version, and security issues can be surfaced in the CI/CD pipeline during the build.

To identify OSS security issues, Azure DevOps (ADO) has to be integrated with the WhiteSource Bolt extension available in the Azure marketplace. Once the extension is installed at the ADO organization level, every project in the organization can use WhiteSource scanning for OSS.

Open your existing CI/CD pipeline in the interface or its YAML file and add a task that scans OSS using WhiteSource Bolt:

steps:
  - task: WhiteSource Bolt@20   # task provided by the WhiteSource Bolt marketplace extension
    inputs:
      advance: true

Adding these lines to the YAML file enables the WhiteSource report during pipeline execution, where you can view:

  • OSS inventory
  • License compliance
  • Outdated libraries in use
  • List of security issues in the OSS
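A complete pipeline file showing where the scan task sits relative to the build, as an added example and not configuration from the original post. It assumes a Node.js project; the trigger branch, the agent pool and the npm steps are assumptions.

```yaml
# Constructed example azure-pipelines.yml (not from the original post).
# Assumes a Node.js project; the trigger, pool and npm steps are assumptions.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  # Restore dependencies before the scan so transitive packages are present
  # on the agent and show up in the OSS inventory, not only the manifest.
  - script: npm ci
    displayName: Restore dependencies

  - script: npm run build
    displayName: Build

  # WhiteSource Bolt task from the marketplace extension. Running it in the
  # same job after the build means every pipeline run produces the OSS
  # inventory, license compliance and vulnerability report described above.
  - task: WhiteSource Bolt@20
    displayName: Scan open-source dependencies
    inputs:
      advance: true
```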
