Open Source Vulnerability Scanning: Methods and Top 5 Tools
Learn how open source vulnerability scanning works and discover tools that can help you identify and remediate vulnerabilities in OSS components and containers.
What Is Open Source Vulnerability Scanning?
Open source vulnerability scanners, often used as part of Software Composition Analysis (SCA) tools, are used to detect open source components used in software projects, and check if they contain unpatched security vulnerabilities, and help organizations remediate them. These tools scan complex dependency trees, because vulnerabilities can be found in a dependent library used by the main component or brought into an application during the build phase.
These vulnerability scanners match open source components against public and proprietary vulnerability databases to establish a risk profile and can help fix these risks through patches or other recommended fixes.
In this article, you will learn:
The Importance of Security for Open Source Components
In today’s development environment, open source software is an integral part of most applications. Open source lets developers do more in less time by reusing existing code and building on successful community-driven innovation. But this can also introduce new vulnerabilities and risks which affect the entire software project.
Open source components are often considered to be more vulnerable to attacks than proprietary code for several reasons:
- Distributed development and uneven standards—open source software is developed by many developers in different locations with varying levels of coding and security expertise. It is much easier to keep track of and manage code developed internally at an organization, and make sure it follows policies and standards. In an open source project, it is more difficult to enforce strict quality and security standards and, in addition, the code is open and readily available to attackers.
- Evolving risks—even if software is tested and no open source vulnerabilities are detected, new vulnerabilities may be discovered at some point in the future which affect a component version previously thought to be secure. Additionally, while one version of a component may be secure, a new version may introduce new vulnerabilities.
- Zero-day vulnerabilities—because open source code is open to everyone, both malicious actors and open source developers may discover vulnerabilities. Until a patch is available and actually deployed by the component’s users, those vulnerabilities can be exploited by attackers.
How Does an Open Source Vulnerability Scanner Work?
While each open source vulnerability scanner uses different technology, we can identify a three-stage process that most scanners go through:
1. Scanning open source components
The scanner reviews all open source components in the software project, often by analyzing code repositories, package managers, and build tools. It establishes an inventory of open source components and dependencies (open source bill of materials) and identifies relevant metadata, including the origin, license, and version.
2. Verifying license compliance
Most vulnerability scanners can identify software licenses of open source components and verify if they conflict with organizational policies. For example, certain open source licenses may be risky to use in commercial projects, expose valuable intellectual property, or have legal implications for the entire software development project. Scanners can alert about problematic licenses, both of the main open source components used and their dependencies.
3. Identifying vulnerabilities
Vulnerability scanners take the results and check them against one or more databases containing information about vulnerabilities, including Common Vulnerabilities and Exposures (CVE) databases which are a standardized list of vulnerabilities known to security researchers, and proprietary security research databases. Finally, they alert the user about the vulnerabilities found and suggest a path for remediation.
Top 5 Open Source Vulnerability Scanning Tools
Below are several open source tools that are commonly used to scan and remediate vulnerabilities in open source components and containers.
Trivy
Trivy is an open source tool that detects vulnerabilities, such as CVEs, in open source software, and provides a brief explanation of risk so developers can decide which components they want to use in their applications and containers.
While container security protocols commonly involve a static image scan for vulnerabilities, this usually occurs after code editing has finished. Trivy goes further, by seamlessly merging vulnerability scanning into the Integrated Development Environment (IDE).
Beyond the IDE, Trivy enters container registries and the endpoint of the CI pipeline, as the first scanner with a plug-in adapter for the Harbor registry, chosen as the default scanner from Harbor version 2.0 onwards.
Open source contributors have also been working to create integrations and add-ons for Trivy, such as a Prometheus exporter for extracting vulnerability metrics, and a Helm chart for installing Trivy into a Kubernetes cluster.
Clair
Clair can be used to monitor container security. It is an API-based analyzer that lets you check whether there are known security vulnerabilities for each container layer. Clair makes it easy to create a service that can continuously monitor containers for security vulnerabilities.
Main features:
- Vulnerability metadata regularly collected from multiple sources
- Indexes container images and provides an API you can use to retrieve features found in the image
- Provides an API you can use to query vulnerabilities in a specific container images
- Alerts when vulnerability metadata is updated, able to find new vulnerabilities in a previously scanned image
Anchore
Anchore Engine is an open source Docker container policy compliance and static analysis tool. It automatically performs image inspection, analysis, and evaluation of container content. Finally, it provides a policy evaluation for each image—whether it passes or fails organizational requirements.
Main features:
- Analyze the contents of the container image to find hidden vulnerabilities.
- Finds known vulnerabilities and ensures that the image follows security standards and industry best practices.
- Integrates with container registries and CI/CD tools.
sqlmap
sqlmap is a penetration testing tool that can automatically detect and evaluate vulnerabilities. It can go beyond finding security issues, and can also attempt to exploit them and report on the results.
Main features:
- Developed in Python, supports any operating system with a Python interpreter.
- Auto-recognition for password hashes
- Able to exploit SQL injection vulnerabilities using six different methods
- Wide database support including MySQL, Oracle, PostgreSQL, Access, SQL Server
Wapiti
Wapiti is a CLI utility you can use to scan web applications to identify vulnerabilities, and prove they are real, exploitable issues. It detects many common vulnerabilities including XSS, file disclosure/inclusion, and carriage return line feed (CRLF) injection.
Main features:
- Supports HTTP/S and SOCK5
- Can be activated via GET or POST
- Attack modules easy to enable or disable
- Configurable level of alert detail, with several report formats
- Able to identify vulnerabilities in HTML5
Code Scanning Tools on the GitHub Marketplace
The GitHub Marketplace provides a wealth of tools you can use to test code for vulnerabilities, directly in your development environment. Here are three open source options.
VisualCodeGrepper
VisualCodeGrepper is a source code analysis tool supporting C, C++, C#, VB, PHP, Java, PL/SQL, and COBOL. It tries to find phrases in comments that can indicate broken code, provides visibility into issues and assists remediation.
Main features include:
- Charts and visualizations showing code, whitespace, comments, and bad code across the entire codebase
- Lists errors, security flaws, comments, and potentially unsafe code
- Enables the user to specifically test bad functions with a config file for each language
- Searches for a dictionary of phrases within comments that indicate broken code
- Finds indications of buffer overflows and signed/unsigned comparisons
Brakeman
Brakeman is an open source code vulnerability scanner for Ruby on Rails. It is a static code analyzer that scans source code and produces a detailed report of security issues.
Main features include:
- No configuration or prior setup required
- Can be used at any stage of the development process
- Flexible testing, each check performed is independent
- Executes much faster than “black box”, scans large applications within minutes
Bandit
Bandit is an open source tool that scans for common security issues in Python, and creates a detailed report of possible security bugs.
Main features include:
- Convenient CLI commands to scan python code
- Supports CSV, HTML or JSON output
- Supports incremental scans – using a baseline report to ignore known vulnerabilities
- Integrates with version control and can be used before commit
- Extensible, lets users write extensions for special checks and formatters