Resources Blog The Rise of Dependency Scanners

The Rise of Dependency Scanners

2018 has seen a new breed of dependency scanners come onto the scene. These 'manifest' driven scanners allow for their inclusion into source code control systems like Github and we're seeing them in IDE's as well. The scanner inspects a pom.xml or a package.json, calculate the dependency tree and then reports on any vulnerabilities known to the dataset behind that scanner. We, at Sonatype, couldn't have been happier to see this new trend, as it completely validated the vision and innovation we brought to this space over five years ago.

We were happy because we were the first ones to flip this problem on its head. While other companies were selling security feeds to security teams we felt the best way to solve this problem was to empower the developers at construct and build time. Our bet was that if we put the information developers needed right in the tools they already use, like IDE's and CI systems, they would naturally gravitate to doing the right thing. So for us to see so many more developers getting this kind of feedback tells us our bet was correct while raising awareness across a much larger audience.

The timing was great as well. We had a new web property in OSSIndex with what we felt was better data than most other public sources because we had a way to reduce the false positives inherent in this approach. Initially we worked to get OSSIndex data into the OWASP Dependency Check tool and the Maven enforcer plugin but when we heard Github was going to roll out support for JavaScript we said we'd add our Java data and today we're seeing a growing number of projects turning on our DepShield offering on Github.

We introduced DepShield in August, and you'll notice that we've already added JavaScript support as well, with plans to add Python in the near future. OSSIndex and our free tier of data allows us to get in front of as many developers eyes as possible and help shape a cultural norm, among developers, of dependency awareness and management.

As I approach my four year anniversary here at Sonatype, I can reflect back. In my first year, we had to do a lot of education as to why this was even a problem that needed to be addressed. In years two and three, we saw analysts starting to do that education for us, as they embraced 'software composition analysis' as an important new discipline in the emerging DevSecOps world. Their reports drove adoption within large, corporate, IT shops. This year, we're seeing exponential growth with our original target audience, the developers themselves, and no one is happier about that than all of us at Sonatype.

Picture of Curtis Yanko

Written by Curtis Yanko

Curtis Yanko is a Sr Principal Architect at Sonatype and a DevOps coach/evangelist. Prior to coming to Sonatype Curtis started the DevOps Center of Enablement at a Fortune 100 insurance company and chaired a Open Source Governance Committee. When he isn’t working with customers and partners on how to build security and governance into modern CI/CD pipelines he can be found raising service dogs or out playing ultimate frisbee during his lunch hour. Curtis is currently working on building strategic technical partnerships to help solve for the rugged devops tool chain.