Alternative tools are prone to false positives and negatives because they scan apps “as declared” and trust developers to disclose the truth about dependencies embedded in software.
Sonatype scans apps “as deployed” utilizing Advanced Binary Fingerprinting (ABF). The result is a precise read on embedded dependencies and a Software Bill of Materials (SBOM) that reflects the truth about third-party risk. ABF identification utilizes cryptographic hash for binaries, structural similarity, derived coordinate, and file name. It can even identify renamed or modified components whether they were declared or not, misnamed, or added to the code base manually.
The recent Octopus Scanner is a great example of why scanning the manifest is not "good enough" to identify malicious components being injected into our software supply chains.
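The difference between an "as declared" scan and an "as deployed" scan can be shown with a small script. The example below is added here and is not Sonatype's code or ABF; it only illustrates the idea that a binary fingerprint (here a SHA-256 of the embedded archive) identifies a component regardless of what the manifest says or what the file was renamed to, while a coordinate derived from the file name is only a weak hint. The fingerprint catalogue, component coordinates, manifest format and archive contents are all constructed for the demo.

```python
"""Added example (not Sonatype's code): contrast an "as declared" manifest scan
with an "as deployed" scan that fingerprints the embedded binaries themselves.
All component names, hashes and archive contents are constructed for this demo."""
import hashlib
import io
import re
import zipfile

# Constructed fingerprint catalogue: sha256(binary) -> component coordinate.
# A real catalogue would hold hashes of published artifacts; these bytes are made up.
KNOWN_BINARIES = {
    "org.example:logger:1.2.3": b"constructed bytes standing in for logger-1.2.3.jar",
    "org.example:parser:2.0.0": b"constructed bytes standing in for parser-2.0.0.jar",
}
CATALOGUE = {hashlib.sha256(b).hexdigest(): coord for coord, b in KNOWN_BINARIES.items()}

# Weak signal: derive "name" and "version" from a file name such as foo-bar-1.2.3.jar.
NAME_VERSION = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+?)-(?P<version>\d[\w.]*)\.jar$")


def build_constructed_app() -> bytes:
    """Build an in-memory application archive whose dependency manifest
    does not match what is actually bundled (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # Declared: logger and http. Actually bundled: logger, a renamed copy of
        # parser (undeclared), and a jar that is in no catalogue at all.
        z.writestr("META-INF/DEPENDENCIES.txt",
                   "org.example:logger:1.2.3\norg.example:http:3.1.0\n")
        z.writestr("lib/logger-1.2.3.jar", KNOWN_BINARIES["org.example:logger:1.2.3"])
        z.writestr("lib/internal-utils.jar", KNOWN_BINARIES["org.example:parser:2.0.0"])
        z.writestr("lib/crypto-helper-0.9.1.jar", b"constructed bytes of an uncatalogued jar")
    return buf.getvalue()


def scan_as_declared(app: bytes) -> set:
    """'As declared': trust the manifest and return what it claims is present."""
    with zipfile.ZipFile(io.BytesIO(app)) as z:
        manifest = z.read("META-INF/DEPENDENCIES.txt").decode()
    return {line.strip() for line in manifest.splitlines() if line.strip()}


def scan_as_deployed(app: bytes) -> dict:
    """'As deployed': fingerprint every embedded binary. An exact hash match is
    authoritative; a coordinate derived from the file name is only a hint."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(app)) as z:
        for info in z.infolist():
            if not info.filename.endswith(".jar"):
                continue
            digest = hashlib.sha256(z.read(info)).hexdigest()
            if digest in CATALOGUE:
                findings[info.filename] = {"coordinate": CATALOGUE[digest], "method": "hash"}
                continue
            m = NAME_VERSION.match(info.filename.rsplit("/", 1)[-1])
            if m:
                derived = f"unknown-group:{m['name']}:{m['version']}"
                findings[info.filename] = {"coordinate": derived, "method": "filename"}
            else:
                findings[info.filename] = {"coordinate": None, "method": "unidentified"}
    return findings


def reconcile(app: bytes) -> dict:
    """Compare both views; only hash-identified components count as confirmed present."""
    declared = scan_as_declared(app)
    deployed = scan_as_deployed(app)
    confirmed = {f["coordinate"] for f in deployed.values() if f["method"] == "hash"}
    return {
        "undeclared_but_present": sorted(confirmed - declared),
        "declared_but_absent": sorted(declared - confirmed),
        "needs_review": sorted(p for p, f in deployed.items() if f["method"] != "hash"),
    }


if __name__ == "__main__":
    for key, value in reconcile(build_constructed_app()).items():
        print(f"{key}: {value}")
```

Running the script reports the renamed `lib/internal-utils.jar` as `org.example:parser:2.0.0` (present but undeclared), flags `org.example:http:3.1.0` as declared but absent, and leaves `lib/crypto-helper-0.9.1.jar` for review because only a name-derived coordinate exists for it. A manifest-only scan would have produced the opposite picture on both counts.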
Public databases like NVD provide a relatively small and typically outdated view of open source security vulnerabilities.
Sonatype Intelligence, however, delivers a universal and timely understanding of open source security risk. It has ingested and analyzed more than 96 million components and it never stops learning, using artificial intelligence and machine learning to dynamically monitor every GitHub commit to every open source project, advisory websites, Google search alerts, OSS Index, and a plethora of vulnerability sites. Additionally, new vulnerabilities are regularly discovered by our own researchers and added to our proprietary knowledge base.
Sonatype Intelligence also sees things that others simply can't, continuously gaining insight from more than 4 million instances of Sonatype Nexus Repository Manager, and from 146 billion components requested annually from The Central Repository.
Whenever new vulnerabilities are disclosed or discovered, our team immediately validates the exploit path, identifies the root cause, and creates actionable information to help organizations (and development teams) evaluate, triage, and remediate threats faster than adversaries can attack. Guidance is carefully curated and written for easy consumption by frontline software developers. Instead of cryptic security alerts that are difficult to decipher, Sonatype Intelligence provides developers with step-by-step instructions on how to detect and remediate the vulnerability, including the upgrade path and root cause, the relative risk of other component versions, and workarounds that avoid refactoring code.
Sonatype Intelligence is the only security research service that actively practices “secondary expansion,” an extra level of investigation to determine if newly discovered vulnerabilities are also present and exploitable in other components. It’s important to go the extra mile because it's common for open source projects to borrow code from other projects. Simply stated, if a single vulnerability exists in multiple libraries, we automatically let you know. Over the past 5 years, we've associated vulnerabilities to 3 million more components than public databases. Learn more about the npm event stream attack and how we identified additional vulnerable components via secondary expansion.
Whenever new open source vulnerabilities are disclosed, criminals immediately begin looking for opportunities to exploit them in the wild. As a result, it is a race between “bad guys” and “good guys” to see who acts first. Companies lose when bad actors are able to exploit open source vulnerabilities faster than they can remediate them.
When it comes to managing the constantly evolving security threats within open source, speed is absolutely critical. That’s why Sonatype Intelligence works 24x7x365 to stay abreast of the changing threat landscape and publishes detailed information on new vulnerabilities 10X faster than NVD.
Over the past two years, more than 20 instances of adversaries intentionally publishing malicious components into public open source and container repositories have been recorded. Open source projects impacted by malicious injections are difficult to detect because, on the surface, the injected code looks no different from any other open source contribution.
To combat this new type of attack, Sonatype developed patent-pending technology to monitor millions of open source projects in real time and identify abnormal development behavior and suspicious patterns as new component versions are released. Now developers and security teams alike can see within Sonatype Intelligence when a component version has been detected as malicious code.
From our humble beginning as core contributors to Apache Maven, to supporting and maintaining the Central Repository, OSS Index, and the Central Security Project, we’ve long played a meaningful role in helping the global community of software developers embrace the power of open innovation. We're passionate about the community and we're dedicated to providing premium security research to help owners and consumers of open source projects minimize risk and maximize value.