Rust Security

Since today VersionEye has support for Rust security vulnerabilities. Altogether VersionEye is aggregating 8 security databases now. If a Rust package is vulnerable, the security issue is shown directly on the Rust VersionEye page. Here is an example:

[Screenshot: VersionEye page for a Rust package showing a security vulnerability]

If VersionEye is monitoring a Rust project for you and one of your dependencies is vulnerable, you will get notified via email.

Try out this new feature and give us feedback. We would love to hear from you.


Integration with Snyk.IO

Snyk.io is a new startup in the security field. Their goal is not just to find new security vulnerabilities, but also to fix them automatically. Currently the Snyk team is focused on security vulnerabilities in Node.JS/NPM packages. We work closely with the Snyk team and have just finished the first integration. Now the Snyk security database is available through VersionEye as well. Here is an example of how a Snyk security vulnerability looks on a VersionEye page:

[Screenshot: Snyk security vulnerability shown on a VersionEye package page]

Of course the new security vulnerabilities are available for your private Git projects as well. VersionEye can monitor your Node.JS project on GitHub or Bitbucket and notify you about security vulnerabilities in your 3rd party dependencies.

[Screenshot: security tab of a monitored Node.JS project]

This is just the first integration step with Snyk. There will be an even deeper integration with snyk.io in the future 😉

Now VersionEye is aggregating 7 security databases and more are coming soon!

Mute Security Vulnerabilities

VersionEye is aggregating different security databases and notifies you about security vulnerabilities in your projects. Sometimes one of your dependencies is affected by a security vulnerability but it’s not relevant to you, for example because your application is not exposed to the Internet. In that case you don’t want to receive the same security notification from VersionEye again and again. That can be annoying! That’s why you can mute security vulnerabilities now.

[Screenshot: security tab with a muted security vulnerability]

In the security tab, below each security vulnerability, there is a “mute” button now. If you click on it, a modal dialog shows up where you can type in a reason why this vulnerability is not relevant for you. The first security vulnerability in the above image is muted and the reason is displayed directly next to it.

If all security vulnerabilities in the project are muted you will not receive any security notifications anymore for that project.

We hope this new feature is useful to you.

Security PDF

Maybe you know already the License PDF export feature at VersionEye. Now there is PDF export available for the security tab as well. You find the download link in the project detail view in the security tab.

[Screenshot: PDF download link in the security tab of the project detail view]

This PDF export contains a list of ALL dependencies from the project and its sub projects with their security status and the date of export. Here you can see what the PDF looks like for my pet project.

[Screenshot: security PDF export]

At the bottom of the document all vulnerable dependencies are listed with their security vulnerabilities and the corresponding links.

This is a very new feature. If you find a bug or you have an idea how to improve it, please let me know. Leave a comment here or contact VersionEye at Twitter.

Security Alerts for Java & Python

A couple of months ago VersionEye started to track security vulnerabilities for PHP packages. A couple of weeks ago the feature was rolled out for Ruby & Node.JS dependencies as well. And now it’s rolled out for Java & Python!

Now you will see the security tab in your Java & Python projects as well, just like in the example here.

[Screenshot: security tab of a Java project on VersionEye]

If you click on the dependency link above, you get to the package detail page where more details about the security issues are visible.

[Screenshot: package detail page with security issue details]

If your project dependencies are affected, the dependency badge turns to “insecure”, showing everybody that some of the dependencies have security issues.

The security feature is available via the VersionEye API as well. You can filter by language and prod_key. Feel free to build your own integration on it 🙂

[Screenshot: security endpoint in the VersionEye API]

VersionEye notifies you about security vulnerabilities independently of the version & license notifications. The security notification emails go out every Tuesday.

Currently VersionEye is crawling 6 different security sources for this feature. For Java & Python we are using the victims db, which claims to have 0 false positives. Please contribute to this db if you know about a Java or Python security vulnerability, and help to make the world a safer place.

Do you know more good security databases which you would like to see integrated with VersionEye? If so, please contact me on Twitter.

Security Alerts for Ruby Gems

For a couple of weeks now VersionEye has shown security issues for PHP projects. Now this feature works the same way for NodeJS and Ruby packages. If VersionEye is monitoring a Gemfile for you, then you will see the “Security” tab in the project view, just like here in this example.

[Screenshot: Security tab of a Ruby project on VersionEye]

In the “Security” tab all known security vulnerabilities are listed for your 3rd party dependencies. If there is a security issue, the dependency badge turns red! By clicking on the package name, the package detail page comes up with a more detailed description of the security vulnerability.

[Screenshot: package detail page with the security vulnerability description]

On the detail page a detailed description of the security vulnerability shows up, along with a link to the original source. That way it’s easy to reproduce the security vulnerability.

Now there is no reason not to use VersionEye. You get notifications about:

  • outdated dependencies
  • license violations
  • security vulnerabilities

This feature is pretty new, but already well tested by the PHP community. Your feedback is welcome anyway, either here in the comments or on Twitter.