Open Source Vulnerability Scanning

Overview

Bridgecrew scans open source modules used in your software and alerts you to vulnerabilities before deployment by CI/CD pipelines.
This scan is based on our vulnerability database, which is enriched by Prisma Cloud security's Unit 42 researchers and many other open sources of known vulnerabilities and exposures. This allows Bridgecrew to detect vulnerabilities that were only recently disclosed, and even those that have been quietly patched.

Enabling Open Source Vulnerability Scanning

Open Source modules are scanned automatically if your integrated repository contains a supported package manager file.

Scan Results

Alerts found during open source module scanning appear in Projects and in the Checkov CLI.
To filter for open source vulnerabilities on the Projects page, select vulnerabilities and search for package files.

For each vulnerability the following details are shown:

  • CVE identifier
  • CVSS (CVE score)
  • Vulnerability description
  • Link to CVE report
  • Name of the package relevant to this CVE
  • Version of the package relevant to this CVE
  • Severity
  • Indication if a fix is available

Risk Factors Explained

For each vulnerability found, Bridgecrew reports the following risk factors, which help you understand the context of the issue:

  • Remote execution — Vulnerability can be exploited to run arbitrary code.
  • DoS — Component is vulnerable to denial of service attacks, such as buffer overflow attacks, ICMP floods, and so on.
  • Recent vulnerability — Vulnerability was reported in the current or previous year.
  • Exploit exists — Code and procedures to exploit the vulnerability are publicly available.
  • Attack complexity: low — Vulnerability is easily exploited.
  • Attack vector: Network — Vulnerability is remotely exploitable. The vulnerable component is bound to the network, and the attacker’s path is through the network.
  • Reachable from the internet — Vulnerability exists in a container exposed to the internet.

Remediation

Remediation of open source vulnerabilities is done by bumping the package version.


Notes on Fixing Vulnerabilities in Open Source Modules

  • All CVEs found in the same package are included in a single error.
  • Each CVE may require a different version for remediation.
  • By default, Bridgecrew bumps the package to the lowest version that successfully fixes all of the CVEs in the package.
  • If you want to bump to a version that is only partially compliant (for example, to avoid impacting code that depends on the module), you can deselect from the fix those CVEs that require a higher version number than the one you want to bump to.
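As an added illustration of the version-selection rule described in these notes (example code, not part of Bridgecrew or Checkov), the snippet below takes a constructed set of CVEs for one package, each with the lowest version that fixes it, picks the lowest version that fixes every selected CVE, and shows which CVEs can stay selected when you cap the bump at a given version. The package name, CVE ids and versions are placeholders.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: CVEs reported for one package, mapped to the lowest
# package version that fixes each one. None means no fix is available yet.
# The ids are placeholders, not real CVE numbers.
SAMPLE_CVES: Dict[str, Optional[str]] = {
    "CVE-0000-PLACEHOLDER-1": "2.20.0",
    "CVE-0000-PLACEHOLDER-2": "2.25.1",
    "CVE-0000-PLACEHOLDER-3": "2.31.0",
    "CVE-0000-PLACEHOLDER-4": None,
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version such as '2.25.1' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def lowest_fixing_version(cves: Dict[str, Optional[str]],
                          selected: Optional[Iterable[str]] = None) -> Optional[str]:
    """Lowest version that fixes every selected CVE (default: all CVEs).

    Returns None when nothing is selected or when any selected CVE has no fix,
    because no single bump can then remediate the whole selection.
    """
    chosen = list(cves) if selected is None else list(selected)
    fixes: List[str] = []
    for cve in chosen:
        fixed_in = cves[cve]
        if fixed_in is None:
            return None
        fixes.append(fixed_in)
    # The lowest version that covers all CVEs is the highest of their fix versions.
    return max(fixes, key=parse_version) if fixes else None


def cves_fixed_at_or_below(cves: Dict[str, Optional[str]], ceiling: str) -> List[str]:
    """CVEs you can keep selected when you refuse to bump past `ceiling`."""
    cap = parse_version(ceiling)
    return [c for c, v in cves.items() if v is not None and parse_version(v) <= cap]


def bump_requirement_line(line: str, new_version: str) -> str:
    """Rewrite a pinned requirements.txt line ('pkg==1.0') to the new version."""
    name, _, _ = line.partition("==")
    return f"{name.strip()}=={new_version}"
```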

Package Manager Types Supported

Currently, Bridgecrew supports scanning of open source modules for these package managers: Python, Java, Go, and JavaScript (Node.js).

Language/Package Manager         File Types
Java (Gradle)                    build.gradle, gradle.properties, build.gradle.kts
Java (Maven)                     pom.xml
Python (pip)                     req*.txt
JavaScript + TypeScript (NPM)    package-lock.json, package.json, npm-shrinkwrap.json, bower.json
Go                               go.sum, go.mod

