New Jenkins Plugin Identifies Known Security Vulnerabilities in Open Source Projects

By Bill Weinberg, Senior Director of Open Source Strategy at Black Duck Software

With over 4,000 vulnerabilities reported each year in open source software (OSS), it is very likely that a company’s software portfolio contains potentially exploitable OSS components. The first step in building and shipping more secure applications is identifying vulnerable code in your software stack. That is no simple task: there can be hundreds or even thousands of open source modules integrated into platforms, middleware, libraries, and utility code; that code can be spread across different groups and development sites; and vetting open source software for vulnerabilities by hand is time consuming, slowing down software builds and bringing continuous integration to a grinding halt.

Consequently, developers and DevOps teams often forgo securing their wares until late in the software lifecycle, when the stakes (and costs) are highest. The result is applications packed with out-of-date open source code that has a high probability of latent vulnerabilities, and little or no visibility into that security risk.

Now, developers can download Black Duck’s newly released Free Vulnerability Plugin for Jenkins. This freely available tool lets developers and DevOps managers quickly and easily discover known security vulnerabilities in open source code early in the software development lifecycle, when remediation is less disruptive and costly.

[Screenshot: Vulnerability Plugin]

The Vulnerability Plugin works by extracting dependency data from the Jenkins build and cross-referencing it against Black Duck’s KnowledgeBase. It identifies the specific versions of open source components in use, then looks those components up in catalogues of known vulnerabilities associated with those modules. The key is automation: the plugin minimizes the need for exhaustive manual inspection and doesn’t slow down daily (or hourly) builds and the Agile sprints behind them. Developers can then export PDF reports listing the vulnerabilities and share them with security teams and architects for collaboration and remediation.
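The extract-then-cross-reference flow described above, as an added example that is not the plugin’s code and not part of the original post: it parses a constructed `mvn dependency:list` console log of the kind a Jenkins Maven job prints, then checks each component version against a constructed two-entry catalogue excerpt (the real CVE-2015-7501 Apache Commons Collections deserialization issue, fixed in 3.2.2 and 4.1; the Black Duck KnowledgeBase is not involved). The version comparison is a simplified form of Maven ordering, written for this example.

```python
"""Cross-reference a Jenkins/Maven build's dependencies against a vulnerability catalogue.

Illustrative only: this is not Black Duck's plugin code, and the catalogue
below is a constructed two-entry excerpt, not the Black Duck KnowledgeBase.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of `mvn dependency:list` console output, as a Jenkins
# Maven job would print it. Not captured from a real build.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] --- maven-dependency-plugin:2.8:list (default-cli) @ demo-app ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    commons-collections:commons-collections:jar:3.2.1:compile
[INFO]    org.apache.commons:commons-collections4:jar:4.1:compile
[INFO]    junit:junit:jar:4.12:test
[INFO]    commons-collections:commons-collections:jar:3.2.2-SNAPSHOT:compile
"""


@dataclass(frozen=True)
class Dependency:
    group: str
    artifact: str
    version: str
    scope: str


@dataclass(frozen=True)
class Advisory:
    cve: str
    group: str
    artifact: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive upper bound)


# Constructed catalogue excerpt. CVE-2015-7501 is the Apache Commons
# Collections deserialization issue, fixed in 3.2.2 (3.x) and 4.1 (4.x).
VULNERABILITY_CATALOGUE = [
    Advisory("CVE-2015-7501", "commons-collections", "commons-collections", "3.0", "3.2.2"),
    Advisory("CVE-2015-7501", "org.apache.commons", "commons-collections4", "4.0", "4.1"),
]


def parse_dependency_list(text):
    """Pull group:artifact:type[:classifier]:version:scope lines out of the build log."""
    deps = []
    for line in text.splitlines():
        if not line.startswith("[INFO]"):
            continue
        # Newer Maven releases append " -- module ..." after the scope; drop it.
        body = line[len("[INFO]"):].strip().split(" -- ", 1)[0]
        parts = body.split(":")
        # Coordinates have 5 fields (6 with a classifier); anything containing
        # spaces is an ordinary log message rather than a coordinate.
        if " " in body or len(parts) not in (5, 6):
            continue
        deps.append(Dependency(parts[0], parts[1], parts[-2], parts[-1]))
    return deps


def _split_version(v):
    """Split '3.2.2-SNAPSHOT' into ([3, 2, 2], 'snapshot')."""
    nums, qual = [], []
    for tok in re.split(r"[.\-]", v):
        if tok.isdigit() and not qual:
            nums.append(int(tok))
        else:
            qual.append(tok.lower())
    return nums, "-".join(qual)


def compare_versions(a, b):
    """Simplified Maven ordering, returning -1, 0 or 1.

    Numeric parts compare numerically ('3.2' == '3.2.0'), and a qualified build
    such as 3.2.2-SNAPSHOT sorts *before* the 3.2.2 release. Maven's full
    qualifier rules (alpha < beta < milestone < rc ...) are not modelled here.
    """
    an, aq = _split_version(a)
    bn, bq = _split_version(b)
    width = max(len(an), len(bn))
    an += [0] * (width - len(an))
    bn += [0] * (width - len(bn))
    if an != bn:
        return -1 if an < bn else 1
    if aq == bq:
        return 0
    if not aq:  # a bare release is newer than any qualified build of it
        return 1
    if not bq:
        return -1
    return -1 if aq < bq else 1


def is_affected(advisory, dep):
    return (advisory.group == dep.group
            and advisory.artifact == dep.artifact
            and compare_versions(dep.version, advisory.introduced) >= 0
            and compare_versions(dep.version, advisory.fixed) < 0)


def find_vulnerable(deps, catalogue=VULNERABILITY_CATALOGUE):
    """Return (dependency, advisory) pairs for every dependency inside an affected range."""
    return [(dep, adv) for dep in deps for adv in catalogue if is_affected(adv, dep)]


def build_report(findings):
    return [f"{d.group}:{d.artifact}:{d.version} ({d.scope}) -> {a.cve}, fixed in {a.fixed}"
            for d, a in findings]


if __name__ == "__main__":
    for line in build_report(find_vulnerable(parse_dependency_list(SAMPLE_DEPENDENCY_LIST))):
        print(line)
```

Two of the four constructed dependencies are flagged: commons-collections 3.2.1, and the 3.2.2-SNAPSHOT build, which a naive string comparison would wrongly treat as already fixed. The 4.1 artifact falls outside its range and is not reported. In practice the quality of this kind of check rests on two things the example only sketches: correct version ordering for the ecosystem in question, and a catalogue that records affected ranges rather than a single version.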

Flagging vulnerabilities early in development saves developer time and resources, and ultimately helps deliver better quality code and more secure applications. Check it out!
You can download the Jenkins plugin for free HERE.

  • Horcrux7

    How does it work? Is there a little more documentation? What do I need to configure in every Jenkins job? How are the dependencies detected? Do you scan for well-known file names, or how do you find them?

    This sounds like a super plugin, but the available information is very limited.

  • Kaz Nishimura

    Can I use it with Hudson? Not Jenkins but Hudson by the Eclipse Foundation.

    • Kaj Kandler

      Interesting question. Sorry to say, we have not tried it with Hudson. I’d guess at this point we would have to make a different plugin for Hudson, as Jenkins has developed with much more momentum than Hudson since its separation. I’m not aware of any clear documentation as to how compatible plugins are today.

      I’m curious. Could you share how many maven/gradle build jobs you run with Hudson?

      • Kaz Nishimura

        I use Hudson for several Maven-based jobs mainly thanks to its Cascading Job feature which makes it easier to manage many similar jobs by ‘subclassing’. I feel Hudson’s Maven support is more flexible than Jenkins’s because Hudson treats Maven projects as free-style jobs.

  • Vikrant

    Speaking Session @ OSCON by Simon Phipps, Director, Open Source Practice, Wipro

    About Wipro’s Open Source Practice

    Wipro is the only SI to commit significant resources into Open Source and build a dedicated team focused on growing open source usage among customers. Our projects use the latest in open source technology from renowned companies like Red Hat, Acquia, Docker, MongoDB, Hortonworks to name a few. Wipro’s GitHub based portal allows thousands of passionate open source employees to participate in communities of their choice and contribute back code. Our practice regularly trains hundreds of employees every month on the latest technologies and encourages employees to download components and complete hands-on exercises. Regular hackathons hone the skills of employees. We encourage employees to think outside the box, which helps them grow stronger with Wipro.

  • Hello, I am searching for different open source plugins for my project, and this one is something helpful for me to use. Hope it will be useful for me.