Open Source Security and Risk Management
Open source software plays a critical role in the software landscape, with studies showing that over 90% of codebases contain open source components. While it accelerates development and innovation, it can also introduce security risks if not managed carefully. Assessing the components listed in your Software Bill of Materials (SBOM) against the OWASP Top 10 Open Source Software Risks uncovers problems such as outdated or unmaintained components and known vulnerabilities, so that your OSS dependencies remain secure, reliable, and up to date. Running OSS risk checks strengthens your software supply chain and helps maintain trust in your applications.
After the SBOM Orchestration step completes for your artifacts or repositories, the SBOM tab displays the following component categories, each marked with an icon that indicates its current status:
- Outdated Components ⚠️
- Unmaintained Components ❌
- Vulnerabilities in SBOM Components
The OSS component data (latest available version and release activity) is refreshed every 2 days. After you run the SBOM Orchestration step, the status icons are updated asynchronously, typically within 5 – 10 minutes.
Outdated Components (OSS Risk - 5):
A component is considered outdated when its current version is lower than the latest available version. In the SBOM tab, outdated components are indicated by a warning symbol next to their version. Create a Jira ticket to update the component version to the latest available version.

Unmaintained Components (OSS Risk - 4):
An unmaintained component is one that has not received any version release in the past year. In the SBOM tab, such components are marked with a cross (❌) symbol. Create a Jira ticket to replace it with a maintained alternative component.

Vulnerabilities in SBOM Components (OSS Risk - 1):
After you run the SBOM Orchestration step followed by the STO Snyk scan, the SBOM tab displays the vulnerabilities that Snyk identified for each component. This helps you identify and prioritize open source risks effectively.
You can also filter the components by OWASP Top 10 Open Source Software Risk category.
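The following script is an added example, not the product's own implementation, showing how the two definitions above (outdated: current version lower than the latest available; unmaintained: no release in the past year) can be applied offline to a CycloneDX JSON SBOM, with each finding tagged by its OWASP Top 10 OSS Risk identifier so the results can be filtered by risk category. The SBOM, the registry snapshot (latest version and its release date per package), and the `as_of` date are all constructed for the example; in practice the snapshot would come from the package registry or a dependency-metadata service.

```python
"""Classify SBOM components as outdated / unmaintained (added example).

Not the product's own code. The SBOM and registry snapshot below are
constructed for illustration; real data comes from the package registry.
"""
import json
import re
from datetime import date, timedelta

# OWASP Top 10 Open Source Software Risks identifiers used for tagging.
OSS_RISK_OUTDATED = "OSS-RISK-5"
OSS_RISK_UNMAINTAINED = "OSS-RISK-4"

# Constructed minimal CycloneDX 1.5 JSON SBOM (only the fields we need).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.25.1",
         "purl": "pkg:pypi/requests@2.25.1"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "internal-lib", "version": "0.1.0",
         "purl": "pkg:generic/internal-lib@0.1.0"},
    ],
})

# Constructed registry snapshot: purl without version -> (latest, release date).
# Assumed data for the example, not live registry output.
REGISTRY = {
    "pkg:pypi/requests": ("2.32.3", date(2024, 5, 29)),
    "pkg:npm/lodash": ("4.17.21", date(2021, 2, 20)),
    "pkg:npm/left-pad": ("1.3.0", date(2018, 4, 11)),
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?(.*))?$")


def version_key(version: str):
    """Sortable key for a dotted version string.

    Numeric parts are compared first (padded so 1.2 == 1.2.0); a pre-release
    suffix such as -rc1 sorts before the bare release; +build metadata is
    ignored. Not a full SemVer/PEP 440 parser, but enough for "lower than".
    """
    v = version.strip().lstrip("v").split("+", 1)[0]
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    suffix = m.group(2) or ""
    return (nums, 1 if suffix == "" else 0, suffix)


def classify(sbom_json: str, registry: dict, as_of: date,
             stale_after: timedelta = timedelta(days=365)) -> list:
    """Return one finding per component with its OSS risk tags."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl", "")
        base = purl.split("@", 1)[0]  # strip @version (and any qualifiers)
        finding = {"name": comp["name"], "version": comp["version"],
                   "purl": purl, "risks": [], "note": ""}
        entry = registry.get(base)
        if entry is None:
            # No registry data: cannot judge; surface it rather than hide it.
            finding["note"] = "not in registry snapshot"
            findings.append(finding)
            continue
        latest, released = entry
        if version_key(comp["version"]) < version_key(latest):
            finding["risks"].append(OSS_RISK_OUTDATED)
            finding["note"] = f"latest is {latest}"
        if as_of - released > stale_after:
            finding["risks"].append(OSS_RISK_UNMAINTAINED)
            finding["note"] += f" last release {released.isoformat()}"
        findings.append(finding)
    return findings


def filter_by_risk(findings: list, risk_id: str) -> list:
    """Keep only findings tagged with the given OWASP OSS risk identifier."""
    return [f for f in findings if risk_id in f["risks"]]


if __name__ == "__main__":
    results = classify(SAMPLE_SBOM, REGISTRY, as_of=date(2025, 1, 15))
    for f in results:
        print(f"{f['name']}@{f['version']}: {f['risks'] or 'ok'} {f['note']}")
```

Components absent from the registry snapshot are reported with a note rather than silently passed, since an unknown package is itself worth a look; and the version comparison is deliberately simple, so for ecosystems with their own ordering rules (PEP 440 epochs, Maven qualifiers) substitute the ecosystem's comparator.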

Create Jira Ticket
You can select unmaintained and outdated OSS components and create a Jira ticket to fix the issue. Once the ticket is created, its number and current status will be displayed. Any changes to the status of the ticket will automatically sync and be reflected in the side panel.
