SOS (Safe Open Source) with JFrog Xray and Snyk

JFrog Xray and Snyk

Open source software is great. If you check almost every related statistic, you’ll find that usage of Open Source software continues to grow, from robust frameworks (angular.js, React) to databases (MongoDB) to simple things like string manipulations. But along with the benefits of using open source software, come the challenges. When you use an open source package, not only do you get its functionality, you also inherit its vulnerabilities. Not only that, since each package typically uses other packages (aka dependencies) you inherit their vulnerabilities too. For example, which has only 6 direct dependencies actually uses 45 dependencies in total. The npm package itself uses a total of more than 230 dependencies.

So you ask yourself, “How safe are all these hidden dependencies?” And the answer is usually, “I don’t know.” (How can you know? You’re barely aware that you’re even using them.) The security practices of the companies that create these dependencies are usually not known or disclosed (and perhaps don’t even exist). Most companies have very limited ability to audit open source libraries for security issues, and even if they do, it is usually a “one time” event that does not carry over as newer versions of packages are made available and used. But what about open source packages that “everyone” is using? Those must be safe if so many companies are using them. Wrong, as this exploit of MongoDB, leaving over 28,000 public MongoDB installations hacked, clearly shows. But before you start sending out an SOS, install Xray.

Xray stands tall between you and open source vulnerabilities. Through its deep recursive scanning, Xray takes packages, and layer by layer, drills down to identify dependencies in your software down to the deepest level. Xray cross-references all those dependencies with its extensive global database of vulnerabilities which is aggregated from different sources. And this is where Snyk comes into play. Snyk’s vulnerability database for open source dependencies, which is maintained and curated by Snyk’s dedicated team of cyber security specialists from Israel, is an integral part of Xray’s global database of issues and vulnerabilities and is provided with Xray out-of-the-box. When Xray identifies open source dependencies with vulnerability data provided by Snyk, it will include a link to additional information on the vulnerability on Snyk’s platform. Through the Snyk service, you not only get vulnerability scanning, but you also get “one-click” vulnerability remediation, vulnerability prevention and vulnerability alerting. By offering scanning, remediation, protection and alerting, Snyk reduces your “vulnerability window” – the time during which a vulnerability may exist in your code, and also reduces the overall “time to fix” – the time between discovering a vulnerability in your code and remediating it.

Xray Snyk Flow

Snyk’s security team constantly uncovers new vulnerabilities and adds them to the dynamic feed that makes up Xray’s global database, which Xray continuously synchronizes. So when a newly disclosed flaw is found in one of your dependencies, Xray, aided by Snyk’s feed, notifies you so you can quickly respond and remediate it. In this manner, Snyk helps protect your software throughout the development lifecycle:

  1. FIND – at first pass, find all existing vulnerabilities (the “baseline”)
  2. FIX – suggest fixes to the known vulnerabilities helping improve from baseline
  3. PREVENT – prevent introduction of new vulnerabilities – don’t get worse than baseline
  4. ALERT – alert on newly discovered vulnerabilities on existing dependencies
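As an added illustration (not JFrog’s or Snyk’s code) of the recursive scan described above and the four stages just listed: a toy scanner that resolves the transitive dependencies of a constructed package graph, cross-references them against a constructed vulnerability feed, and models the baseline comparison behind PREVENT and the feed-update comparison behind ALERT. Every package name, version and vulnerability id in it is made up.

```python
# Added example, not JFrog/Snyk code; every name, version and id here is constructed.

GRAPH = {  # package -> its version and direct dependencies
    "app": {"version": "1.0.0", "deps": ["web-fw", "db-driver"]},
    "web-fw": {"version": "2.3.1", "deps": ["string-utils", "http-core"]},
    "db-driver": {"version": "4.0.2", "deps": ["http-core"]},
    "http-core": {"version": "1.8.0", "deps": ["string-utils"]},
    "string-utils": {"version": "0.9.5", "deps": []},
}

FEED = {  # package -> [(vuln id, first fixed version)]
    "string-utils": [("DEMO-0001", "0.9.6")],
    "http-core": [("DEMO-0002", "1.9.0"), ("DEMO-0003", "1.7.0")],
    "legacy-parser": [("DEMO-0004", "2.0.0")],
}

def parse_version(v):
    return tuple(int(x) for x in v.split("."))

def resolve(root, graph):
    seen = {}  # doubles as the visited set, so shared deps are recorded once
    def walk(name):
        if name not in seen:
            seen[name] = graph[name]["version"]
            for dep in graph[name]["deps"]:
                walk(dep)
    walk(root)
    del seen[root]  # the application itself is not a dependency
    return seen

def find(deps, feed):
    # FIND: a dependency is affected when its version is below the first fix.
    return {(name, vid) for name, ver in deps.items()
            for vid, fixed in feed.get(name, [])
            if parse_version(ver) < parse_version(fixed)}

def fix(hits, feed):
    # FIX: per package, the lowest version that clears all of its findings.
    plan = {}
    for name, vid in hits:
        plan[name] = max(plan.get(name, "0"), dict(feed[name])[vid], key=parse_version)
    return plan

def prevent(baseline, hits):
    # PREVENT: findings absent from the baseline; non-empty means fail the build.
    return hits - baseline

def alert(deps, old_feed, new_feed):
    # ALERT: findings that exist only because the feed gained new entries.
    return find(deps, new_feed) - find(deps, old_feed)
```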

Open source is here to stay.

You’re using it.

You can’t help yourself.

It’s a no-brainer.

But the wealth of open source software also gives you options. Found a security flaw? Change the open source library, or (more likely) just update its version. But to remediate that flaw, you need to be aware of it. In the end, this is the essence of Xray and Snyk. Between Xray’s global database and Snyk’s Vulnerability Database, they give new meaning to SOS – Safe Open Source. Isn’t it great that you can now trust your open source software?
Try Snyk for free now by registering on