Frequently Asked Questions
Find answers to common questions about SafeDep, open source security, and software composition analysis.
What is Software Composition Analysis (SCA)?
SCA is the process of identifying the various components that make up a software artifact. Typically, SCA tools identify OSS dependencies and their vulnerabilities by matching dependency versions against databases of known vulnerabilities. SCA tools are known to be noisy and inefficient due to a lack of contextual risk identification. Next-gen SCA tools attempt to eliminate this noise through reachability analysis, which checks whether the vulnerable code is actually reachable from the application.
Do I need proactive guardrails against risky OSS components?
You need proactive guardrails against risky OSS components. Fixing risky OSS components typically involves upgrading to a patched version when available or migrating to a safer dependency. This is notoriously hard in large codebases. Hence proactive guardrails must be put in place to ensure unmaintained or untrustworthy OSS dependencies are not introduced in the first place.
How is SafeDep different from conventional SCA?
SafeDep aggregates OSS security metadata and determines safety of OSS components not just based on vulnerabilities but also on other important attributes such as licensing, popularity, OpenSSF scorecard, malicious intent, and more. SafeDep also provides policy as code to enforce your opinionated security guardrails.
What if a critical vulnerability is found in an unmaintained OSS dependency?
You will have to analyse and fix the vulnerability in-house. Alternatively, SafeDep can help you provide a patched and backward-compatible version of the OSS package that mitigates the critical vulnerability.
How do I deploy vet and SafeDep Cloud?
vet is free and open source. You can get started for free. SafeDep helps deploy, manage and operate vet at scale, across 1000+ repositories. SafeDep is a multi-tenant cloud service. However, it can also be self-hosted on-premises to meet compliance requirements.
Why is SafeDep "developer first"?
We believe the future of cyber security is close collaboration between security and engineering teams. These teams are likely to build organization- and platform-specific security solutions. SafeDep intends to help security engineering teams achieve safe and trusted OSS guarantees for their internal developer platform.
Have More Questions?
Get in touch with our team to learn more about how SafeDep can help secure your open source dependencies.