Open source security company SourceClear said it is integrating Atlassian’s suite of developer tools including Bitbucket Pipelines, JIRA Server, JIRA Cloud, and Bamboo into the company’s open source platform. The integration will result in automated security checks being a part of the developer workflow before they ship code.
These new add-ons are enhancements to SourceClear’s platform and include all of its information about open source code vulnerabilities and security policies. That information can now be plugged into the Atlassian developer tools, so that every time developers carry out their work, they are notified of vulnerabilities in the libraries their code uses, says Mark Curphey, CEO and Founder of SourceClear.
There are central distribution directories of open source libraries — typically one for each language, Curphey says. The developer picks a library they want to work off of and finds a place in the code that is relevant to what they are working on. The SourceClear platform then automatically scans the library for vulnerabilities. Additionally, SourceClear updates its platform with new code releases and open source licenses.
SourceClear was founded in 2013 and has about 30 employees. In October 2015, the San Francisco-based company raised a $10 million Series A led by Index Ventures and participation from Storm Ventures.
The company has some big-name customers, including LinkedIn, Uber, PlayStation, and Gap.
“Why SourceClear is special is that we are a machine learning company that sweeps across all libraries and points out where the same issues occur in other libraries,” Curphey says. “It is constantly doing this in the back end, and when a developer fixes the code, the fix is applied across all the other libraries.”
While there is a National Vulnerability Database that is run by the government, Curphey claims that it contains only a tiny portion of the published vulnerabilities in open source code. SourceClear will tell developers exactly what the risk is in a given line of code and how to fix it, and applies that fix to other libraries.
However, when developers are looking to find vulnerabilities in open source code, 90 percent of the time they are finding false positives, Curphey says. This is why building a reliable call graph is essential to SourceClear’s technology.
A call graph is a debugging aid that a developer would use when trying to figure out why a particular line of code is failing. It maps every path through the code and traces each call back to the open source library it was taken from, enabling developers to see beyond false positives: a vulnerable function that the application never actually calls is not a real exposure.
Being able to use a call graph and examine code can only happen inside of the building process, which is why forming these partnerships in the world of DevOps is crucial for SourceClear.
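As an added illustration of that reachability idea (this is example code written for this article, not SourceClear's; the module names, the `main` entry point and the findings are constructed), the snippet below extracts a call graph from a small application with Python's `ast` module and keeps only the vulnerability findings whose flagged library function is actually reachable from the entry point:

```python
import ast
from collections import deque

# Constructed sample application: it imports two dependencies, but only one
# of the functions flagged by the scanner is on a call path from main().
APP_SRC = '''
import yamllib
import imglib

def load_config(path):
    with open(path) as f:
        return yamllib.load(f.read())   # flagged function, reachable

def render(data):
    return imglib.render_safe(data)     # imglib.resize_unsafe is never called

def main():
    cfg = load_config("app.yml")
    return render(cfg)
'''

# Constructed findings keyed by (module, function), as a scanner might report them.
FINDINGS = {("yamllib", "load"): "FAKE-0001 unsafe deserialization",
            ("imglib", "resize_unsafe"): "FAKE-0002 buffer overflow"}

def build_call_graph(src):
    """Map each top-level function to the calls it makes: ('<app>', name) for
    local calls, (module, attr) for calls through a plain 'import module'."""
    tree = ast.parse(src)
    modules = {a.asname or a.name for n in ast.walk(tree)
               if isinstance(n, ast.Import) for a in n.names}
    graph = {}
    for fn in tree.body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        callees = set()
        for node in ast.walk(fn):
            if not isinstance(node, ast.Call):
                continue
            f = node.func
            if isinstance(f, ast.Name):
                callees.add(("<app>", f.id))
            elif (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                  and f.value.id in modules):
                callees.add((f.value.id, f.attr))
        graph[("<app>", fn.name)] = callees
    return graph

def reachable_findings(graph, findings, entry=("<app>", "main")):
    """Breadth-first search from the entry point; keep findings on some path."""
    seen, queue = {entry}, deque([entry])
    while queue:
        for callee in graph.get(queue.popleft(), ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return {k: v for k, v in findings.items() if k in seen}
```

Running `reachable_findings(build_call_graph(APP_SRC), FINDINGS)` keeps the `yamllib.load` finding and drops `imglib.resize_unsafe`, which is the kind of triage the article attributes to the call graph.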
Curphey claims that SourceClear is fully integrated with all the developer tools including Travis CI, Jenkins/Hudson, Circle CI, and Codeship. It also works with projects built with Apache Maven, Gradle, Bundler, NPM, Bower, and pip.
“In a world where you need to ship off code as fast as possible to meet demand, it is crucial that you get it 100 percent correct,” Curphey says.