White Source says that 85% of all software projects uploaded to its lifecycle management service by new customers contained some out-of-date open source components. In response, the firm says it proactively alerts customers whenever new versions that patch bugs and security issues become available. Altogether, 14% of all libraries in use are out of date.
The firm suggests that the reason for this shortfall is probably that most software developers lack the tools (or the motivation) to continuously monitor new releases of the open source components they use. White Source provides a service that automatically alerts customers whenever open source modules in their "inventory" are updated.
From a security perspective, open source software is openly available for attackers to analyze and identify vulnerabilities. Further, while security issues are often fixed quickly by the community, the fixes themselves reveal the security issue being addressed, increasing the exposure of those who have not yet patched their systems accordingly.
To address this issue, the White Source Open Source Lifecycle Management service sets out to provide customers with real-time proactive alerts whenever a new version is available for an open source module they use. Importantly, the alerts are limited and specific for a given customer and a given project, eliminating unnecessary sifting work.
According to White Source CEO Rami Sass, "White Source does not alert falsely or unnecessarily since our project-specific inventory is always updated through our integration with development tools. We currently provide plug-ins for Apache Maven and Ant, Jenkins, JetBrains TeamCity, Red Hat OpenShift, and JFrog Artifactory."
The firm says that its objective is to reduce the burden currently placed on rank-and-file developers, while providing decision-makers with the tools to understand the legal, business, and technical risks of specific open source libraries, and to comply with their licensing requirements.