OSS Review Toolkit

OSS Review Toolkit (ORT) is a modular open-source tool suite that supports software composition analysis (SCA), license compliance, and vulnerability management. It consists of six tools, Analyzer, Downloader, Scanner, Advisor, Evaluator, and Reporter, and integrates a range of package managers and vulnerability data providers so that software supply-chain risk can be managed systematically. Each tool can be run on its own or chained with the others, and ORT can also emit standard SBOMs such as SPDX and CycloneDX, which makes it useful for automating license and security compliance in AI development environments.

http://oss-review-toolkit.org/ort/

#softwarecompositionanalysis #licensecompliance #vulnerabilitymanagement #sbom #opensource

OSS Review Toolkit

A suite of CLI tools to automate software compliance checks.

When using open source software, YOU become the security supplier.

Discover how SCA scanning helps manage this responsibility and protect your applications from vulnerabilities like Log4j and XZ Utils: https://anchore.com/software-supply-chain-security/software-composition-analysis/

#SoftwareCompositionAnalysis #SCA #OpenSource

With up to 90% of applications built on open source code, SCA tools are no longer optional—they're essential.

Learn how Software Composition Analysis protects your organization from supply chain vulnerabilities: https://anchore.com/software-supply-chain-security/software-composition-analysis/

#SoftwareCompositionAnalysis #SCA

Everything You Need to Know About Software Composition Analysis (SCA)

Learn the ins and outs of software composition analysis along with expert tips for implementation from the cybersecurity experts at Anchore.

Anchore
DEF CON 32 - Your CI CD Pipeline Is Vulnerable, But It's Not Your Fault - Elad Pticha, Oreen Livni

YouTube
Manifest Confusion in PyPI

How some Python tools interpret dependencies differently.

stiankri's blog

⚠️ Beware of "alert fatigue" in your security processes!

Learn why integrating #SoftwareCompositionAnalysis in your CI/CD pipeline is crucial for safeguarding your software from vulnerabilities: https://bit.ly/3LnT6Ci

#InfoQ article by Lukáš Křečan

#Java #SCA #CI #CD #SecurityVulnerabilities

Dealing with Java CVEs: Discovery, Detection, Analysis, and Resolution

This article discusses the role of SCA in CI/CD pipelines, emphasizing human oversight for accurate vulnerability assessment and the importance of specialized security tools.

InfoQ
Log4Shell, a critical vulnerability discovered in December 2021 and officially tracked as CVE-2021-44228, has had a long-lasting impact, prompting enterprises to adopt software composition analysis and secure supply chain management practices. Despite receiving patches and widespread attention, it remains a common cause for security breaches a year later. https://www.csoonline.com/article/3684108/log4shell-remains-a-big-threat-and-a-common-cause-for-security-breaches.html#tk.rss_all #Log4Shell #CVE2021-44228 #SoftwareCompositionAnalysis #SecureSupplyChainManagement
Log4Shell remains a big threat and a common cause for security breaches

Log4Shell is likely to remain a favored vulnerability to exploit as organizations lack visibility into their software supply chains.

CSO Online
Invisible npm malware - evading security checks with crafted versions | JFrog

The npm CLI has a very convenient and well-known security feature – when installing an npm package, the CLI checks the package and all of its dependencies for well-known vulnerabilities – The check is triggered on package installation (when running npm install) but can also be triggered manually by running npm audit. This is an …

JFrog
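The check the JFrog post above describes (matching installed package versions against known-vulnerability data, as npm audit does) and the SBOM consumption that ORT's SPDX/CycloneDX output enables, as an added example that is not code from the page, from ORT, from npm or from JFrog: a small Python SCA matcher that reads a CycloneDX-style JSON SBOM, parses each component's purl and version, and reports components whose version falls in an advisory's vulnerable range. The sample SBOM, the advisory list and the package `evil-widget` are constructed for this example; the Log4Shell range is simplified to illustrate matching and is not an authoritative affected-version list. The matcher treats a version string that does not parse as strict semver as a finding rather than silently skipping it, which is the defensive choice a practitioner would want given the "crafted versions" in the post title; it is not a description of how npm audit itself behaves internally.

```python
"""Minimal SCA-style audit over a CycloneDX JSON SBOM (added example, not ORT/npm code)."""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample SBOM in the CycloneDX JSON shape (trimmed); not output of any real tool.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.0"},
    {"type": "library", "name": "evil-widget", "version": "1.2.3.4-beta.x",
     "purl": "pkg:npm/evil-widget@1.2.3.4-beta.x"}
  ]
}
"""

# Constructed advisory list: (purl coordinates without version, vulnerable range, advisory id).
# The CVE-2021-44228 range is simplified for illustration; EXAMPLE-0001 is hypothetical.
ADVISORIES = [
    ("pkg:maven/org.apache.logging.log4j/log4j-core", ">=2.0.0 <2.15.0", "CVE-2021-44228"),
    ("pkg:npm/evil-widget", "<2.0.0", "EXAMPLE-0001"),
]

# Strict semver 2.0.0: no leading 'v', no whitespace, no fourth numeric component.
SEMVER_RE = re.compile(
    r"^(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)
COMPARATOR_RE = re.compile(r"^(>=|<=|>|<|=)?(.+)$")
OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b,
}


def parse_version(text: str):
    """Return a sortable key for a strict semver string, or None if it does not parse."""
    m = SEMVER_RE.match(text)
    if not m:
        return None
    core = (int(m["major"]), int(m["minor"]), int(m["patch"]))
    # A release sorts after any pre-release of the same core version.
    return core + ((1, "") if m["pre"] is None else (0, m["pre"]))


def in_range(version_key, range_expr: str) -> bool:
    """True if version_key satisfies every space-separated comparator in range_expr."""
    for token in range_expr.split():
        op, bound_text = COMPARATOR_RE.match(token).groups()
        bound = parse_version(bound_text)
        if bound is None:
            raise ValueError(f"advisory range has a non-semver bound: {token!r}")
        if not OPS[op or "="](version_key, bound):
            return False
    return True


def split_purl(purl: str):
    """Split 'pkg:type/namespace/name@version' into (coordinates, version).
    Qualifiers ('?...') and subpaths ('#...') are dropped (simplification for this example)."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    coords, sep, version = base.rpartition("@")
    return (coords, version) if sep else (base, "")


@dataclass(frozen=True)
class Finding:
    purl: str
    advisory_id: Optional[str]  # None for a version that could not be parsed
    reason: str


def audit(sbom: dict, advisories) -> list:
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            findings.append(Finding(comp.get("name", "?"), None, "component has no purl; cannot match"))
            continue
        coords, version = split_purl(purl)
        key = parse_version(version)
        if key is None:
            # Unparseable version: surface it instead of skipping it, so a crafted
            # version string cannot slip past the check unnoticed.
            findings.append(Finding(purl, None, f"version {version!r} is not valid semver; review manually"))
            continue
        for adv_coords, vuln_range, adv_id in advisories:
            if adv_coords == coords and in_range(key, vuln_range):
                findings.append(Finding(purl, adv_id, f"{version} is in vulnerable range {vuln_range!r}"))
    return findings


def audit_json(sbom_text: str, advisories) -> list:
    """Convenience wrapper: audit an SBOM given as JSON text (e.g. a CycloneDX file's contents)."""
    return audit(json.loads(sbom_text), advisories)


if __name__ == "__main__":
    for f in audit_json(SAMPLE_SBOM_JSON, ADVISORIES):
        print(f"{f.advisory_id or 'UNPARSEABLE':<16} {f.purl}: {f.reason}")
```

Run against a real CycloneDX file by replacing `SAMPLE_SBOM_JSON` with the file's contents and `ADVISORIES` with ranges from your vulnerability source; the only design point worth carrying over is that the matcher never returns silently for a component it could not evaluate.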