Black Duck Software, creator of a system for scanning open source codebases and detecting known software vulnerabilities, is partnering with Red Hat to bring Black Duck Hub analysis tools to Red Hat's OpenShift PaaS.
The growth of open source in the enterprise has made it necessary to recognize that open source code is not automatically free of vulnerabilities.
According to Red Hat and Black Duck, the first phase of the collaboration involves scanning all containers registered with OpenShift. Black Duck Hub has "detailed data on more than 100,000 known open source vulnerabilities across more than 350 billion lines of code," and new vulnerabilities are added to the Hub as they come to light.
Because the screening process focuses on components rather than whole applications, it can analyze the contents of containers whether they hold third-party applications or in-house software built from open source components.
Concerns about vulnerabilities in containers aren't easily dismissed. Container images are immutable: the software inside them isn't changed while it runs in production. But that also means any flaws in that software persist until the image is rebuilt with patched components and redeployed. The problem is compounded when an image is deliberately kept at an older version for the sake of reproducibility. Black Duck Hub can provide insight into vulnerabilities in older software that has to remain in use.
Black Duck's tools were originally designed to audit enterprises for inadvertent violations of the licenses on open source code used in their projects. License compliance is still part of Black Duck Hub, but security and vulnerability scanning are now arguably the larger concern for enterprises. Licensing controversies tend to affect only open source software that is redistributed or put to public use, whereas vulnerabilities can affect any application, public or private.