Shiftleft CORE
ShiftLeft CORE can help you identify open source vulnerabilities and prioritize them based on how problematic they may be to your application's security. Currently, ShiftLeft is capable of scanning for open-source vulnerabilities in applications written in C#, Java, JavaScript, Python, and Scala. Support for Go is currently in beta, and support for other languages is forthcoming.
Supported languages and package formats
Currently, ShiftLeft is capable of scanning for open-source vulnerabilities in applications written in C#, Java, JavaScript, Python, and Scala. Support for Go is currently in beta, and support for other languages is forthcoming.
ShiftLeft supports the following package formats:
| Language | Package format |
|---|---|
| C# – .NET Core and .NET Framework | .csproj, packages.config |
| Go (Beta) | Gopkg.lock, go.mod, go.sum |
| Java/Scala | Maven (pom.xml), Gradle (build.gradle, .kts), Scala (SBT) |
| JavaScript (Node.js) | package-lock.json, pnpm-lock.yaml, yarn.lock, Rush.js |
| Python | The Pipfile, requirements.txt, the requirements directory, poetry.lock or setup.py files |
How ShiftLeft Can Help?
ShiftLeft seeks to help you answer the following four questions when it comes to any common vulnerability and exposure identified as being present due to the use of an open-source package:
- Is the package that contains the CVE loaded by the application?
- Is the package that contains the CVE in use by the application?
- Is the CVE in the package in an attacker-controlled path? Is it reachable via data flows?
- What can you do to mitigate the CVE? Typically, you can't fix an issue in an open-source package, but are there options (other than upgrading) available to you?
In short, ShiftLeft will help you identify CVEs and determine if the CVEs are high-priority items. With that information in hand, you should be better informed when it comes time for you to mitigate the open-source vulnerability.
Videos: Shiftleft CORE
There are no reviews yet.