WhiteSource Addresses OWASP A9 Recommendations: Avoid Using Components With Known Vulnerabilities

How Do We Secure Your Open Source?

The Open Web Application Security Project (OWASP) Top Ten list warns software companies against using components with known vulnerabilities (OWASP A9).
With our tool, you don't have to worry about it at all. WhiteSource will:

  • Identify the open source components in your product automatically, including all dependencies
  • Send you real-time alerts when a new CVE that impacts one of your components is published, or when a new version or patch that fixes one of your vulnerable components is released
  • Give you actionable remediation suggestions so you can fix problematic components
  • Continuously monitor your product, even after release, based on your latest inventory report


Microsoft Recommends WhiteSource

“We want Microsoft’s users to have access to the best industry solutions for open source management. That’s why we reached out to partner with WhiteSource. WhiteSource is a thought leader in the Rugged DevOps space and we are happy that this partnership will bring the confidence, time and money savings they deliver to their customers.”

Sam Guckenheimer, Product Owner, Microsoft

Are You Aware of Security Vulnerabilities in Your Product?

You are going to great lengths to make sure that there are no OSS security vulnerabilities in the software you develop, but what about the open source components you use?

Hundreds of open source security vulnerabilities are discovered and reported every year, and attackers can easily take advantage of them.
Therefore, the response to a published security vulnerability should be immediate.

The problem is that tracking open source vulnerabilities in your product manually is nearly impossible.

CVE entries are keyed to vendor and product names (CPE identifiers) rather than to the package coordinates your build system uses, and the affected version ranges have to be read out of each advisory. Engineers therefore need to check every single CVE manually to see whether it impacts the exact versions in their products. Impractical!
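As an added example (not WhiteSource's code), here is the check that has to be repeated for every CVE: read the affected vendor/product and version ranges from an NVD-style record and decide whether a given component version falls inside them. The record, its CVE id, the product name and the ranges are all constructed for the illustration; the field names follow the shape of the NVD API 2.0 `configurations` block, and the version comparator assumes plain dotted numeric versions.

```python
"""Added example: decide whether a CVE affects a specific component version
from NVD-style CPE match data. Not WhiteSource code; the record below is
constructed and its CVE id is a placeholder, not a real vulnerability.
"""
from __future__ import annotations

# Constructed sample in the shape of NVD JSON 2.0: configurations -> nodes -> cpeMatch.
# Two entries for the same product: a version range and one pinned version.
SAMPLE_CVE = {
    "id": "CVE-0000-0000",  # placeholder id
    "configurations": [
        {
            "nodes": [
                {
                    "operator": "OR",
                    "negate": False,
                    "cpeMatch": [
                        {
                            "vulnerable": True,
                            "criteria": "cpe:2.3:a:example:widgetlib:*:*:*:*:*:*:*:*",
                            "versionStartIncluding": "1.0.0",
                            "versionEndExcluding": "1.4.2",
                        },
                        {
                            "vulnerable": True,
                            "criteria": "cpe:2.3:a:example:widgetlib:2.0.0:*:*:*:*:*:*:*",
                        },
                    ],
                }
            ]
        }
    ],
}


def parse_version(v: str) -> tuple[int, ...]:
    """Assumption for the example: dotted numeric versions only ("1.4.2" -> (1, 4, 2)).
    Real ecosystems (semver pre-releases, Maven qualifiers) need their own comparators."""
    return tuple(int(part) for part in v.split("."))


def cpe_parts(criteria: str) -> dict:
    # cpe:2.3:part:vendor:product:version:update:edition:lang:sw_edition:target_sw:target_hw:other
    fields = criteria.split(":")
    return {"vendor": fields[3], "product": fields[4], "version": fields[5]}


def match_applies(match: dict, vendor: str, product: str, version: str) -> bool:
    """True if this single cpeMatch entry covers vendor/product at `version`."""
    cpe = cpe_parts(match["criteria"])
    if cpe["vendor"] != vendor or cpe["product"] != product:
        return False
    v = parse_version(version)
    if cpe["version"] != "*":
        # exact version pinned inside the CPE string itself
        return v == parse_version(cpe["version"])
    # wildcard version: apply the optional range fields of the match entry
    if "versionStartIncluding" in match and v < parse_version(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and v <= parse_version(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and v > parse_version(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and v >= parse_version(match["versionEndExcluding"]):
        return False
    return True


def is_affected(cve: dict, vendor: str, product: str, version: str) -> bool:
    """Walk every configuration and node; one vulnerable cpeMatch that applies means affected.
    Only plain OR nodes are handled here; AND/negated nodes (platform combinations) are skipped."""
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            if node.get("operator", "OR") != "OR" or node.get("negate"):
                continue  # assumption: this example does not model AND/negated nodes
            for match in node.get("cpeMatch", []):
                if match.get("vulnerable") and match_applies(match, vendor, product, version):
                    return True
    return False


if __name__ == "__main__":
    for ver in ["0.9.0", "1.0.0", "1.4.1", "1.4.2", "2.0.0", "2.0.1"]:
        status = "affected" if is_affected(SAMPLE_CVE, "example", "widgetlib", ver) else "not affected"
        print(f"widgetlib {ver}: {status}")
```

The hard part in practice is not this comparison but the step before it: mapping the CPE vendor/product pair to the artifact your build actually pulls in, which is what an automated inventory has to solve.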

Until now.
WhiteSource automatically detects all known security vulnerabilities in the open source components in your product and alerts you in real time throughout the software development lifecycle (SDLC):

  • Inform developers about security issues while they are searching for new open source libraries.
  • Alert whenever a problematic component is added to the build, so it is easier to remediate.
  • Warn when a new open source vulnerability is discovered in your product, even if it’s a released product.
  • Provide information on patches or new versions that fix these issues.

Not sure if you’re using components with known vulnerabilities? Check what hides in your product.
Start your free trial today.

WhiteSource Scores Strongest Current Offering in Forrester's 'Software Composition Analysis' Report

WhiteSource Benefits

Comprehensive Coverage

Supports over 200 programming languages, and also scans containers.

Pinpoint Accuracy

Proprietary algorithms match security and quality issues to impacted libraries to guarantee no false positives

Easy Remediation

Provides validated, crowdsourced fixes to enable quick resolution

Largest Vulnerabilities Database

Continuously aggregates information from the NVD, security advisories, and open source projects' issue trackers

Effortless Workflow

Enforce policies automatically at all stages of the SDLC to automate approval and tracking processes

Do You Know Which OSS Security Vulnerabilities Are in Your Software?

WhiteSource helps you avoid using components with known vulnerabilities by sending you immediate, automatic alerts when:

  • You add components with known security vulnerabilities
  • New security vulnerabilities are discovered in components you're using, including historic versions you are no longer actively working on (unlike other tools, such as Black Duck Hub)
  • New fixes are released for any of the components used in your software
  • Updates are available for any of your software's open source components


How Does WhiteSource Work?

Install the relevant WhiteSource plugin and run your build


Help your developers with the WhiteSource agile solution, which:

  • Calculates a checksum for each of your components without ever scanning your source code (as code-scanning tools such as Black Duck Protex, Palamida, OpenLogic and Protecode do)
  • Compares the checksums with WhiteSource's databases to identify all your open source components, including all dependencies
  • Pulls relevant information such as licenses, security vulnerabilities and updates from WhiteSource's databases
  • Matches the retrieved data against your company's pre-defined policies
  • Generates immediate, up-to-date reports with all components and issues detected
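The checksum-based identification described above, as an added example that is not WhiteSource's own code: a script that hashes every artifact in a build's library directory, resolves the hashes against a lookup table, and produces an inventory report with licenses, known vulnerabilities and available updates. The artifacts, the lookup table and the vulnerability id inside it are constructed inline so the script runs offline; a real tool queries a remote database keyed on the same kind of artifact hash.

```python
"""Added example: build an open source inventory by hashing dependency
artifacts and looking the hashes up, without reading any application source.
Not WhiteSource code; the artifacts, the lookup table and the vulnerability
id "EXAMPLE-0001" are all constructed for this illustration.
"""
import hashlib
import json
import os
import tempfile


def sha1_of(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Constructed artifact contents standing in for jars in a build's lib directory.
ARTIFACTS = {
    "widgetlib-1.4.1.jar": b"constructed bytes of widgetlib 1.4.1",
    "parserkit-2.3.0.jar": b"constructed bytes of parserkit 2.3.0",
    "unknown-0.1.jar": b"constructed bytes of an artifact not in the database",
}

# Constructed lookup table keyed by SHA-1 of the artifact bytes; the hashes are
# computed from ARTIFACTS so the table stays consistent with the files written below.
KNOWN_COMPONENTS = {
    sha1_of(ARTIFACTS["widgetlib-1.4.1.jar"]): {
        "name": "widgetlib", "version": "1.4.1", "license": "Apache-2.0",
        "vulnerabilities": [{"id": "EXAMPLE-0001", "cvss": 7.5}],  # placeholder id
        "latest": "1.4.2",
    },
    sha1_of(ARTIFACTS["parserkit-2.3.0.jar"]): {
        "name": "parserkit", "version": "2.3.0", "license": "GPL-3.0-only",
        "vulnerabilities": [],
        "latest": "2.3.0",
    },
}


def hash_file(path: str) -> str:
    """Stream the artifact through SHA-1. Only the bytes are read; nothing is
    parsed or interpreted, and the application's own source is never touched."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_inventory(lib_dir: str, db: dict) -> list:
    """Hash every file in lib_dir (direct and transitive artifacts alike end up
    there) and resolve each hash against the database. Unresolved files are kept
    in the report so they can be reviewed rather than silently dropped."""
    report = []
    for fname in sorted(os.listdir(lib_dir)):
        path = os.path.join(lib_dir, fname)
        if not os.path.isfile(path):
            continue
        digest = hash_file(path)
        entry = {"file": fname, "sha1": digest, "identified": False}
        comp = db.get(digest)
        if comp:
            entry.update({
                "identified": True,
                "name": comp["name"],
                "version": comp["version"],
                "license": comp["license"],
                "vulnerabilities": comp["vulnerabilities"],
                "update_available": comp["latest"] != comp["version"],
            })
        report.append(entry)
    return report


def summarize(report: list) -> dict:
    """The counts a dashboard would show for this inventory."""
    return {
        "identified": sum(1 for e in report if e["identified"]),
        "unidentified": sum(1 for e in report if not e["identified"]),
        "vulnerable": sum(1 for e in report if e.get("vulnerabilities")),
        "updates": sum(1 for e in report if e.get("update_available")),
    }


def write_sample_tree() -> str:
    """Create a throw-away lib directory containing the constructed artifacts."""
    d = tempfile.mkdtemp(prefix="sca-example-")
    for fname, data in ARTIFACTS.items():
        with open(os.path.join(d, fname), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    lib = write_sample_tree()
    inventory = build_inventory(lib, KNOWN_COMPONENTS)
    print(json.dumps(inventory, indent=2))
    print(summarize(inventory))
```

Because the lookup is keyed on the hash of the published artifact, a renamed or vendored copy of a library is still identified as long as its bytes are unchanged; a locally patched build produces an unknown hash and shows up as unidentified, which is exactly the case a reviewer wants surfaced.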


How to Create a Full Inventory Report in Less Than 5 Minutes?

Always up-to-date: WhiteSource reports get updated each time you run your build.

Comprehensive: each report contains complete information about all your open source components including dependencies.

One stop shop: WhiteSource supports over 200 programming languages and development environments (unlike other tools such as Black Duck Hub), so you can view all your products in one dashboard.

Do You Know What Open Source Licenses Are Used in Your Software?

WhiteSource helps you to keep a handle on your open source usage by:

  • Detecting all open source components and licenses used in your product, including all dependencies
  • Creating complete and accurate management and legal reports within minutes
  • Automatically enforcing your compliance policy to ensure your developers only use licenses that you approve (including special automatic approval processes with complete history tracking)


Do You Have an M&A on the Horizon? Are You Ready for It?

WhiteSource will enable you and the acquiring team to gain full control of the open source in your software by automatically:

  • Discovering all your open source components and dependencies
  • Enforcing your license risk and compliance policy
  • Identifying all known security vulnerabilities in your product


How to Set up an Open Source Policy in Less Than 5 Minutes?

You can set up a compliance policy based on a range of conditions, for example:

  • Blacklist or whitelist the license types that you disapprove or approve. Any license type that is not listed will require management's approval, or it can fail the build
  • Vulnerability severity, as scored for the CVE (CVSS)
  • Additional conditions such as library name, availability of new versions, library age, etc.
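An added example, not WhiteSource's own code, of how a policy built from the conditions above is evaluated against an inventory: license whitelist and blacklist with a configurable outcome for unlisted licenses, a CVSS threshold, a library-name condition, a library-age condition and an available-update condition. The policy values, component names, dates and field names are all constructed for the illustration and are not a real product's schema.

```python
"""Added example: evaluate an open source policy against an inventory and
decide whether the build passes. Not WhiteSource code; the policy, the
components, their dates and the vulnerability id are constructed.
"""
from datetime import date

# Constructed policy. "fail" breaks the build, "require_approval" routes the
# component to a human, anything else is only reported.
POLICY = {
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"},   # whitelist: auto-approved
    "denied_licenses": {"GPL-3.0-only", "AGPL-3.0-only"},       # blacklist: fails the build
    "unlisted_license_action": "require_approval",               # or "fail"
    "max_cvss": 6.9,               # any known vulnerability scored above this fails the build
    "blocked_names": {"leftpad"},  # library-name condition
    "max_age_days": 5 * 365,       # library-age condition: warn on releases older than this
    "require_latest": False,       # if True, an available newer version fails the build
}

# Fixed evaluation date so the age condition is reproducible.
AS_OF = date(2024, 6, 1)

# Constructed inventory in the shape a build plugin would hand to the policy step.
INVENTORY = [
    {"name": "widgetlib", "version": "1.4.1", "license": "Apache-2.0",
     "released": date(2023, 3, 1), "latest": "1.4.2",
     "vulnerabilities": [{"id": "EXAMPLE-0001", "cvss": 7.5}]},  # placeholder id
    {"name": "parserkit", "version": "2.3.0", "license": "GPL-3.0-only",
     "released": date(2022, 6, 1), "latest": "2.3.0", "vulnerabilities": []},
    {"name": "oldutil", "version": "0.2.0", "license": "Artistic-2.0",
     "released": date(2015, 1, 1), "latest": "0.2.0", "vulnerabilities": []},
    {"name": "tinyfmt", "version": "3.0.0", "license": "MIT",
     "released": date(2024, 1, 1), "latest": "3.0.0", "vulnerabilities": []},
]


def evaluate(component: dict, policy: dict, today: date = AS_OF) -> list:
    """Return the policy findings for one component as (outcome, reason) pairs.
    Outcomes: "fail" breaks the build, "approval" needs a human, "warn" is reported only."""
    findings = []
    lic = component["license"]
    if lic in policy["denied_licenses"]:
        findings.append(("fail", f"license {lic} is blacklisted"))
    elif lic not in policy["allowed_licenses"]:
        action = "fail" if policy["unlisted_license_action"] == "fail" else "approval"
        findings.append((action, f"license {lic} is not on the whitelist"))
    worst = max((v["cvss"] for v in component["vulnerabilities"]), default=0.0)
    if worst > policy["max_cvss"]:
        findings.append(("fail", f"known vulnerability with CVSS {worst} exceeds {policy['max_cvss']}"))
    if component["name"] in policy["blocked_names"]:
        findings.append(("fail", f"library {component['name']} is blocked by name"))
    if (today - component["released"]).days > policy["max_age_days"]:
        findings.append(("warn", f"version {component['version']} is older than {policy['max_age_days']} days"))
    if component["latest"] != component["version"]:
        outcome = "fail" if policy["require_latest"] else "warn"
        findings.append((outcome, f"newer version {component['latest']} is available"))
    return findings


def build_passes(inventory: list, policy: dict, today: date = AS_OF) -> tuple:
    """Apply the policy to every component; the build fails on any "fail" finding.
    Returns (passed, {component: findings}) so the report shows every decision, not just the verdict."""
    results = {}
    passed = True
    for comp in inventory:
        key = f"{comp['name']}@{comp['version']}"
        results[key] = evaluate(comp, policy, today)
        if any(outcome == "fail" for outcome, _ in results[key]):
            passed = False
    return passed, results


if __name__ == "__main__":
    ok, results = build_passes(INVENTORY, POLICY)
    for comp, findings in results.items():
        for outcome, reason in findings:
            print(f"{outcome:8} {comp}: {reason}")
    print("BUILD", "PASSED" if ok else "FAILED")
```

Keeping the outcome per condition configurable is what lets the same engine serve both modes the page describes: a lenient policy that sends unlisted licenses to approval and merely warns about stale or outdated libraries, and a strict one where those same findings fail the build.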