from Hacker News

Ask HN: Why is open source vulnerability management still an unsolved problem?

by kjok on 7/27/23, 7:35 PM with 1 comments

We saw many startups (including YC) recently working on open source vulnerability discovery and patching. Curious to understand why this is still an unsolved problem when Dependabot (and other similar tools) can do this fairly well. Where specifically do the existing tools fail? Appreciate your insights.

  • by GEBBL on 7/27/23, 7:45 PM

    Dependabot it is good for scanning dependencies of popular languages but it does not pick up ‘code smells’ like sonarqube would.

    In addition, some vulnerabilities only appear at build time, so you would need to add in scanning during the pipeline.

    It’s hard to get a full picture of the entire build process, and even still, vulns do get through, for example you forget to implement logic to prevent people from seeing the administration section of your app.

    Security is part machine, part human effort - hard to catch everything, on top of the millions of projects and repositories out there, not all of them on GitHub.