Whether you work as a developer for a small startup or a global enterprise, you depend on other developers when you use open source npm packages.
Unfortunately, the state of open source software changes constantly. Problematic versions are detected all the time, so there is never a guarantee that the components you use today won't cause problems in the future. As a developer, you need a process for managing the never-ending stream of problems that pop up.
This post introduces a new workflow in Bytesafe for working with detected problems in the packages in your registries. The new feature, called Issues, lets you track problems so that it is easy to follow progress and see their remediation.
Let’s move on!
Access to the real truth by tracking issues across all registries
Applications with hundreds of dependencies are a typical scenario. Keeping track of all the problems that arise can be a challenge for any company, especially without a structured process in place. Scanning registries only once in a while, or periodically looking for new vulnerabilities or license compliance issues, is not a sustainable way to stay secure.
With the introduction of Issues you get an automated workflow and a holistic view of packages that require your attention.
The plugins and policies in Bytesafe continuously monitor actions made to your registries and scan your existing packages for potential problems. If anything is detected, issues are created immediately, notifications are sent out, and from there the workflow is straightforward. This saves time that can instead be spent remediating issues!
Clicking on Issues in the menu will show all issues across your registries. You’re able to filter the view based on issue status, type, severity or private registry. If you are looking for something specific you can also search among the issues.
Stakeholders are now able to see the real truth. Stay up to date with a snapshot view of potential risks that need to be mitigated without having to ask developers for assistance.
Issue metrics in the dashboards
The dashboards for the workspace, and for each individual registry, show metrics with detected issues grouped by severity level. The metrics are linked and give quick access to the issues filtered by the metric you clicked.
Track the remediation of open issues
Keeping your open source libraries up to date is key. Issues in Bytesafe contain relevant information on why an issue was created and notify you when something needs your attention.
Each issue is uniquely identified by a numeric identifier so that it is easy to refer to and share with others. All issues have a type, title, description, status and severity. Severity levels, titles and descriptions can be edited directly on the issue.
Issues can be linked by referring to other issue IDs in comments. Bytesafe also keeps track of similar issues, for example other issues caused by the same security advisory in different registries.
Anyone interested in getting notifications for a particular issue can just add themselves as a watcher and stay updated.
Track changes in the Activity log
From an audit point of view, development teams are expected to know when packages were added to a registry, when issues were detected, what apps were impacted and finally when the issues were remediated.
Bytesafe helps by tracking all updates and changes to package versions in the Activity log, where it is easy to follow what actions have been taken. This information is often requested by organizations that require traceability, such as regulated businesses.
You can now quickly give incident managers, risk officers, auditors and other stakeholders a fast answer, with no more digging through logs, Slack or similar.
All issues are shown as clickable badges on the package card as seen in the examples below.
Upstream issues - warning you of supply chain attacks
Issues in Bytesafe cover more than security advisories and license problems: upstream configuration issues are tracked as well.
Upstream issues are opened when the same package version is found in multiple external upstreams with non-matching contents. That is a potential indicator of dependency confusion or another supply chain attack.
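The check behind an upstream issue is a comparison of the tarball fingerprints that each upstream reports for the same package version. The following Node script is an added example, not Bytesafe's own code, of that comparison run over constructed sample data: the shape of the input mimics the packument the npm registry API returns for `GET /<package-name>` (trimmed to `versions.<v>.dist.integrity` and `dist.shasum`), the upstream names and all hash values are made up, and the function names are my own. It also shows the two cases a practitioner has to treat separately from a clean mismatch: a version that only one upstream serves (nothing to compare) and a version where an upstream publishes no usable fingerprint (unverifiable, not safe).

```javascript
// Added example (not Bytesafe code): flag a package version whose tarball
// fingerprint differs between upstream registries.

// Constructed packument excerpts keyed by upstream name. Hashes are fake.
const SAMPLE_PACKUMENTS = {
  "registry.npmjs.org": {
    name: "example-widget",
    versions: {
      "1.8.0": { dist: { integrity: "sha512-DDDD", shasum: "4444" } },
      "1.9.0": { dist: { shasum: "5555" } },                          // legacy: sha1 only
      "2.0.0": { dist: { integrity: "sha512-AAAA", shasum: "1111" } },
      "2.1.0": { dist: { integrity: "sha512-BBBB", shasum: "2222" } },
    },
  },
  "mirror.internal.example": {
    name: "example-widget",
    versions: {
      "1.8.0": { dist: {} },                                          // no fingerprint at all
      "1.9.0": { dist: { shasum: "5555" } },                          // matches on shasum
      "2.0.0": { dist: { integrity: "sha512-AAAA", shasum: "1111" } },// identical
      "2.1.0": { dist: { integrity: "sha512-ZZZZ", shasum: "9999" } },// differs: the upstream-issue case
      "2.2.0": { dist: { integrity: "sha512-CCCC", shasum: "3333" } },// served by this upstream only
    },
  },
};

// Extract whatever fingerprints a version document carries. Missing or empty
// fields become null so the comparison can tell "absent" from "different".
function fingerprints(versionDoc) {
  const dist = (versionDoc && versionDoc.dist) || {};
  const pick = (v) => (typeof v === "string" && v.length > 0 ? v : null);
  return { integrity: pick(dist.integrity), shasum: pick(dist.shasum) };
}

// Compare one field across all sources: "match", "mismatch", or null when any
// source lacks the field (a sha512 SRI value cannot be compared to a sha1).
function compareField(sources, field) {
  const values = sources.map((s) => s.fp[field]);
  if (values.some((v) => v === null)) return null;
  return new Set(values).size === 1 ? "match" : "mismatch";
}

// Group every version by the upstreams serving it, then classify each version.
// Returns { mismatched, consistent, unverifiable, single }. Versions in
// `unverifiable` and `single` are reported explicitly rather than treated as
// safe, because no comparison could be made for them.
function findUpstreamMismatches(packuments) {
  const byVersion = new Map();
  for (const [upstream, doc] of Object.entries(packuments)) {
    for (const [version, vdoc] of Object.entries(doc.versions || {})) {
      if (!byVersion.has(version)) byVersion.set(version, []);
      byVersion.get(version).push({ upstream, fp: fingerprints(vdoc) });
    }
  }
  const result = { mismatched: [], consistent: [], unverifiable: [], single: [] };
  for (const [version, sources] of byVersion) {
    if (sources.length < 2) { result.single.push(version); continue; }
    // Prefer the SRI integrity string; fall back to the legacy shasum.
    const verdict = compareField(sources, "integrity") || compareField(sources, "shasum");
    if (verdict === null) { result.unverifiable.push(version); continue; }
    if (verdict === "match") { result.consistent.push(version); continue; }
    result.mismatched.push({
      version,
      sources: sources.map((s) => ({ upstream: s.upstream, ...s.fp })),
    });
  }
  return result;
}

// Stand-alone run: print the classification for the constructed data.
if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(findUpstreamMismatches(SAMPLE_PACKUMENTS), null, 2));
}
```

Against the sample data, `2.1.0` is the only mismatch and would be the one to open an issue for; `2.0.0` and `1.9.0` are consistent, `1.8.0` is unverifiable, and `2.2.0` cannot be compared because only one upstream serves it. Against live registries the same function works unchanged once the packuments are fetched from each configured upstream; the fingerprint comparison is exactly what `npm` itself verifies at install time, so a mismatch here means the two upstreams would hand clients different code for the same version string.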
Read more about different issue types in Bytesafe in our docs.
Being exposed to risks such as vulnerabilities and license compliance issues is inevitable when using open source components. That's why we need proper tooling to keep track of issue remediation and reduce risk exposure. We hope you've seen how Bytesafe can help you in this regard.
Start tracking your issues today!