You are probably using hundreds of open source libraries, frameworks and other software
hosted on GitHub or similar.
You may also have internal development teams with their own internal git repositories.
Development teams have their own processes for working on security issues. Can you keep track of when, or exactly in which version, an issue was fixed, with 100% confidence? And can your security processes consume this information?
To keep track of changes in open source software you typically go to their issues list or security fixes page, if they have one, to find out when an issue was fixed.
Considering that you are using maybe hundreds of software components from
internal and external sources, this is a time consuming and error prone process.
You are probably unable to track all of them.
Even if you are somehow managing this process manually, the information will not be easily consumable by other processes. For example, if you have someone managing this information in a spreadsheet, it will not be easily usable by others, let alone consumed by an automated process.
VulnIQ can monitor git repositories and automatically fetch and process all commits, indexing and correlating them with other VulnIQ data.
For example, if you are an Apache httpd user, you can configure VulnIQ to monitor the Apache httpd
GitHub repository; VulnIQ will automatically process its commits, determine which ones are relevant, and add them
to the VulnIQ dataset.
As an illustration, here you can see the latest relevant code changes from the Apache httpd source code repository, using the VulnIQ free version.
When a commit references a CVE number, or any other significant object,
VulnIQ will automatically save the commit information to its internal database and
correlate the commit with other data.
When you view CVE information, you will be able to see the commit that actually fixed the issue and the releases that contain the code fix.
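Added example (not VulnIQ's code) of the core of the correlation described above, in Python: it parses constructed `git log --format='%h %s'` lines, extracts CVE references from commit subjects, and, using a constructed stand-in for `git tag --contains` output, reports which release tags contain the fix. All hashes, tags and CVE ids below are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `git log --format='%h %s'` output.
# Hashes and CVE ids are placeholders, not real Apache httpd data.
SAMPLE_GIT_LOG = """\
1111111 Merge branch 'feature-x'
2222222 mod_proxy: reject malformed headers (CVE-2099-0001)
3333333 Follow-up for cve-2099-0001: add regression test
4444444 Fix CVE-2099-0002 (mentions CVE-2099-0002 twice on purpose)
5555555 Bump version to 2.4.99
"""

# Constructed stand-in for `git tag --contains <hash>`: which release tags
# include each commit. Commits absent here are in no tagged release yet.
TAGS_CONTAINING = {
    "2222222": {"2.4.98", "2.4.99"},
    "3333333": {"2.4.99"},
    "4444444": {"2.4.99"},
}

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

def extract_cve_ids(message):
    """Distinct CVE ids referenced in a commit message, normalised to upper case."""
    found = []
    for match in CVE_RE.findall(message):
        cve = match.upper()
        if cve not in found:
            found.append(cve)
    return found

def index_commits(git_log):
    """Map CVE id -> commit hashes whose subject references it, in log order."""
    index = defaultdict(list)
    for line in git_log.splitlines():
        commit_hash, _, subject = line.partition(" ")
        for cve in extract_cve_ids(subject):
            index[cve].append(commit_hash)
    return dict(index)

def fixed_in_releases(cve, index, tags_containing):
    """Release tags that contain every commit referencing the CVE (fix and follow-ups)."""
    hashes = index.get(cve, [])
    if not hashes:
        return []
    return sorted(set.intersection(*(tags_containing.get(h, set()) for h in hashes)))
```

Because the release lookup intersects the tag sets of all commits referencing a CVE, a fix with a later follow-up commit only counts as shipped in releases that contain the follow-up as well; in the sample, CVE-2099-0001 therefore resolves to 2.4.99, not 2.4.98.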
VulnIQ uses a fully featured git client library to process changes, and its git support is not limited to
specific service providers such as GitHub.
You can configure it to monitor your internal git repositories too.