Frequently asked questions (FAQ)

Browse our FAQ section for detailed answers to common questions about using Debricked.

Is Debricked’s service on prem or SaaS?

At present, we are only providing a Software as a Service (SaaS) solution.

What type of scanning does Debricked do?

At Debricked, we utilize manifest-based scanning, which effectively identifies security issues across a wide range of file formats. While binary scanning is often considered superior because it produces fewer false positives, it can overlook critical security vulnerabilities, supply chain attacks, and licensing problems. Additionally, unlike manifest-based scanning, binary scanning does not account for test and build dependencies, which can still present risks.

Manifest-based scanning identifies the components listed in your dependency files, while binary scanning analyzes and fingerprints binary files. Binary scanning can be useful when source code or package managers for installing dependencies are unavailable. However, it does not include development and test dependencies, which can pose significant risks. Manifest-based scanning is more effective at identifying vulnerabilities and compliance issues, making it better suited to the developer workflow. For vendor code and C/C++ scanning, Debricked can scan an SBOM if the vendor provides one.

Ultimately, the decision between manifest scanning and binary scanning depends on your workflow and objectives. At Debricked, we emphasize automation and tools that enable developers to identify and resolve issues swiftly and accurately. This is why we concentrate on manifest scanning.
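To make the distinction concrete, here is an added example (not Debricked's code) of a minimal manifest-based matcher run over a constructed `package-lock.json` fragment and a constructed advisory feed; the `include_dev` switch shows how a scan that ignores development dependencies misses a finding. Package names, versions and advisory ids are placeholders chosen for the example.

```python
import json

# Constructed lock file in the shape of a package-lock.json "packages" map.
# Not a real project; "dev": true marks a development dependency.
LOCKFILE = json.loads("""
{
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/lodash": {"version": "4.17.15"},
    "node_modules/minimist": {"version": "1.2.5", "dev": true},
    "node_modules/express": {"version": "4.18.2"}
  }
}
""")

# Constructed advisory feed: vulnerable range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "lodash", "introduced": "0.0.0", "fixed": "4.17.21"},
    {"id": "ADV-EXAMPLE-2", "package": "minimist", "introduced": "0.0.0", "fixed": "1.2.6"},
    {"id": "ADV-EXAMPLE-3", "package": "express", "introduced": "0.0.0", "fixed": "4.0.0"},
]

def parse_version(v):
    """Turn '4.17.15' into a comparable tuple of ints (pre-release tags ignored)."""
    return tuple(int(part) for part in v.split("-")[0].split("."))

def lockfile_components(lock):
    """Yield (name, version, is_dev) for each locked package, skipping the root entry."""
    for path, meta in lock["packages"].items():
        if not path:  # "" is the project itself, not a dependency
            continue
        name = path.split("node_modules/")[-1]
        yield name, meta["version"], bool(meta.get("dev", False))

def scan(lock, advisories, include_dev=True):
    """Match every locked component against the advisory ranges.
    include_dev=False mimics a scan that ignores development dependencies."""
    findings = []
    for name, version, is_dev in lockfile_components(lock):
        if is_dev and not include_dev:
            continue
        v = parse_version(version)
        for adv in advisories:
            low, high = parse_version(adv["introduced"]), parse_version(adv["fixed"])
            if adv["package"] == name and low <= v < high:
                findings.append((name, version, adv["id"], "dev" if is_dev else "prod"))
    return findings

if __name__ == "__main__":
    for finding in scan(LOCKFILE, ADVISORIES):
        print(finding)
```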

How accurate is the service in finding a vulnerability?

Our service will detect any open-source vulnerabilities in your repository, drawing information from various sources, including but not limited to the NVD Database, NPM, C# Announcements, FriendsOfPHP’s security advisories, the Go Vulnerability Database, the PyPA Python Advisory Database, GitHub Issues, GitHub Security Advisories, mailing lists, and more. These sources are updated every 15 minutes to ensure that we identify as many vulnerabilities as possible.

Debricked has found a wrong dependency. What should I do?

If you think Debricked has identified an incorrect dependency, you can manage and override your dependency matches using our CLI.

What is meant by “increased computation” for enterprise customers?

For our enterprise customers, we increase the number of available workers to allow for scanning more files simultaneously, which can greatly enhance scan speed.

To what extent can root fixes break the code?

When root fixes cause issues in the code, you should manually update the dependencies. There is always a risk of breaking changes when updating these dependencies, and the extent of that risk varies with each update. While the risk is not inherently greater with root fixes than with indirect fixes, we can ensure that we will not compromise the dependency tree by introducing a version of a dependency incompatible with its upstream dependencies.

How long do I need to wait to request a second password reset?

You must wait one hour before you can request a second password reset.

Is there a way to restrict what repositories certain users can see?

Role-Based Access Control (RBAC), our Enterprise feature, enables granting and enforcing access to functionalities and integrated repositories by assigning predefined roles to users.

Is it possible to extract a pie chart or other visualization of the identified licenses and dependencies?

You can export license data, covering both licenses and dependencies, as an Excel file, from which you can create a pie chart. Alternatively, our API can provide the same data.

What do we classify as a “scan”?

We perform a scan every time a developer commits code, irrespective of the size of the changes.

Does Debricked run on a PC, or does it upload data to your servers?

There are several ways to run our service. One option is to manually upload your dependency files; however, it is more common to integrate our service into your test pipelines through platforms like GitHub or GitLab.

How do you distinguish between frequent and sporadic contributors?

We examine averages and review the list of committers on a monthly basis. We understand that many businesses have a certain number of "non-developer" committers, such as bots or students who participate for a limited time. To address this, we communicate with our customers to determine the actual number of contributing developers and incorporate that information into the contract.

What measures does Debricked implement to prevent and detect vulnerabilities?

Debricked implements the following measures to prevent and detect vulnerabilities:

  • Using our own service to find known vulnerabilities in our dependencies

  • Conducting third-party penetration tests

  • Continuously running our own penetration tests internally

  • Running a vulnerability disclosure program that allows bug bounty hunters to report security issues to us, with monetary rewards for interesting findings

Where is Debricked’s data stored?

Customer data is stored using Google Cloud Platform (GCP) as the service provider, located in the Netherlands.

Where is Debricked’s office located?

Our headquarters is located at Anckargripsgatan 3, Minc, Malmö, Skåne 211 19, Sweden.
