Java & Kotlin - Gradle, Maven, Bazel

This section provides a breakdown of the file formats and features supported in Java/Kotlin.

Debricked currently supports tracking Java or Kotlin dependencies using:

Gradle (using build.gradle and build.gradle.kts files)
Maven (using pom.xml files)
Bazel (using WORKSPACE and install.json files)
File fingerprinting to detect dependencies not specified in manifest files

Gradle

To achieve the fastest and most accurate results, create a file containing the resolved dependency tree named .gradle.debricked.lock before scanning.

This can be accomplished using the High Performance Scans technology in Debricked CLI. If you execute the resolve command, the CLI automatically identifies all manifest files that lack the recommended Gradle lock files and generates them as needed.

You can create the recommended file(s) manually by running the Gradle dependencies command and saving the output in a gradle.debricked.lock file.

gradle dependencies > gradle.debricked.lock

Every gradle.debricked.lock file should be placed in the same directory as its corresponding build.gradle or build.gradle.kts file.

Maven

To achieve the fastest and most accurate results, create a file containing the resolved dependency tree named .maven.debricked.lock before scanning.

This can be accomplished using the High Performance Scans technology in our Debricked CLI. If you execute the resolve command, the CLI automatically identifies all manifest files that lack the recommended maven lock files and generates them as needed.

You can manually generate the recommended file(s) by running the Maven dependency:tree plugin and saving the output to a maven.debricked.lock file.

mvn dependency:tree -DoutputFile=maven.debricked.lock -DoutputType=tgf

Every maven.debricked.lock file should be placed in the same directory as the corresponding pom.xml file.

Bazel

Debricked supports Java projects that utilize Bazel by scanning the WORKSPACE file format along with any Java file formats in use. To ensure fast and accurate scans, Debricked recommends utilizing rules_jvm_external to generate an install.json file, which resolves and pins all indirect dependencies in a lock file.

For more information on setting this up in your project, see Bazel blog.

File fingerprinting

Debricked supports scanning for Java dependencies not defined in manifest-files through file fingerprinting. Our database contains the hashes of .jar and .war files as well as their unpacked contents for all packages in the largest maven repository. This is used when comparing with the contents of your application, to ensure as accurate matches as possible.

For more information on file fingerprinting and how to set it up, see file fingerprinting.

Supported file formats and features

*When building the knowledge base, the files are downloaded, unpacked and fingerprints are created for all file contents, except for certain excluded patterns. The fingerprints are created for the contents of each file. For example, Debricked matches .dll files used in C# and .class files found within .jar files from Java, among others.

PHP - Composer

See a breakdown of the file formats and features supported in PHP.

Debricked currently tracks PHP dependencies installed through Composer dependency manager, using either the composer.json or composer.lock files.

Debricked recommends including the composer.lock file, as it contains resolved versions of both direct and indirect dependencies, leading to more accurate scan results.

The composer.lock file is generated whenever one of the following commands is executed:

composer install

composer required

composer update

If at least one of the supported files is committed to the repository, it will be automatically scanned for dependencies when integrated with Debricked CI/CD pipeline.

Supported file formats and features

*This is a native lock file format. Native lock file formats are the fastest formats to scan.

Go - Go Modules, Go Dep, Bazel

This section provides a breakdown of the file formats and features supported in Go.

Debricked supports tracking Go dependencies through:

Go Modules, using go.mod files
Go Dep, using gopkg.lok files
Bazel, using WORKSPACE files

Go Modules

Debricked supports tracking Go dependencies using the Go Modules dependency management system and its associated go.mod file. To achieve the fastest and most accurate results, it is necessary to create a file containing the resolved dependency tree, .gomod.debricked.lock, before scanning.

This can be done using the High Performance Scans technology in Debricked CLI. If you execute the resolve command, the CLI automatically identifies all manifest files that lack the recommended go.lock files and generates them as needed.

You can manually generate the recommended file(s) by running go mod graph followed by go list -m all, and storing the outputs separated by two new lines between the sections in the gomod.debricked.lock file.

printf "$(go mod graph)\n\n$(go list -mod=readonly -e -m all)" > gomod.debricked.lock

Every gomod.debricked.lock must be put in the same directory as the corresponding go.mod.

Debricked recommends running go mod tidy to clean up unused modules before pushing the go.mod files, ensuring more accurate service results.

Bazel

Debricked supports Go projects that utilize Bazel, scanning the WORKSPACE file format alongside any Go file formats in use. Although Bazel does not have native support for Go, support can be added using Gazelle.

Go Dep

Go Dep and its associated file Gopkg.lock is deprecated and will not get any improvements present in other formats, such as Go Modules.

Supported file formats and features

*This is a native lock file format. Native lock file formats are the fastest formats to scan.

Rust - Cargo

See a breakdown of the file formats and features supported in Rust.

The support for this language is currently in beta. Vulnerability results may be less accurate than normal.

Debricked now tracks Rust dependencies through Cargo, using its associated Cargo.lock files. This file is generated whenever one of the following commands is executed:

cargo build

cargo update

If the file is committed to the repository, it will be automatically scanned for dependencies when integrated with Debricked CI/CD pipeline.

Supported file formats and features

*This is a native lock file format. Native lock file formats are the fastest formats to scan.

Python - Pip, Pipenv

See a breakdown of the file formats and features supported in Python.

Debricked now tracks Python dependencies through:

Pip (using the older requirements.txt files)
Pipenv (using the newer Pipfile.lock files)
file fingerprinting, to find dependencies not defined in manifest-files

Pip

To achieve the fastest and most accurate results, create a file containing the resolved dependency tree before scanning. This can be accomplished using the High Performance Scans technology in Debricked CLI. By executing the resolve command, the CLI automatically identifies all manifest files that lack the recommended lock files and generates them as needed. The first part of the name is based on the name of the file it was generated from. The file naming format is as follows:

<FILE_NAME>.pip.debricked.lock

Example: .requirements.txt.pip.debricked.lock

If at least one of the supported files is committed to the repository, it will be automatically scanned for dependencies when integrated with Debricked CI/CD pipeline.

File fingerprinting

Debricked supports scanning for Python dependencies not defined in manifest files through file fingerprinting. Debricked database contains the hashes of .whl files as well as their unpacked contents (including .py files) for all packages in the Python package index (PyPI). This is used when comparing with the contents of your application, to ensure as accurate matches as possible.

For more information on file fingerprinting and how to set it up, see file fingerprinting.

Supported file formats and features

Pull Requests (PR)

Learn about the types of Pull Requests (PR) Debricked supports and the actions triggered when PRs are generated.

The goal of a Pull Request is to completely remove the CVE from the repository. Note that some dependency versions do not allow a safe version of the currently vulnerable dependency. Therefore, the pull request will only be generated if at least one of the affected direct dependencies has been updated to a safe version.

Debricked currently supports two types of pull requests:

CVE-specific Pull Request

The pull request creation depends on the nature of the dependency relations. If updating the lock file suffices to fix the vulnerable dependency, the pull request will contain the updated lock file. If an update to the direct dependency is required, Debricked will apply the fix to the main dependency file containing the direct dependency versions. Afterwards, Debricked will update the lock file with the new version of the direct dependency and its dependencies.

When you generate a CVE-specific pull request, the following actions are performed to your repository and dependency files:

Generate the dependency updates in the dependency file to fix the CVE.
Make required changes to your dependency files as stated above.
Create a branch in the repository.
Push the remediated dependency files.
Create pull request to original branch.

Repository-specific Pull Request

Repository-specific pull requests are a way of remediating vulnerabilities in bulk, with a single click of a button. Instead of focusing on remediating a specific CVE, Debricked widens the scope to all CVEs that affect a specific repository. Currently, Debricked only supports lockfile-only repository-specific pull requests. They are a quick way of making sure that your dependency files are up-to-date. These pull requests generate your lock file(s) from scratch in an attempt to update indirect dependency versions within given constraints. This will fix the majority of the CVEs in many cases. When generating a repository-specific pull request from the repository view, it will be based on the branch selected in the dropdown provided after clicking the Generate pull request button.

When you generate a repository-specific pull request, the following actions are performed to your repository and dependency files:

Apply required changes to your dependency files as stated above.
Create a branch in the repository.
Push the remediated dependency files.
Create pull request to original branch.

Lockfile-only fix

The lockfile-only fix means that you can regenerate the lockfile in your repository and the vulnerability will be solved. You don't need to update the root dependency - rather you should reinstall the same version (for example: run yarn upgrade and get a new lock.file). This is used when the version constraints set by the root dependency allow for the safe version of the indirect dependency, but it has been a while since you did the install. Then, re-installing it will solve the problem.

Branch selection

The type of pull request being generated determines what the new generated branch will be based on. If you’re generating a bulk fix from the repository view, the branch will be based on the branch selected in the drop-down provided after pressing the Generate pull request button. If you're instead generating a pull request from the page of a specific CVE, the chosen branch will depend on a few factors:

If a default branch containing the CVE is detected in your repository, the pull request branch will be based on it.
If Debricked is unable to detect a default branch, or the CVE exists in a branch other than the default one for that repository, Debricked will first check if the CVE exists in the main or dev branch. If not, the branch which contains the latest commit in the repository is selected.

For more information on how to solve a vulnerability using a PR in the web tool, click the below link:

Data sources

Explore this section to discover the trusted sources of data.

Debricked's algorithms constantly scan various sources for information about vulnerabilities, licenses and health data. These include (but are not limited to: the NVD Database, NPM, C# Announcement, FriendsOfPHP's security advisories, Go Vulnerability Database, PyPA Python Advisory Database, GitHub Issues, GitHub Security Advisory, mailing lists, and more. Debricked checks the sources every 15 minutes, giving fast and accurate data.

Data refinement

When the data is collected, it is cleaned up since it is often quite messy. As the sources are a combination of structured and unstructured data, there are a lot of errors in it by default.

CVE-parsing

The largest source of vulnerability data is the NVD database. The problem with this source is that the CPEs (or products connected to vulnerabilities) are often mislabelled, and it is common to see a time lag of up to four weeks in assigning CPEs to CVEs. Debricked uses natural language processing to re-classify the vulnerabilities and increase the amount of correctly classified vulnerabilities and reduce that time lag to 0 days. This is one of many data-refinement activities that is carried out 24/7 for customers.

Fully automated

What makes Debricked special is that it does not use any form of manual analysis of vulnerabilities. That is a risky bet that took almost 5 years of research and development to pull off. But as a result, as soon a vulnerability is discovered in a data source, it is indexed, refined and a fix is found. All of this can happen within 15-30 minutes. Moreover, Debricked constantly monitors for changes in data regarding this particular vulnerability. In contrast, it takes an average of 30 days for a NVD database to complement their data with more details. Sometimes it is never done if the vulnerability has low priority. The same is true for finding fixes and other details. But with Debricked, you can rest assured that the systems are working around the clock and are not introducing any noticeable lag between the vulnerability sources and your developers. Debricked is here to assist you in building the bricks of security!

Scanning the code for dependencies and matching

In the next step, Debricked scans your projects for dependency files. This can be done in a variety of ways, for example, by CI/CD integrations (recommended), manual uploads, and Debricked APIs.

What does Debricked look for?

Debricked essentially scans for any declared dependencies in files, such as the well-known package-lock.json, composer.json and so on. Next, this dependency file is transformed into Debricked own internal format and is sent to the matching and rule engines. Any indirect dependencies are also built or traversed in this process.

Matching and rule engines

Following are the two pieces of software that:

Match your vendor and name of the dependency to Debricked internal database
Determine the likelihood of this match being correct

It is often the case that open-source projects have similar names, share parts of names, or even have the same names but different vendors. Hence, simple regular expressions, whitelists and blacklists are not enough. Debricked makes use of modern tech, such as machine learning, to determine the likelihood of the match being a true positive or not based on Debricked algorithms. The accuracy of these algorithms varies depending on the language and package manager being used.

A solution to your problems

In most cases, the solution to vulnerabilities in open-source dependencies is to simply update the dependency to a later version that is not vulnerable. Often the update is easy to make, but if the ga between the versions is large enough, an update could cause breaking changes to your code. We help you figure out which version to update to by finding the smallest possible update you can do, which still fixes the vulnerability, helping you fix the problem while keeping the risk of breaking changes as low as possible.

Security terms

A glossary of common security terms used in the Debricked tool.

Here are some of common security terms that are used within the tool:

Common Vulnerability Enumeration (CVE)

This is a vulnerability published in an open database by NVD, with an assigned vulnerability ID known as CVE ID. Examples include Heartbleed (CVE-2014-0160) and Shellshock (CVE-2014-6271).

Common Vulnerability Scoring System (CVSS)

An open framework for describing the severity of vulnerabilities, where each vulnerability is given a score between 0 and 10, with 10 being critical.

Common Weakness Enumeration (CWE)

This is a weakness, either in software or in hardware, that may be exploited in a specific system. The CWE list is a tree hierarchy with different levels of abstraction. An example of a CWE tree chain, from high to low abstraction, may look like:

"Improper Restriction of Operations within the Bounds of a Memory Buffer" (CWE-119) -> "Buffer Copy without Checking Size of Input" (CWE-120) -> "Stack-based Buffer Overflow" (CWE-121).

Common Platform Enumeration (CPE)

This is a naming scheme for IT systems, software, and packages. An example of a CPE string for the React framework, version 16, is:

cpe:2.3:a:facebook:react:16.0.0:*:*:*:*:*:*:*.

Node Package Manager (npm)

A package manager for JavaScript consisting of a command line client npm, along with an online database of packages known as the npm registry. npm handles local dependencies, as well as global JavaScript tools. As of 2023, npm has joined forces with GitHub.

National Vulnerability Database (NVD)

An open database, managed by the U.S. government, for management of vulnerabilities. The information displayed is an aggregation of multiple sources along with a severity scoring using CVSS, the type of vulnerability as a CWE, and affected products as a CPE.

Understanding security vulnerabilities - video series

Have a look at the online course giving you an overview of security vulnerabilities and related topics. In this series, you will learn about:

Different types of security vulnerabilities
How to identify and mitigate them
Common attacks and how to protect your team from it

Whether you are a beginner or an experienced developer or a security professional, this series is designed to help you enhance your knowledge of open-source security and keep your code secure.

Check it out, improve your skills and stay ahead in the fast-changing world of technology.

Security overview

This content was last updated in May 2024, and represents the status quo as of the time it was written.

Download PDF version

Solve vulnerabilities at scale

At Debricked, security is a top priority. The customers trust us with their software dependency data, and Debricked takes this responsibility seriously.

The task of handling data securely is based on trust, and Debricked takes several measures to earn this trust. This includes securing data at rest and in transit, being transparent in how Debricked reads repository information and separating pods.

This document serves to answer and clarify some questions that are received from customers on how and where their data is processed.

Securing data in transit

Debricked reads dependency information from your source code manager and matches the dependencies with our vulnerability, license, and health database. You can view the results in the CI/CD pipeline using the Debricked web application.

All data is transmitted in encrypted form to the database and the web application, using TLS 1.2 or higher, with ciphersuites supporting forward secrecy. When accessing the web application through a browser, HSTS (HTTP Strict Transport Security) with preload is used to ensure that no data is ever transmitted unencrypted. All communication with third-party services is also encrypted.

Data collection

Debricked collects customer data from your source code manager such as GitHub or GitLab. Debrick provides GitHub app with read and write access to the repository. The read access is required for reading metadata and dependency information. The write access is required to create pull requests for fixing vulnerabilities.

Debricked also provides a CLI (Command Line Interface), both standalone and embedded in a Docker image. The Docker image can access the repository as part of the CI/CD. Debricked will not get read permission to your complete repository.

Dependency information is sent to Debricked's servers. This holds for the GitHub app and the CLI used in the CI/CD. With the CLI, source code is never sent to Debricked. For the GitHub app, source code is only sent for package managers where this is required for building the dependency trees. Still, in all such cases, the source code is immediately deleted after the dependency tree is built.

Additionally, Debricked supports file fingerprinting for detection of dependencies. Here, Debricked uploads and saves the name, path, and size of a file, together with a hash of the file content. The files themselves are never uploaded or saved on Debricked servers.

To perform reachability analysis for vulnerabilities, call graph information will be sent to Debricked so that reachability can be visualized and assessed by the customer.

Data storage and processing

Debricked’s service is running on cloud computers hosted by GCP (Google Cloud Platform). All dependency data is stored and processed within the European Union (Netherlands).

The service, including the database, is hosted within a private network on GCP, using VPC peering. The database is not externally accessible and is deployed on two availability zones for added redundancy.

Debricked applies controlled invocation of the functionality through an authenticated API. Cloud infrastructure and direct database access are subject to the least privilege principle and are restricted to only very few employees.

The matching between dependency information and vulnerability, license, health data is performed on Kubernetes pods. When dealing with untrusted processing of dependency information, that is, functions implemented by third-party code (for example, ‘npm install’), such processing is performed in an ephemeral sandbox without multi-tenancy.

This ensures that there is no information leakage between customers as part of the processing.

Debricked also uses third parties to track and process how customers use the service. This allows Debricked to understand and optimize the service for improved customer experience. An effort is taken to anonymize possibly sensitive information. Debricked never sells any data to a third party.

Data access

From the customer’s perspective, password credentials are protected in several ways. Proactive password checking reduces the possibility of choosing weak passwords, and rate limits protect against brute-force attacks. Debricked also supports single sign-on login through GitHub and identity providers supporting the OpenID Connect protocol.

Account access in the web application supports two-factor authentication. Both email authentication and TOTP (Time-based one-time password) authentication with Google authenticator are supported.

Access is also granted through the CLI or directly through an API. Such access requires a JWT token. A long-lived refresh token with 20 years of validity can be generated and revoked in the web application or through the API using the account password. The refresh token can then be used to generate a JWT token that has about 1-hour validity.

Compliance

With many EU-based customers, Debricked aligns with the GDPR (General Data Protection Regulation) requirements. Here, transparency is key, and the Privacy Policy intends to convey all necessary information for customers to understand how Debricked treats PII (Personally Identifiable Information).

Debricked is part of OpenText Cybersecurity. The Debricked application has been certified as conforming to the ISO/IEC 27001:2013 requirements. Debricked continuously documents, updates, and assesses the internal security according to the requirements.

Debricked also has a SOC 2 report showing the compliance with the AICPA Trust Services Criteria.

Vulnerability testing and reporting

To encourage and enable third-party vulnerability reports, Debricked performs penetration tests, both in-house and by third parties, to reveal possible weaknesses in the web service and its implementation.

Debricked’s security testing also includes regular SAST and DAST scanning with professional third-party tools.

Lastly, Debricked uses Software Composition Analysis (SCA), its own Debricked SaaS application.

About Debricked

Debricked is redefining the way developers select, evaluate, use and contribute to open source software. Debricked SCA and Select makes open source security, compliance and health simple, and helps companies use more open source in an efficient manner. Since 2022, Debricked is a part of OpenText.

See your data

Learn how to find detailed information about your projects.

In order to efficiently work with vulnerabilities in your repositories, you need an overview of all repositories you have along with the vulnerabilities affecting them. Debricked provides you with an overview of all your projects and their security status.

See all your repositories

To get an overview of all your repositories, click Repositories in the left side menu.

In this view, all your repositories are shown, by default sorted by the amount of vulnerabilities, along with the data:

Name: The name of the repository prepended with the name of the owner.
Total indirect dependencies: The number of indirect dependencies that were imported by the dependency.
Total vulnerabilities: The total number of vulnerabilities found (including indirect dependencies).
Vulnerability priority: The total number of vulnerabilities where the CVSS score is critical or high.
Review status: The total number of vulnerabilities, where the review status is set to vulnerable, unexamined, paused/snoozed, and unaffected.
Total vulnerabilities with exploits: The total amount of vulnerabilities that have at least one known exploit.

See vulnerabilities in a specific repository

To show all vulnerabilities in a specific repository, click the repository name. This displays a view specific for that repository.

In this view, you get detailed information regarding the vulnerabilities discovered in your repository:

Name: The vulnerability name, which is usually a CVE identifier.
Discovered: The date at which the vulnerability was discovered in your code or repository.
CVSS: The CVSS score for this vulnerability.
Dependencies: The dependency in which the vulnerability was discovered.
Review status: Indicates whether the vulnerability is known to be vulnerable, unaffected, or unexamined.
Reachable Path: Displays if the vulnerable functionality is reachable or not through your code. This field is conditionally displayed based on whether Reachability Analysis was run or not.
Exploited (CISA): Determines whether the vulnerability is exploited or not, based on the CISA KEV catalog.

To see all commits related to this repository, or all related dependencies, click one of the tabs.

See information about a specific vulnerability

To get detailed information about a specific vulnerability in a repository, click the vulnerability ID. This view contains links to advisories, such as NVD and GitHub along with a summary of the severity.

The summary contains the following information about the vulnerability:

File(s) in which the vulnerability was found and the dependencies that introduced vulnerabilities.
Versions of vulnerable dependencies, and suggested safer alternative versions that can be used wherever possible.
Breakdown of the CVSS scores

You will also get a list of external references that contain information about remediations, patches, real-world exploits, as well as documentation from issue trackers.

See all vulnerabilities across all projects

To get an overview of all vulnerabilities found in all scanned repositories, click Vulnerabilities in the left side menu.

This view is similar to the view for a specific repository, but here all vulnerabilities found in all your repositories are included.

See all your dependencies

To get an overview of all imported dependencies, including indirect dependencies, click Dependencies in the left side menu.

In this view, you are presented with a list of all dependencies found in all scanned repositories. It includes details such as:

Name: The name of the dependency.
Total indirect dependencies: The number of indirect dependencies that were imported by the dependency.
Total vulnerabilities: The total number of vulnerabilities found (including indirect dependencies).
Vulnerability priority: The total number of vulnerabilities where the CVSS score is critical or high.
Review status: The total number of vulnerabilities, where the review status is set to vulnerable, unexamined, paused/snoozed, and unaffected.
Licenses: The license under which the dependency is released.
Health Scores: The Popularity score and the Contributor score of this dependency.

Symbols

The column Name contains additional symbols providing you with more information:

? - This is used for dependencies for which we were not able to parse the dependency tree (see Language Suppor t).
▼ - This is used for direct dependencies which include indirect dependencies (see section below).
dependency symbol - This is used for indirect dependencies which are related to the main dependencies.
no symbol - This is used for direct dependencies that do not include any indirect dependencies.

Direct or indirect dependencies

use the ▼ button next to the name of the direct dependency to see its indirect dependencies. The indirect dependencies are marked with an icon in the Name column to make it easier for you to differentiate them. To expand all direct dependencies in the current page, click the Expand all/Collapse all toggle button at the top.

Search for dependencies

You can type the name of a package in the Search bar, to search for a specific dependency (direct or indirect), or the name of a license to see all the dependencies related to one license.

Solve vulnerabilities using Pull Requests (PR)

Debricked offers several solutions to tackle open-source vulnerabilities. Learn how to do it using Pull Requests (PR).

Assume there is repository with huge number of vulnerabilities. It will take time to go through each one of them and potentially fix them. Debricked offers the ability to open a pull request to solve many vulnerabilities at once.

Support for Pull Requests

Currently, Debricked only supports pull requests for certain package managers and integrations using the GitHub app, GitLab or Azure DevOps. For information regarding the support of your package manager, see the language support page.

Solve multiple vulnerabilities using a Pull Request

Following are the steps for to solve multiple vulnerabilities:

In a repository, click Generate pull request to let the tool update your dependencies, solve vulnerabilities, and create a pull request.
Click View generated fix to view the pull request.
When the pull request is merged, you will notice a decrease in the number of vulnerabilities.

Set a commit message

Once you click the Pull Request button, a new modal is displayed where it is possible to set your own commit message. If you choose not to provide a message, by default the message will be "Fix CVE-XXX" or "Bulk fix vulnerabilities", depending on the type of Pull Request that is created.

Solve a single vulnerability using a Pull Request

It is possible to solve a specific vulnerability in a repository using pull requests, instead of multiple CVEs at once as in the example above.

Following are the steps to solve a specific vulnerability:

In a repository, click the specific vulnerability you wish to remediate.
In the CVE view, click the Open pull request button. You can see the vulnerable version(s) and the proposed change.
Click Confirm to execute the changes.

If a pull-request is made, creating a new branch, this branch can be viewed in the web tool. If the pull-request is rejected and the branch is deleted, the branch can still be viewed in the UX. This is the case even after a re-scan of the repo, since the branch is still in the database. This data will be pruned only after 30 days.

Solve vulnerabilities using Pull Requests (PR) via API

Learn how to use Pull Requests (PR) via the API.

Assume there is a repository with huge number of vulnerabilities. It will take time to go through each one of them and potentially fix them. Debricked offers the ability to open a pull request where it tries to solve many vulnerabilities at once.

Endpoints

/api/{version}/open/repository/{repositoryId}/pull-request/branch/{branchId}/{notify}/{includeUnaffected}

/api/{version}/open/repository/{repositoryId}/get-branches

Debricked can generate a new bulk pull request for the repository, with ID 15707 in this case (shown in the URL). The branch ID is found using the get-branches endpoint.

Example:

First, Debricked gets the branch ID

curl -X 'GET' \  'https://debricked.com/api/1.0/open/repository/15707/get-branches' \  -H 'accept: */*' \  -H 'Authorization: Bearer <token>

then, a new pull request is created on branch ID 2, enabling notification, not including unaffected dependencies in the PR.

curl -X 'GET' \  'https://debricked.com/api/1.0/open/repository/15707/pull-request/branch/2/1/0' \  -H 'accept: */*' \  -H 'Authorization: Bearer <token>

Snooze or pause a review status

Learn how to snooze or pause a vulnerability you’ve been notified about.

You can flag a vulnerability as snoozed for a set amount of time. By doing so, the specific vulnerability will not be triggered in any automation rules for the specific repository. After the chosen snooze duration expires, your automation rules will again take the before snoozed vulnerability into account and respective actions will be triggered again.

This could result in unnoticed security issues because the vulnerability will not show up in your existing automations. Therefore, use this feature only if you need to and are aware of the consequences.

Snooze a vulnerability for a set amount of time

To snooze a vulnerability:

Go to the vulnerability page.
Click Pause rule triggering in the Action section.

Select Snooze for a set time period in the newly opened dialog and select your desired snooze period.

Click Save to confirm your selection and snooze the automation rules for the vulnerability.

You can see the activated snooze being shown as review status under Action. Snoozing the vulnerability is also reflected in the Activity section at the bottom of the page.

Note: Setting the vulnerability to "snoozed" is only available on a per-repository basis. If you want to snooze the same vulnerability for another repository, you should repeat the same steps for that one.

Though any user is able to choose "snoozed" as review status by default, as an admin, you can disable this feature for all users in your company.

Manually remove a snooze from a vulnerability

You can manually stop snoozing a vulnerability at any time before it resumes automatically:

Go to the vulnerability you want to resume.
Click Snoozed for (time) and confirm that you want to stop snoozing the vulnerability in the displayed dialog. Note that this will enable automation rules to be triggered for this vulnerability again.

Pause review status

You can flag a vulnerability as paused in a specific repository. The vulnerability will stay paused until a fix is found, if applied, resolves the vulnerability in your repository. In that case, the paused status will be removed automatically, and the vulnerability resumes to being unexamined.

Keep in mind that the pause could potentially be indefinite when a fix is never found. It is recommended to choose a maximum pause time when setting this review status. If the pause duration expires before the fix is found, your automation rules will resume taking the vulnerability into account. This is similarl to how snoozing a vulnerability works.

Pause a vulnerability until a fix is available

To pause a vulnerability until a fix is available:

Go to the desired repository and vulnerability to pause.
Select Pause rule triggering in the Action section.
Select Pause until a fix is available in the opening dialog and choose an appropriate max pause time.
Click Save to confirm your selection and pause automation rules for the vulnerability.

You can see the activated pause being shown as review status under Action. Pausing the vulnerability is also reflected in the Activity section at the bottom of the page.

Note that setting the vulnerability to "paused until a fix" is available does so only for the specific repository. If you want to pause the same vulnerability for another repository, you will have to repeat the same steps for that one.

Manually remove a pause until a fix is available from a vulnerability

You can manually stop pausing a vulnerability at any time before a fix is found or the max pause time has expired.

To manually remove a pause:

Go to the vulnerability you want to resume.
Click Paused until fix and confirm that you want to stop pausing the vulnerability in the displayed dialog. Be aware that this will enable automation rules to be triggered for this vulnerability again.

Reachability Analysis

Here's everything you need to know about Debricked’s Reachability Analysis.

Debricked currently supports the Reachability Analysis feature for Java and Go.

Debricked's Reachability Analysis helps you automatically determine if a vulnerability in a library affects your project. It analyzes which parts of the library are vulnerable and checks if your code uses those parts. To do this, Debricked needs to understand how your open source dependencies are used. This information is collected by using Debricked's CLI tool to generate a call graph for your project. For instructions on creating the required call graph, see how to Set up Reachability Analysis for Java.

How does Debricked know the vulnerable parts of libraries?

Debricked identifies vulnerable parts of libraries through the following steps:

Fetch the relevant versions: Retrieve the latest vulnerable version and the first fixed version from Debricked's database.
Pinpoint the smallest change: Use information from various sources to narrow down to two specific versions — one that is vulnerable and one that is fixed. These versions can be released versions, Git tags, Git commits, or similar.
Analyze code differences: Download the code for these two versions, identify the changes between them, and translate these changes into functions, classes, and other code symbols. Store this information in Debricked's database.
Identify vulnerable symbols: This process reveals which parts of the library are affected by a given vulnerability. These affected parts are known as vulnerable symbols for that vulnerability.

Am I using vulnerable parts?

To perform the analysis, Debricked needs to know which parts of a library are vulnerable and whether your code uses those parts. This is determined by generating a call graph for your program and its libraries. The call graph is then uploaded along with your dependency files and scanned for the vulnerable symbols identified in the previous step.

If vulnerable symbols are found: This indicates that your code uses the parts of the library affected by the vulnerability, meaning your project is likely at risk.
If vulnerable symbols are not found: This suggests that your code probably does not use the vulnerable parts and is less likely to be affected.

Important: Call graphs do not have perfect recall or accuracy. They might include calls that cannot actually occur or miss calls that can. Therefore, even if Debricked reports that you are not using the vulnerable function, you should still upgrade the dependency—though it might not need to be your highest priority.

Examples

For projects using Netty versions between 4.1.0 and 4.1.43, Debricked's public vulnerability database identifies the following vulnerabilities:

CVE-2019-20444
CVE-2019-20445
CVE-2020-11612

However, not all of these vulnerabilities may affect your project:

CVE-2019-20444 and CVE-2019-20445 impact the web server component of Netty.
CVE-2020-11612 affects decompression functionality.

If your project does not use Netty for decompression, CVE-2020-11612 will not pose a risk. In this case, upgrading to version 4.1.44 instead of 4.1.46 might be sufficient. Similarly, if your project does not use the web server part of Netty, an upgrade might not be necessary at all, saving significant time and resources. However, it is still recommended to upgrade to a safe version, even if the priority may be lower when vulnerable symbols are not in use. Normally, determining this would require manual investigation, involving a deep understanding of both your project and Netty, as well as reviewing CVE specifications to find which parts of Netty are affected. With Debricked's Reachability Analysis, this process is fully automated.

Different statuses of Debricked Reachability Analysis

In the tool, a vulnerability can have one of the following Reachability Analysis statuses:

Found: The vulnerable functionality was detected as reachable through your code.
Not Found: The vulnerable functionality was not detected as reachable through your code.

Note: As mentioned earlier, call graphs do not have perfect recall or accuracy. It is still recommended to upgrade the dependency eventually, even if this status is shown.

Missing data: There is not enough information available to determine if the vulnerable functionality is reachable.
Unknown: The analysis was not run for this commit and vulnerability.

Set up Reachability Analysis for Go

Learn how to set up Reachability Analysis for Go.

Reachability Analysis is supported for all Go projects. You need the compiled code and the libraries used by your Go project to enable Reachability Analysis.

You need to generate a call graph to enable Reachability Analysis for Go. To generate a call graph, add the Debricked CLI callgraph command to your integration before running a Debricked scan. To find out more about the command and the various available flags, run:

debricked callgraph -h

The success of CLI call graph generation depends on the complexity of the application being analyzed. If an application contains a language feature that is not supported by the algorithm, the callgraph command fails and you cannot set up Reachability Analysis for that application.

When successful, the callgraph command generates a debricked-call-graph file. This file is automatically sent to Debricked with the dependency files for analysis, when running the debricked scan command.

Set up call graph generation in your pipeline

For many projects, running the callgraph command with the default configuration might be enough to run the preparation steps. In this case, before running the debricked scan, to add the command to run debricked callgraph in your configuration to ensure that the scan has access to the generated call graph file.

For GitHub Action integrations, Debricked must also add Actions setup that can be found in the GitHub Actions repository.

Example: Building the project during the callgraph command

In this example, the callgraph command is run with default configuration to build the project and prepare the necessary files automatically before generating the call graph.

# GitLab CI/CD template

image: debricked/cli:2-resolution-debian

stages:
  - scan
debricked:
  stage: scan
  script:
    - debricked callgraph
    - debricked scan

Set up Reachability Analysis for Java

Learn how to set up Reachability Analysis for Java.

Reachability Analysis is supported for all Java projects using Maven. To produce a callgraph, Debricked requires the compiled code for your project and access to the libraries it uses. By default, the command will attempt to do all the preparation work for the command to be successful. The success of the preparation depends on the specific project structure and configurations. In the event of failure, it is possible to configure the command not to run the preparation steps using the --no-build flag, and instead set it up separately before running the command.

Set up call graph generation in your pipeline

If the build step of the callgraph command fails, or if you are already building the project in a previous stage of the pipeline, it’s highly recommended to build the project separately before running the callgraph command with the —no-build flag. Just make sure that the files resulting from the build are included in the stage where call graph generation is run.

The examples below use a Debricked CLI docker image to ensure that there is a compatible maven version included for the commands to succeed. Debricked recommendation is that you incorporate the scan and callgraph commands in your build image/steps whenever possible, to ensure that versions of the underlying tools correlate with your environment.

Example: Building the project during the callgraph command

In this example, the callgraph command is run with its default configuration, which builds the project and prepares the necessary files automatically before generating the call graph.

Example: Using a separate build step

The example below is using maven to build the project and generate the files needed for call graph generation. The generated files must be reachable in the stage where the callgraph command is run, so that it has all pre-requisites to be run successfully.

Common issues

Multiple issues can occur when trying to generate the callgraph which prohibits success. Some common issues are:

Unsupported Java version. If your project requires a Java version older than 11, Debricked may not be able to produce a callgraph. Debricked may also not be able to generate a callgraph if your project uses new lanugage features from a version above 21.
Unsupported language features. Some advanced language features can make callgraph generation impossible for the tool that is used to generate the callgraphs.

# GitLab CI/CD template

image: debricked/cli:2-resolution-debian

stages:
    - build_project
    - scan

scan_preparation:
  stage: build_project

  script:
    # Build project based on the root pom.xml. If no root pom.xml is found, all pom.xml files will be built individually.
    - mvn package -q -DskipTests -e

  # Save class files from the target/ folder for use in the next stage.
  artifacts:
    expire_in: 1 day
    paths:
      - target/

debricked-scan:
  stage: scan

  script:
    - debricked callgraph --no-build
    - debricked scan

Licence families

Understand how Debricked defines different open-source license families.

At Debricked, we group licenses into different license families, applicable to different use cases. They are shown in one of the columns in the License view and can be used in your customized automation rules. Here’s how we categorize them:

Adaptive

The Adaptive Public License, or APL (APL-1.0), is a weak copyleft that is adaptable. The project owner may set up license conditions by choosing specific options from a template. Such options include patent rights, limited attribution, and to what extent changes need to be documented.

Non-copyleft

Software with a non-copyleft license is permitted to be included in products that are distributed under another license, including proprietary ones. Common non-copyleft licenses include BSD Licenses such as BSD 2-Clause "Simplified" License (BSD-2-Clause), and MIT License (MIT).

Non-free

A non-free license, or proprietary license, allows the owner to restrict the use, modification, and redistribution of the software.

Permissive

A permissive software license, also known as BSD-style license, is a "free software" license that, compared to copyleft, only has minimal restrictions on how to use, modify and redistribute the software. The best-known permissive licenses are BSD Licenses, Apache Licenses, such as Apache License 2.0 (Apache-2.0), and MIT License.

Strong copyleft

In the family of strong copyleft licenses, regulations can be imposed on all derived works, meaning that the original creator of the works has the most rights. One of the best-known strong copyleft licenses is the GNU General Public Licenses, such as GNU General Public License v3.0 only (GPL-3.0-only). Strong copyleft licenses are also applicable to art, music, sports, photography, and video.

Weak copyleft

Weak copyleft licenses refer to licenses where not all derived work inherits the copyleft license. Instead, it depends on how the work was derived. Weak copyleft licenses are mostly used for software libraries by allowing links to other libraries. Known examples of these are the Mozilla Public License 2.0 (MPL-2.0), and GNU Lesser General Public License v3.0 only (LGPL-3.0-only). The best-known products with weak copyright are Mozilla and OpenOffice.org.

Public domain

Software placed in the public domain is free from all obligations. That is, there is no copyright, trademark, or patent. The software may be distributed, modified, or sold without any attribution.

License risk management

Master the art of managing open source licenses with Debricked.

When working with open source, it is crucial to ensure and maintain open-source compliance, also from a commercial perspective. To help with that, Debricked provides you with a comprehensive overview of all licenses in the repositories you have integrated with us. You can find that information in different areas of the tool.

View all licenses

To view licenses, click License tab on the left side menu. Here, you can view the list of all your licenses in alphabetical order. The screen displays the following information:

Name: The name of license.
License Risk - The grade of potential compliance risks involved with the specific license, assessed based on the use case chosen for the repository.
Dependencies - The number of dependencies affected by the license.
License family - The family to which the license belongs.

View all repositories affected by license

To view all repositories affected by license, follow these steps:

Click License tab on the left side menu. Here, you can view the with a list of all your licenses in alphabetical order.
Click a specific license to view all repositories with that specific license. Here, you can also view the risk associated with the license within all affected repositories, as well as how many dependencies per repository are affected.
After you click a specific repository, the above-mentioned information can also be found in the Licences tab.

License review or override

This feature is only available for Enterprise users.

As a Repository or Company Admin (Enterprise), you can review and manually override the license found by Debricked on a dependency level.

To do so:

From a repository page, go to the License tab. Here you can view the list of all licenses detected in the repository.

Click Review. Here, you can find a list of all licenses detected and can override the data.

Depending on your needs, you can:

Delete the license by clicking the trashcan icon.
Change the detected license, by clicking Change license and selecting a new one from the dropdown menu
Add license(s) by clicking the + button for multi-licensing.

Set up a use case using API

Learn how to set up a use case for your repositories using the API.

The first time you visit the License view; you willl notice that the value in the risk column is set to Unknown for all licenses. This is because you have not yet configured any use cases for your repositories. You can select a use case through the API using the endpoint:

/api/{version}/open/repository-settings/repositories/{repositoryId}/select-use-case

To do so, send a JSON containing a choice of the use case, for example:

"useCase": 2

Here, the useCase can be one of the following integers:

0/null - Unknown
1 - Non-distributed internal
2 - Non-distributed public
3 - Distributed generic
4 - Distributed electronics

Here’s an example showing you how to set the use case to “Non-distributed public” for a repository with ID = 1337:

curl -X 'POST' \  'https://debricked.com/api/1.0/open/repository-settings/repositories/1337/select-use-case' \  -H 'accept: */*' \  -H 'Authorization: Bearer <token> \  -H 'Content-Type: application/json' \  -d '{ "useCase": 2 }'

Proxy non-standard license identifiers

Learn how Debricked deals with non-standard and deprecated licenses.

To ensure license compliance, we proxy non-standard license identifiers and references to SPDX identifiers and map deprecated license identifiers as accurately as possible. Below is a list of common deprecated licenses and how we proxy them:

Full Name

Deprecated License

Proxy to

GNU General Public License v1.0 only

GPL-1.0

GPL-1.0-only

GNU General Public License v1.0 or later

GPL-1.0+

GPL-1.0-or-later

GNU General Public License v2.0 only

GPL-2.0

GPL-2.0-only

GNU General Public License v2.0 or later

GPL-2.0+ GPL 2.0+ GPL 2.0 GPL 2.0 or later GPL2 GPL2+ GPL2.0 GPL v2.0 License GPL v2.0 license. GPL version 2+ GPL+2 GPL2 License GPL2 or later GPL2.0 GPL2.0 License GPL2.0+ GPLv2 gplv2 GPL GNU v2 GPL General Public Licence v2 and later GPL (optional either v2 or any later version) GPL Lv2

GPL-2.0-or-later

GNU General Public License v3.0 only

GPL-3.0 GPL-3-0-only GPL-3.0-only” GPL-3.0 (only)

GPL-3.0-only

GNU General Public License v3.0 or later

GPL-3.0+ GPL 3.0 GPL 3.0 or later GPL-3-0-or-later GPLv03 GPL (ver 3) GPL-30 GPL-30.0 License GPL3 GPL3+ GPLv3.0 GPLv 3.0 GPLv-3 GPLv.3 GPLv03 gpl_V3 gpl v3 GPL GNUv3 GPL GNU-3.0 GPL GNU v3 GPL GNU 3.0 GPL Lv.3 GPL Lv3 GPL3v3 GPLb3+ GPLv3A

GPL-3.0-or-later

GNU Library General Public License v2 only

LGPL-2.0

LGPL-2.0-only

GNU Library General Public License v2 or later

LGPL-2.0+ LGPL 2.0 LGPL 2.0 license LGPL V.2 LGPL Version 2.0

LGPL-2.0-or-later

GNU Lesser General Public License v2.1 only

LGPL-2.1

LGPL-2.1-only

GNU Lesser General Public License v2.1 or later

LGPL-2.1+ LGPL 2.1 or later LGPL, version 2.1 LGPL v 2.1 LGPL v. 2.1 LGPL v 2.1+ LGPL ver 2.1 LGPL version 2.1 LGPL version 2.1 or later LGPL version 2.1, or (at your option) any later version

LGPL-2.1-or-later

GNU Lesser General Public License v3.0 only

LGPL-3.0

LGPL-3.0-only

GNU Lesser General Public License v3.0 or later

LGPL-3.0+ LGPL v3+ LGPL 3.0 or later LGPL Licence Version 3 LGPL-v3+ LGPLv3a

LGPL-3.0-or-later

If you have any further questions or need additional assistance, please refer to the SPDX documentation or contact us.

Popularity

See how we define the Popularity metric in Project Health.

The popularity of a repository is another crucial indicator of the health of a project. It signifies interest from both developers and users alike, pointing towards viability and continued development. Between each layer, there are weights that determine the impact of any given feature on a practice, and of any given practice on the metric. You can find the data model illustrated below:

Usage

This practice describes the usage of a repository among open-source users. The following features of Usage are measured:

Total Downloads - The total number of times a repository has been downloaded through its respective package manager.
Total Forks - The total number of times a repository has been forked.

Developer popularity

This practice describes how popular the repository is among the developers. More popular repositories attract more and more skilled developers to contribute.

The following features of Developer Popularity are measured:

Total Stargazers - The total number the repository has been “starred” in GitHub.
Total Watchers - The total number of users watching this repository in GitHub. Watchers are notified about activity on the chosen repository.
Contributor Influence - How much attention the contributors attract to the repository.
Contributor Trend - The change in contributors, averaged over 10 weeks.

Community activity

This practice describes how active the community of a repository is. In this case, “community” entails both contributors and users. The activity is measured with features that analyze the current volume of commits, issues, and pull requests, as well as the trend of said volume.

The following features of Community Activity are measured:

Recent Commits - How many new commits have been made to the master branch within the last 10 weeks.
Commits Trend - The linear change in commits per week for the past 21 weeks (whether it is increasing or decreasing).
Recent Issues - How many new issues have been posted within the last 10 weeks.
Issues Trend - The linear change in posted issues per week for the past 21 weeks (whether it is increasing or decreasing).
Recent Pull Requests - How many new pull requests have been made within the last 10 weeks.
Pull Requests Trend - The linear change in pull requests per week for the past 21 weeks (whether it is increasing or decreasing).
Recently Closed Issues - How many issues have been closed within the past 10 weeks.
Closed Issues Trend - The linear change in closed issues per week for the past 21 weeks (whether it is increasing or decreasing).

Ecosystem buzz

This practice describes the buzz of a particular open-source project in different parts of the ecosystem. A higher buzz implies better support from platforms such as StackOverflow.

The following feature of Ecosystem Buzz is measured:

Total Discussions on Stackoverflow - The total number of search hits a repository/package has on Stackoverflow.

Security

See how we define the Security metric in Project Health.

The security of a repository is crucial in many aspects of open source, as the security of a project determines the security of your product. This metric measures both indicators of vulnerability entry risk, and past vulnerability response performance. Between each layer, there are weights that determine the impact of any given feature on a practice, and of any given practice on the metric. You can find the data model illustrated below:

Vulnerability response

This practice describes how fast vulnerabilities are being handled in a repository. A high score means that maintainers and contributors solve vulnerability risks in a timely manner.

The following features of Vulnerability Response are measured:

Vulnerability Disclosure to Patch - The median number of days it takes for a vulnerability disclosed by a CNA to be patched from its disclosure. This can be inverted if the patch was released before the disclosure date.
Vulnerability Entry to Disclosure - The number of days it takes for a vulnerability disclosed by a CNA to be discovered from when the vulnerable code was committed.
Security Activity over Time - The security activity in a project per month for the past year (whether it is a stable activity or comes in bursts).
Dead Issue Rate - The rate of stale or dead issues, defined as having been open for 52 weeks without being closed.
Maintainer Responsiveness - Indicates whether maintainers (contributors with merge rights) are responding to issues in the project. If they’re not responding to any recent issues, it may indicate that the project is going “stale”.

Vulnerability risk

This practice looks into the nature of reported vulnerabilities in the project. The following features of Vulnerability Risk are measured:

Commits per Vulnerability - How frequently vulnerabilities are reported in relation to the project's size in commits. A higher number means vulnerabilities are less frequent.
Vulnerability Severity - How serious the reported vulnerabilities are.
CWE Diversity - The types of vulnerabilities being reported. Multiple vulnerabilities of the same type may indicate that the project's contributors are not learning from previous mistakes.

Coding best practices

This practice describes how well the project contributors adhere to best practices that boost code quality, which correlates with the risk of exposure to vulnerabilities.

The following features of Coding Best Practices are measured:

Review Comments per Pull-request - The average number of review comments a pull request has, indicating how much feedback is provided by the reviewers.
Reviewers per Pull-request - The average number of reviewers per pull request before merge.
Pull-request Size - The average pull request size, measured in lines of code changed in the pull requests submitted during the past 52 weeks.
Seniority of Reviewers - How experienced the reviewers of pull requests are. Seniority is calculated as the average number of pull requests that a reviewer has on GitHub.

Bug reporting

This practice describes the rate of bug reports in the project. The following features of Bug Reporting are measured:

Issue Bug Saturation - The percentage of issues that are bug reports.
Commits per Bug - The frequency of bug issues per commit made.

Contributors

See how we define the Contributors metric in Project Health.

Open-Source projects are affected by contributors. Theyhave the power to make a project thrive or die. When deciding what open source project to bring into your software, it is important to inspect and analyze its contributors.

Between each layer, there are weights that determine the impact of any given feature on a practice, and of any given practice on the metric. You can find the data model illustrated below:

Contributor experience

This practice describes the contributor's experience in a specific repository. Experienced contributors tend to write more efficient, more secure, and usable code, and are therefore preferred.

The following features of Contributor Experience are measured:

Contributor Influence - How much attention the contributors attract to the repository.
External Pull Requests Merged per Developer - The average number of pull requests merged in other projects.

Contributor efficiency

This practice describes the contributor efficiency in a specific repository. It is measured by looking at the rate at which the contributors code, merge pull requests, and close issues.

The following features of Contributor Efficiency are measured:

Closed Issues per Developer - The average number of issues closed per developer in the past 52 weeks.
Pull Requests Merged per Developer -The average number of pull requests merged per developer in the past 52 weeks.
Developer Velocity - The average coding speed of the developers. It is calculated as lines of code merged/closed per week, averaged over the past 10 weeks.

Contributor diversity

This practice describes the diversity in the contributing community for a specific repository. It is measured by looking at the rate of new contributors, the rate of contribution per contributor, the total number of contributors, and the contributor trend.

The following features of Contributor Diversity are measured:

Total Contributors - The total number of contributors.
Contributor Trend - The change in contributors, averaged over 10 weeks.
New Contributors - How many new contributors (with their first merged pull request within the past year) a repository has.
Developers per Commit - How many developers there are per commit.
Contribution Skew - The contribution skewness in terms of how many pull requests were contributed by one-time contributors, or a few very active contributors. The raw score is non-linear and varies between 0.5 and 1.0, where values > 0.8 mean contributions are distributed on many contributors, and scores < 0.6 mean that very few contributors developed most of the project.

Contributor activity

This practice describes how active the contributors of a repository are. It is measured with features that analyze the current volume of commits, closed issues, pull requests, and the trend of said volume.

The following features of Contributor Activity are measured:

Recent Commits - How many new commits have been made to the master branch within the last 10 weeks.
Commits Trend - The linear change in commits per week for the past 21 weeks (whether it is increasing or decreasing).
Recent Pull Requests - How many new pull requests have been made within the last 10 weeks.
Pull Requests Trend - The linear change in pull requests per week for the past 21 weeks (whether it is increasing or decreasing).
Recently Closed Issues -How many issues have been closed within the past 10 weeks.
Closed Issues Trend - The linear change in closed issues per week for the past 21 weeks (whether it is increasing or decreasing).

Core team commitment

This practice describes how committed the core team is to the project. The following features of Core Team Commitment are measured:

Recent Core Team Commits - How many new commits the core team has contributed to the master branch within the past 10 weeks.
Core Team Commits Trend - The linear trend of the number of commits the core team has made to the master branch in the last 21 weeks.
Core Team Issue Closing - How many issues the core team has closed in the past 10 weeks.
Recent Merges - How many pull requests have been merged in the past 10 weeks.
Merges Trend - The linear change in merged pull requests per week for the past 21 weeks, that is, whether it is increasing or decreasing.
Company Involvement - The highest ratio of commits from the same company in the past period of 21 weeks.

Contributor longevity

This practice describes the longevity of the contributors. If the developers are contributing long-term, then it might be a sign that the project has been proven valuable.

The following features of Contributor Longevity are measured:

Developer Lifetime - The average time a developer contributes regularly to the repository.
Loyal Developer Commits - The number of commits made by long-term (loyal) developers.

Search projects

Learn how to search for an open source project using Debricked’s Open Source Select.

How do i search?

With Open Source Select, you can search for packages, projects or functionalities and get all relevant information presented in one place. You can further refine your search using filters.

When searching, use a few good keywords describing what you're looking for. For example, try searching for “frontend graphs” if you're looking for a project to help you create nice-looking visualizations, or search for “message broker” if you're looking for data streaming projects.

Search on project names

Enter the name of the project you wish to know more about and hit enter. A list of projects matching the search string fully or partially will be shown.

Search on project functionality

As a developer you often know the problem you want to solve, but not necessarily all projects that exist to address that problem. Searching for the functionality that you're after helps you discover these projects.

Search for repositories

Open Source Select isn't limited to packages, it is also possible to search for repositories using the repository_owner/repository_name format. Keep in mind that the results from this query can be both dependencies that are repository-only, and dependencies that have a package and hold their code in the searched repository.

Search using pURL standard

It is also possible to search for dependencies using the common pURL format:

The type section of the pURL corresponds to the package manager used by the dependency or the version control system used (in case of repository-only dependencies).

The namespace is used mainly for repository-only dependencies, corresponding to the repository owner.

The name section corresponds to the package or repository’s name.

The pURL standard is also supported directly in the url: https://debricked.com/en/select/package/{purl}

Here are some examples of pURL searches and their corresponding results:

pkg:pypi/tensorflow → Tensorflow

pkg:npm/react → React

pkg:github/debricked/debricked-cli → Debricked-cli

Refine your search using filters

The most powerful way to search the Select database is by combining project name or project functionality searches with filters narrowing down the results to your preferences.

You can filter by:

programming language
package manager
excluded licenses

Choose open source components with Debricked's open source select and start left - video guide

Create an automation rule

Learn how to create an automation rule for your repositories.

Go to Automations on the left side menu (You can also access automations for a specific repository by clicking the Automate button on the top right corner).
Click the +New button, then +New rule.
Select the repository(s) you want the rule to be applied to.
Build your if-statement:
1. Choose criteria for the rule to trigger. For example, CVSS is at least high (7.0-8.9). Click AND or OR to add a new criterion. You can select multiple criteria connected by the operators. See below for more information.
2. Choose an action to be executed when the condition is true. For example, fail pipeline. See below for more information.
If you do not want the rule to apply for vulnerabilities that have been marked as unaffected by you or someone on your team, leave the pre-filled checkbox in the bottom right checked.
Click Generate rule and review any warnings (if applicable). Make sure that the statement corresponds to what you were looking to achieve with your rule.
Click Save.

Rule conditions

Rules can incorporate multiple OR and AND operators. When working with multiple criteria and operators, the following precedents are applied:

AND conditions inherit previous IF or OR conditions
OR conditions do not inherit the previous IF or OR condition

Rule actions

You can select one of the following actions to be performed once a rule is triggered:

Fail pipeline - If the rule conditions are met, your pipeline fails.
Pipeline warning:
- GitHub - If the rule conditions are met, your pipeline passes, the pipeline check is set to neutral, and a warning is printed.
- GitLab, Bitbucket and Azure DevOps - If the rule conditions are met, your pipeline passes, and a warning is printed.
Notification by email - If the rule conditions are met, you receive an email notification.
Notify user groups by email - If the rule conditions are met, all users in a chosen user group receive an email notification.
Mark as unaffected - If the rule conditions are met, the affected vulnerabilities are marked as unaffected.
Flag as vulnerable - If the rule conditions are met, the affected vulnerabilities are marked as vulnerable.
Trigger webhook - If the rule conditions are met, a webhook is sent.

Missing CVSS score

Rules that use the CVSS score as one of the conditions, might not trigger for vulnerabilities that lack a CVSS score. This does not mean that the vulnerability is not severe, but that the data source lacked the CVSS score information. To account for this, you can add the statement:

OR CVSS is missing

Keep in mind that adding the OR statement does not take previous IF or AND statements into consideration.

Production dependencies

This option is currently supported for Javascript (Yarn, NPM), Nuget, Java (Maven, Gradle), PHP (Composer), Python (requirements.txt), and Go.

You can make your policies or automations only trigger if the related dependency is used in production, to reduce the number of false positives or very low-risk triggers. To set this up, simply add another condition to the rules you want triggered only for non-dev dependencies:

Automation rule examples

Prevent new dependencies with vulnerabilities
Imagine you have a developer branch called dev where you add new exciting features. Being security-aware, you want to fail the pipeline if a new commit introduces a new vulnerability with a severity of high or more. You also want to be notified of this incident.
Prevent unknown license families and GPL
In this scenario, Debricked fails the pipelines if there are dependencies with either an unknown license family, or if the dependencies have any of the GPL-2.0 and AGPL-3.0 licenses. Debricked also notifies all the administrators for the company account.

Default automation rules

Find default automation rules already in place and learn how to customize or remove them.

To make things easier for you, Debricked has created a set of default rules that are activated on your first scan and applicable to all of your repositories. As an administrator, you are also able to disable existing default rules and can assign new rules to be added to integrated repositories by default.

Keep in mind that once a rule is marked as default, it will be enabled for new repositories, even if it was disabled for existing repositories.

Set a rule as a default rule

Go to Automation on the left side menu. Here, you can create new automation rules, as well as edit the existing rules
Click Default rule.
In the confirmation modal, select whether the rule should be activated for only newly integrated repositories or existing repositories as well.
Click Confirm. From now on, only newly integrated repositories will be affected by your default rule.

This can also be done when creating or editing an automation rule:

Click New+ to create a rule OR Edit rule in an existing rule.
Tick the Default rule checkbox.
Click Save. From now on, newly integrated repositories will be affected by your default rule.

Remove a rule as a default rule

Go to Automation on the left side menu. Here, you can create new automation rules, as well as edit the existing rules.
Click Default rule.
On the confirmation modal, click Go ahead. From now on, newly integrated repositories will no longer be affected by your default rule.

Disable default automation rules using API

You can disable these rules through our API to create your own custom policy.

The default rules can be accessed through the endpoint:

api/1.0/open/admin/user/default-rules-enabled

You can check the current status of your default rules:

curl -X 'GET' \  'https://debricked.com/api/1.0/open/admin/user/default-rules-enabled' \  -H 'accept: */*' \  -H 'Authorization: Bearer <token>'

The response will show you “true” if the default rules are enabled and “false” if they are disabled, e.g.:

{    "defaultRulesEnabled": true}

You can change the current status using “enabled”:true and “enabled”:false. Here’s an example of how to disable it:

curl -X 'PATCH' \  'https://debricked.com/api/1.0/open/admin/user/default-rules-enabled' \  -H 'accept: */*' \  -H 'Authorization: Bearer <token>' \  -H 'Content-Type: application/json' \  -d '{  "enabled": false}'

Once you disable the default rules using the API, the automation rules will not trigger when a new repository is added to your account. Remember to set up your own rules to optimize your use of Debricked tool.

Set up webhooks

Learn how to set up and configure a webhook.

In order to send a webhook request when an automation rule is triggered, add a "trigger webhook" action to the rule and enter the URL for the webhook in the URL field. When the rule is triggered, a POST request will be sent to the given URL with JSON-encoded data about the event.

The JSON will contain the following keys:

Each element of triggeredFor will contain the following keys:

Send a sample request

A sample webhook request can be sent to the specified URL by clicking Send sample request. The triggeredFor array will be populated using up to three vulnerabilities that were found the last time this repository was scanned. Note that these vulnerabilities may not necessarily fulfill the conditions specified in the rule.

Verification secret

To ensure that a webhook request was sent by Debricked, a key can be specified in the verification secret field. When a verification secret is specified, webhook requests made by this rule will include the header X-Debricked-Signature, containing an SHA256-HMAC signature generated using the webhook payload and the verification secret.

Set up a webhook with slack through Zapier

You can use the automation engine to send notifications to Slack, with the help of middleware, e.g. Zapier. Keep in mind that this is currently only possible using the premium version of Zapier.

To create a webhook URL:

Click +Create Zap.
Search for and select Webhooks by Zapier.
Go to the Event drop-down, select Catch Hook and click Continue.
Copy the Webhook URLI.
Click Continue and then Test trigger.
Once you have the URL, open the Debricked tool and go to Automations on the left-side menu.
You can either create a new rule or edit an existing one in the Then statement. Once done, add the trigger webhook action.
Paste the Webhook URL copied from Zapier into the field.
If needed, click Send sample request to test if everything works correctly.
Click Generate rule and Save.

Set up notifications in slack using webhook

To manage your notifications in Slack:

Click Action and select Slack.
Go to the Event drop-down and select the desired action. For example, Send Channel Message.
Click Choose account and follow the instructions on the page to connect your Slack account to Zapier.
Click Set up action and select the data that you want to send.
Click Message text and select the information to be included in the message.
Click Test action.
Click Publish Zap.

Now you are ready to receive Slack notifications from Debricked!

Overview

Explore the data and snapshots you can find on the Overview page in the tool.

Clicking Overview on the left side menu will take you to a dashboard allowing you to get a clear overview of all vulnerabilities found in your organization.

Filters

Repository or Branch

The data presented in the Overview can be filtered depending on your needs. The repository picker enables you to select either a specific repository/branch or all your repositories altogether. When an individual repository is selected a specific branch selector shows up to further narrow down your data. The All repositories view shows data from the sum of the default branches present in all repositories.

Due to limitations, it is not always possible to identify the default branch except for GitLab users. For other users, the default branch can be identified if the branch name is either master or main. An effort is still made to identify your default branch correctly. This effort consists of looking for the branch with the most activity as it is assumed that, at least over time, this is the most interesting branch to look at.

Time period

The Debricked API allows you to see data for any given interval. Keep in mind that for the period prior to the first snapshot, the data will be padded with 0 values. Since the snapshots older than a month are pruned, the intervals beginning over 30 days ago must have a two-week range.

Vulnerability graph

The main dashboard presents your organization’s historical data in the form of a graph. This view visualizes the total amount of vulnerabilities in selected repositories, grouped by severity. You can adjust the graph according to your needs, by changing the values in the repository/branch and time period pickers.

License risk widget

The bottom widget presents your current licence compliance risks, grouped by risk levels: critical, high, medium, low, and unknown. Keep in mind that this widget always shows you the current data, unaffected by the time period picker. You are still able to customize it by changing the selected repository/branch.

Fixed vulnerabilities widget

The left-side widget presents information about your recently fixed vulnerabilities, including:

The total amount of fixed vulnerabilities.
The number of vulnerabilities fixed over the time period selected with the picker.
A graph visualizing your fixed vulnerabilities over a time period.
A sorted list of fixed vulnerabilities, the vulnerabilities fixed most recently shown at the top. You can also find their severity and the date they were fixed on.
- Click the name of the vulnerability to view the Vulnerability page.
- Click the folder icon to open the repository where the vulnerability was found.
- Click View More to view the complete list of fixed vulnerabilities in the currently selected scope.

You can also:

Search the list of fixed vulnerabilities.
Customize this widget by selecting the repository or branch and time period, using the filters.

Snapshots

In order to accurately represent data in the overview, Debricked periodically saves snapshots of the state of users' repositories. These snapshots contain the number of unknown-, low-, high-, and critical-severity vulnerabilities in a given repository. This evaluation is based on CVSS scores, with CVSS3 always taking precedence over CVSS2. When a vulnerability does not have a CVSS score, it is assigned the unknown severity. The snapshots don’t record any other details about the vulnerabilities, only the quantity. They are created once per day and are updated upon each successful scan of a repository. Keep in mind that only snapshots coupled to the branch(es) being scanned will be updated.

Pruning

In order to limit the amount of data that has to be stored, Debricked periodically prunes the snapshots. All Sunday snapshots are saved indefinitely, but the snapshots taken on other days are only retained for one month. That results in the resolution of the dashboard graph being drastically reduced for data older than one month.

Monitoring

Learn how to monitor vulnerabilities in repositories that are not updated regularly.

Debricked automation policies normally trigger based on pipeline events, such as committing a code to a repository. When the source code is committed, a Debricked scan starts and automations run. However, in some cases, you might want to use automations to check the status of a repository even if you have not made any changes to it. For example, new vulnerabilities might be discovered for dependencies in repositories that are not updated regularly. Monitoring allows you to get timely warnings about issues in such repositories by automatically and periodically checking the rules regardless of pipeline events. It is possible to configure monitored automations to either result in webhooks or emails when triggered.

To enable monitoring for a new rule, follow these steps:

From a repository page, go to the Automations tab. On the Automations page, you can view the list of automation rules created.

On the Automations page, click New -> Add rule. The Add a new rule page is displayed.

On the Add a new rule page, select the valid vulnerability condition from the drop-down. The vulnerability condition must be either 'CVSS' or 'discovery date' or both.
Select the valid trigger events from the drop-down. The trigger events must be either 'notify by email', 'notify user groups by email' or 'trigger webhook'.
Click Enable monitoring check box to enable the monitoring for the rule.
Click Generate rule and review any warnings (if applicable).
Click Save.

To enable monitoring for an existing rule, follow these steps:

From a repository page, go to the Automations tab. On the Automations page, you can view the list of automation rules created.
Click the … (three dots) on the right-hand side of the rule.
Select Edit rule.

On the Edit rule page, select the valid vulnerability condition from the drop-down. The vulnerability condition must be either 'CVSS' or 'discovery date' or both.
Select the valid trigger events from the drop-down. The trigger events must be either 'notify by email', 'notify user groups by email' or 'trigger webhook'.
Click Enable monitoring check box to enable the monitoring for the rule.
Click Generate rule and review any warnings (if applicable).
Click Save.

SBOM export

Learn about SBOM export reports.

This feature is only available for SCA Enterprise users. Already have an account? Click here to upgrade.

What is SBOM?

A Software Bill of Materials (SBOM) is a record of the supply chain relationships between the components used when creating software. The record lists all components of a product, including all open source software, which can be helpful for both the developers and other stakeholders, such as investors and legal teams.

For more information on SBOM, see Debricked blogs.

There are a few data points included in the SBOM which are not included in the regular license export:

Proof of license - A reference to the source from where the license information is fetched. This field is applicable only for CycloneDX SBOM.
License text - The actual text that the license consists of. This field is applicable only for CycloneDX SBOM.
Copyright statement - Displays the person or organization who holds the copyright.
Open Source Select link - A link to the dependency page in Open Source Select, where you can find additional information on the specific open-source package.
Dependency relations - Contains information on each component and their direct dependencies. See the Dependency relations sections on the CycloneDX SBOM export and SPDX SBOM export pages for more details.
Root Fixes - This data can be found under Recommendation. It consists of information about the first version of the specific vulnerable dependency that is safe, as well as the first version of the root or direct dependency that does not contain a vulnerable version of the indirect dependency. See the section Root Fixes for more details. This field is applicable only for CycloneDX SBOM.

Keep in mind that license information may differ depending on the package and the specific version used.

Export a CycloneDX or SPDX SBOM using web tool

Keep in mind that this feature is only available for enterprise users.

In order to generate the CycloneDX or SPDX SBOM Export:

Click Generate export on the top right corner of the page.
Under Scope, select all repositories you wish to see the data for.
Select CycloneDX or SPDX under SBOM as the Export type.
Click Generate.
Check your email for the exported data, which will be sent to you in the .json format. If you cannot find the email in your inbox, check the SPAM folder.

Export a CycloneDX or SPDX SBOM using web tool - video guide

Export a CycloneDX or SPDX SBOM to email using API

If you have already integrated your repository with Debricked, you can generate a CycloneDX or SPDX SBOM by fetching your data through the API.

To use Debricked REST API, you should authenticate first.

Endpoint: /api/{1.0}/open/sbom/generate

Following is an example of a request using curl to generate an SPDX SBOM (to generate a CycloneDX SBOM use "format": "CycloneDX"):

curl -X 'POST' \
  'https://debricked.com/api/1.0/open/sbom/generate' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <token>' \
  -H 'Content-Type: application/json' \
  -d '{
  "format": "SPDX-2.3",
  "email": "user1@debricked.com",
  "repositoryIds": [
    1
  ],
  "vulnerabilities": true,
  "rootFixes": true,
  "licenses": true,
  "sendEmail": true
}'

You can send the following parameters in the body of the request: commitId, email, repositoryIds, branch, locale. You can choose to add license and vulnerability data, using licenses: true/false and vulnerabilities: true/false.

If you provide a commitId, the branch and repositoryIds will be ignored. If you leave the branch field empty, the report is generated for the identified default branch (most likely 'main' or 'master', if applicable) of the selected repository. It is also possible to create an SBOM for all repositories by not specifying any repositoryIds.

Once you send the request, you will receive your SBOM via email, which will be sent to you in the .json format. If you can’t find the email in your inbox, make sure to check the SPAM folder. If you do not provide an email address, the SBOM will be sent to the email of the user who created the request.

Export a CycloneDX or SPDX SBOM to email using API - video guide

Export a CycloneDX or SPDX SBOM directly from API

It is also possible to generate a CycloneDX or SPDX SBOM and download it directly through the API. As part of the response of the /api/1.0/open/sbom/generate endpoint, a reportUuid is sent, which can be used in the /api/1.0/open/sbom/download endpoint.

Following is an example response from the /api/1.0/open/sbom/generate endpoint:

{
  "message": "The report has started generating and can be downloaded through the 'download' endpoint once ready, by using the reportUuId stated below. Be aware that it might take some time before it's finished",
  "reportUuid": "<report_uuid>",
  "notes": [
    "Example note"
  ]
}

Following is an example request for the /api/1.0/open/sbom/download endpoint:

curl -X 'GET' \
  'https://debricked.com/api/1.0/open/sbom/download?reportUuid=<report_uuid>' \
  -H 'accept: */*' \
  -H 'Authorization: Bearer <token>'

If you do not want the report to also be sent to your email, it is possible to turn this off by setting the "sendEmail" value to "false" in the /api/1.0/open/sbom/generate endpoint.

Click the following link for an example on exporting CycloneDX SBOM:

CycloneDX SBOM file example

CycloneDX SBOM export

Learn how to create a CycloneDX SBOM Export.

This feature is only available for SCA Enterprise users. Already have an account? Click here to upgrade.

What is CycloneDX?

CycloneDX, developed by the Open Web Application Security Project (OWASP), is an open common standard for communicating SBOM information, a data format.

Dependency relations

In the dependencies array, you can find a reference number (ref) for each component and an array of each direct dependency of that dependency (depends_on). The roots of the relational trees will reference to the files in the project, together with the direct dependencies that it contains. By traversing the dependencies array, it is possible to build the entire dependency tree.

In example below, you can see the direct dependency `webpack:4.28.4` depending on `terser-webpack-plugin:1.2.1` which in turn depends on `terser:3.14.1`.


    "dependencies": [
    {
        "ref": "e771afadf654cc12c324a0dd716518dd",
        "depends_on": ["cpe:2.3::~:webpack:4.28.4:~:~:~:~:~:~:~"]
    },
    {
        "ref": "cpe:2.3::~:webpack:4.28.4:~:~:~:~:~:~:~",
        "depends_on": ["cpe:2.3::~:terser-webpack-plugin:1.2.1:~:~:~:~:~:~:~"]
    },
    {
        "ref": "cpe:2.3::~:terser-webpack-plugin:1.2.1:~:~:~:~:~:~:~",
        "depends_on": ["cpe:2.3::~:terser:3.14.1:~:~:~:~:~:~:~"]
    },
    {
        "ref": "cpe:2.3::~:terser:3.14.1:~:~:~:~:~:~:~",
        "depends_on": []
    }
    ]

Here is how this would be visualised in the user interface:

Root fixes

Under Recommendation, you can find information about the first version of the specific vulnerable dependency that is safe, as well as the first version of the root or direct dependency that does not contain a vulnerable version of the indirect dependency. See example below:

"recommendation": "Multiple components are affected by this vulnerability.
Component: pkg:npm/async@3.2.0
Safe version: 3.2.2.
Root fixes: Update root dependency pkg:npm/htmlhint@0.14.2 to 0.16.2.
---------
Component: pkg:npm/async@2.6.0
Safe version: 2.6.4.
Root fixes: Update root dependency pkg:npm/gelf-pro@1.2.2 to 1.3.4.",
      "created": "2022-04-06T17:15:00+00:00",
      "published": "2022-04-06T17:15:00+00:00",
      "updated": "2022-04-06T17:15:00+00:00",
      "affects": [
        {
          "ref": "pkg:npm/async@3.2.0"
        },
        {
          "ref": "pkg:npm/async@2.6.0"
        }
      ],
      "references": [
        {
          "id": "GHSA-fwr7-v2mv-hh25",
          "source": {
            "url": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25",
            "name": "GitHub"
          }
        }

SPDX SBOM export

Learn how to create a SPDX SBOM Export.

This feature is only available for SCA Enterprise users. Already have an account? Click here to upgrade.

What is SPDX?

SPDX is an open standard for communicating software bill of material information, including provenance, license, security, and other related information. SPDX reduces redundant work by providing common formats for organizations and communities to share important data, thereby streamlining and improving compliance, security, and dependability.

Unlike the CycloneDX SBOM, the SPDX SBOM does not contain vulnerability information.

Dependency relations

The relationships between components are presented in the relationships array. Debricked SPDX SBOMs support following two types of relationship objects:

DESCRIBES which is used for declaring each file and dependency component in the BOM.
DEPENDENCY_OF which denotes a direct relationship between two components.

In the objects describing the direct dependencies of a file, the 'relatedSpdxElement' will contain the reference of that file. Relationships between dependencies will instead reference the parent dependency. By traversing the dependencies array, it is possible to build the entire dependency tree.

In the example below, you can see direct dependency `webpack-4.28.4` referenced as a dependency of a file. Component `terser-webpack-plugin-1.2.1` is in turn referenced as a dependency of `webpack-4.28.4` and lastly, `terser-3.14.1` is a dependency of `terser-webpack-plugin-1.2.1`.

"relationships": [
    {
        "spdxElementId": "SPDXRef-DOCUMENT",
        "relatedSpdxElement": "SPDXRef-bda845e38ee2becb214eaa4c995d4951d755faceb38a4ef6e7092699592d7efe",
        "relationshipType": "DESCRIBES"
    },
    {
        "spdxElementId": "SPDXRef-DOCUMENT",
        "relatedSpdxElement": "SPDXRef-pkg-npm-terser-3.14.1",
        "relationshipType": "DESCRIBES"
    },
    {
        "spdxElementId": "SPDXRef-DOCUMENT",
        "relatedSpdxElement": "SPDXRef-pkg-npm-terser-webpack-plugin-1.2.1",
        "relationshipType": "DESCRIBES"
    },
    {
        "spdxElementId": "SPDXRef-DOCUMENT",
        "relatedSpdxElement": "SPDXRef-pkg-npm-webpack-4.28.4",
        "relationshipType": "DESCRIBES"
    },
    {
        "spdxElementId": "SPDXRef-pkg-npm-terser-3.14.1",
        "relatedSpdxElement": "SPDXRef-pkg-npm-terser-webpack-plugin-1.2.1",
        "relationshipType": "DEPENDENCY_OF"
    },
    {
        "spdxElementId": "SPDXRef-pkg-npm-terser-webpack-plugin-1.2.1",
        "relatedSpdxElement": "SPDXRef-pkg-npm-webpack-4.28.4",
        "relationshipType": "DEPENDENCY_OF"
    },
    {
        "spdxElementId": "SPDXRef-pkg-npm-webpack-4.28.4",
        "relatedSpdxElement": "SPDXRef-bda845e38ee2becb214eaa4c995d4951d755faceb38a4ef6e7092699592d7efe",
        "relationshipType": "DEPENDENCY_OF"
    }
],

Here is how this would be visualised in the user interface:

View logged events

Learn about the events logged at Debricked and how to view all of them.

Keep in mind that only users with admin rights have access to the event logs.

To ensure transparency, Debricked logs almost all events across the service. This enables you to track everything that happens in your company account and manage various aspects of security, performance, and transparency.

The logs can be accessed through Debricked API, using the endpoints:

/api/{version}/open/admin/request-logs/get-request-logs/api/{version}/open/admin/request-logs/get-events

To get a list of event logs, simply call the get-request-logs endpoint with appropriate filters. Here is an example of a simple request, fetching all events:

curl -X 'GET' \'https://debricked.com/api/1.0/open/admin/request-logs/get-request-logs?start=2021-05-10T15%3A52%3A01&page=1&pageSize=20' \  -H 'accept: application/json' \  -H 'Authorization: Bearer <token>

In this case, a start date is specified, while the end date is not, which results in data on events from the start date, up to the current date and time. Since the endpoint is paginated, it is required to specify the pages and the page size.

Here is an example of a response:

{  "page": 1,  "found": 2,  "requestLogs": [    {      "user": "tony.montana@debricked.com",      "event_name": "Created pull request",      "event_id": 2,      "url": "https://debricked.com/vulnerability/1/repository/2/commit/3/pull-request/generate",      "breadcrumbs": [],      "ip_address": "256.139.13.37",      "timestamp": "2021-11-06 19:45:14",      "method": "GET",      "status_code": 200    },    {      "user": "walter.white@debricked.com",      "eventName": "Visited repository page",      "eventId": 44,      "url": "/app/en/repository/24",      "breadcrumbs": [          {              "url": "../repositories",              "text": "Repositories"          },          {              "url": "",              "text": "owner/dependencies-relations-mess"          }      ],      "ipAddress": "256.139.13.38",      "timestamp": "2021-11-30T12:53:05",      "method": "GET",      "status_code": 200    }  ]}

The breadcrumbs list all the pages the user visited while using the tool. Note that the breadcrumbs are printed in reverse chronological order, that is, the latest event first and the oldest event last. The URLs in the breadcrumbs are relative to the event URL.

Filters

You can customize the logs by selecting additional filters, such as:

userEmail - Filter events performed only by a specific user.
url - Filter events only affecting a given URL. For example, https://debricked.com/app/en/vulnerability/6552
eventTypeId - Filter a specific event type.

To filter the logs based on events and get a list of all event names and IDs, you can query the get-events endpoint:

curl -X 'GET' \  'https://debricked.com/api/1.0/open/admin/request-logs/get-events'   -H 'accept: application/json' \  -H 'Authorization: Bearer <token>

Here is an excerpt of the response from the example:

[  {    "eventId": 17,    "eventName": "Added comment"  },  {    "eventId": 7,    "eventName": "Added token"  },  {    "eventId": 16,    "eventName": "Changed review status"  },  {    "eventId": 14,    "eventName": "Changed the use case"  },  {    "eventId": 26,    "eventName": "Changed user settings"  }]

Role-Based Access Control (Enterprise)

Understand the distinct functions and permissions of each user role available through Debricked's Role-Based Access Control.

This feature is only available for our SCA Enterprise users. Already have an account? Click here to upgrade.

Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) allows you to grant and enforce access to functionalities and integrated repositories by assigning pre-defined roles to users. To give you better control over what functionality and data can be accessed by different users, these roles are assigned per individual repository. A single user can have one level of access rights for one repository and a different level for another. Anything a user can see and do in an integrated repository is defined by their role.

Default user role

By default, once a new repository is integrated, only the company admin(s) get access to it (apart from the user integrating it), while other users are assigned the No access role. As a company admin, you are able to set the default role to one of your choice (up to the Reviewer role), which will be assigned to users every time a new repository is integrated.

To do so:

Go to Admin tools.
Type your password to enter the administrative mode.
In the Company Settings tab, click the drop-down and select a role of your choice.

User roles

Following are the seven different user roles:

No access

Users with this role can only see the name of the repository, but cannot access any more information.

Viewer

Recommended for non-code contributors who want to view or discuss your project.

Users with this role can:

View repository information
View Start Left information
Add comments
Create exports
Access the API (limited by endpoints)

Developer

Recommended for contributors who should be able to create pull requests and fix vulnerabilities.

Users with this role can:

Access the repository
View repository information
Integrate repositories
Add comments
View Start Left information
Create exports
Access the API (limited by endpoints)
Create Pull Requests
Pause vulnerabilities
Perform manual uploads (only via the API)

Reviewer

Recommended for contributors who need to review and triage vulnerabilities and the like.

Users with this role can:

Access the repository
View repository information
Integrate repositories
Add comments
View Start Left information
Create exports
Access the API (limited by endpoints)
Create Pull Requests
Pause and snooze vulnerabilities
Set and change the review status
Perform manual uploads

Maintainer

Recommended for contributors who don’t need to review and triage, but are able to manage the repository, perform manual uploads, and invite users.

Users with this role can:

Access the repository
View repository information
Integrate repositories
Add comments
View Start Left information
Create exports
Access the API (limited by endpoints)
Create Pull Requests
Pause vulnerabilities
Modify repository automation rules
Edit other users’ permissions (up to own levels)
Invite users
Edit repository use cases
Set the default branch for the repository
Enable or disable GitHub scanning
Delete repositories
Delete commits
Perform manual uploads

Repository admin

Recommended for people who need full access to the repository, including reviews and triaging.

Users with this role can:

Access the repository
View repository information
Integrate repositories
Add comments
View Start Left information
Create exports
Access the API (limited by endpoints)
Create Pull Requests
Pause and snooze vulnerabilities
Modify repository automation rules
Edit other users’ permissions (up to own levels)
Invite users
Edit repository use cases
Set the default branch for the repository
Enable or disable GitHub scanning
Delete the repository
Delete commits
Perform manual uploads
Set and edit the review status

Company admin

The highest level of access. Recommended for people who need full access to all repositories and settings.

Users with this role can perform all actions of a Repository admin and also:

Modify all automation rules
Edit all use cases
Delete the company account
Access billing self-serve
Whitelist email domains
Enforce 2 factor authentication
Change SSO settings
Modify default automations
Toggle allowing or disallowing snooze
Delete other accounts
Disable other accounts
Update account information for other users
Manage policies

Available actions for each user role

Action

Viewer

Developer

Reviewer

Maintainer

Repository Admin

Company Admin

View repository information

✓

View Start Left information

✓

Access to API

✓

Create exports

✓

Add comments

✓

Access the repository

✓

Integrate repositories

✓

Create Pull Requests

✓

Pause vulnerabilities

✓

Perform manual uploads

✓

Snooze vulnerabilities

✓

Set and change the review status

✓

Modify automation rules for a given repository

✓

Edit other users’ permissions (up to own levels)

✓

Invite users

✓

Edit repository use cases

✓

Set the default branch for the repository

✓

Enable or disable GitHub scanning

✓

Delete repositories

✓

Delete commits

✓

Create access tokens

✓

Delete the company account

✓

Access billing self-serve

✓

Whitelist email domains

✓

Enforce 2 factor authentication

✓

Change SSO settings

✓

Modify default automations

✓

Toggle allowing/disallowing snooze

✓

Delete other accounts

✓

Disable other accounts

✓

Update information for other user

✓

Manage policies

✓

Assign roles when inviting new users

Go to Admin tools. You can also go to either Repositories, Vulnerabilities or Dependencies view.
If needed, type your password to enter the administrative mode.
Click Invite users.
Select the repository(s) you want the users to be invited to.
Add the emails of the invitee(s).
Select a user role for each of the invitee.
Click Create invite.
The invitation then shows up in the Invitations to send tab. Here, you can Edit or Delete it if needed.
Once you review it, click Send invite.
The invitation then shows up in Sent invitations. Here, you can withdraw the invitation by clicking Delete.

Modify access for an existing user

Go to Admin tools.
Type your password to enter the administrative mode.
In the Users tab, find a list of users in your company. If you hover over the rule name in the User role column, you can see all of the current roles of that user and their scope(s).
To edit the role, click Edit (pen icon) on the right side of the table.
Click either the Handle access tab, or Handle access button. Here, you can edit the user’s existing role(s) and their scope(s).
To assign a new role click the + button.

High performance scans

High Performance Scans are currently available for Maven (pom.xml), Gradle (build.gradle), Go modules (go.mod), Pip (requirements.txt), NuGet (.csproj and packages.config), yarn (package.json), and composer (composer.json).

Some package managers do not have native support for maintaining lock files with complete information on dependency versions and relations. In order to guarantee fast and accurate scans for these package managers, it is necessary to first generate this information into a file before sending it to Debricked for scanning. Doing this also ensures that private dependencies are included in the scans and eliminates the need to send source code for a complete scan, since all information will be included in the generated file.

At Debricked, the High Performance Scans solution makes this process as simple as possible. This technology enables you to accurately and quickly resolve full dependency trees for repositories that don't have a lock file present. By using the lock file resolution technology to generate the needed files before sending them to the Debricked tool, all the drawbacks that come with trying to generate the files on our end are removed.

With High Performance Scans, you can generate Debricked lock files on your end, without us having to handle any of your source code. This approach improves the performance of the scans, especially when built into an existing pipeline that already builds the project. It also enables us to parse more accurate dependency results and obtain the relations of private dependencies without accessing anything other than the dependency files to scan your repository. Furthermore, it allows us to handle files of much bigger size.

The High Performance Scanning is highly customizable, allowing you to set it up to run in conjunction with a scan or in any other part of your pipeline.

Generate Debricked lock(tree) files using high performance scans

The High Performance Scans technology is available through the Debricked CLI by using the resolve command. This command analyses your project to find eligible manifest files, that do not have related lock files and uses them to generate the appropriate Debricked lock files. When conducting a scan using the scan command, the feature is enabled by default. It can be disabled by using the --no-resolve flag. Additionally, this technology is available through CI templates, which have been reworked using the new command to be as simple as possible. This is built with customizability in mind, to suit many different use-cases. You might, for example, want to generate the lock files using the resolve command in a build step in your pipeline, separate from the scan step, since it will save time not having to build the project twice. When doing this, it is important to ensure that the files resulting from the resolve command are included in the stage where the scan is run.

Speed up Debricked lock file resolution

The best approach for speeding up the generation of debricked lock files is to make sure that the dependencies that are used for building the project are cached on the system that Debricked CLI operates on. By doing so, Debricked CLI can utilize these locally installed dependencies instead of having to download them from the registries, which is a time-consuming task. Package managers cache their dependencies differently, so if you set up dependency caching for your package manager, Debricked CLI will be able to utilize that out of the box and in the process make the debricked lock file resolution snappier.

Example:

Maven is a commonly used build automation tool (and package manager) in the Java world. When Maven downloads dependencies for a project the dependencies are by default cached in the directory ~/.m2/repository. If Debricked CLI is used to resolve a Maven project on this system, instead of downloading dependencies, the ~/.m2/repository directory is first checked and if the currently processed dependency is already downloaded it will be reused.

Error handling

The resolution feature utilizes package managers to create Debricked lock files, which works smoothly for simpler projects. For more complex projects, there might be certain project requirements that the Debricked CLI cannot interpret.

To account for that, the resolution feature is built to be as transparent as possible, showing you what went wrong, in order to assist in solving the issue. An example of such an error is when privately hosted dependencies are built into the project - if Debricked CLI cannot resolve these private dependencies the error given by the package manager will be displayed for you.

Debricked CLI

Learn all about our Command Line Interface, which enables you to run vulnerability scans on your local machine and integrate Debricked into your pipeline.

Introduction

The Debricked CLI is Debricked's command line interface, bringing open-source security, and license compliance to your project via the command prompt.

The Debricked CLI is currently available for: Windows, Linux, and macOS operating systems. It might work on other operating systems but has not been thoroughly tested yet. Supported languages: Javascript, Java, C#, Ruby, PHP, and more.

Supported package managers: Yarn, Npm, Bowel, Bazel, Gradle, and more.

Mastering Debricked's CLI and API - webinar recording

Check out our latest training webinar and learn the basics of working with Debricked CLI and API:

1. Getting started

To use the Debricked CLI, you must have a Debricked account and install the CLI.

The CLI can be run:

locally in your terminal as an interactive shell
in your CI/CD pipeline
through docker

1.1 Authentication

You can authenticate with Debricked either through an access token (recommended for CI/CD integrations), or by using the debricked auth command to log into the UI (recommended for scanning local projects). To create an access token, log in to Debricked and follow the steps to generate an access token. Make sure to keep the access token in a safe place for later use.

2. Installation

The CLI can be installed and used through:

Local installations: - Standalone - Installation using Go
Adding the CLI into your CI/CD pipeline
Using a docker image

If you run into any issues during the installation process, feel free to contact us.

2.1 Local installation

2.1.1 Standalone

Find the latest GitHub releases to download a standalone executable here.

Command Example for Linux:

curl -L https://github.com/debricked/cli/releases/latest/download/cli_linux_x86_64.tar.gz | tar -xz debricked

Command Example for Windows:

curl -L https://github.com/debricked/cli/releases/latest/download/cli_windows_x86_64.tar.gz | tar -xz debricked.exe

Command Example for MacOS:

curl -L https://github.com/debricked/cli/releases/latest/download/cli_macOS_arm64.tar.gz | tar -xz debricked

2.1.2 Installation Using Go

Requirements:

Local compilation of Debricked CLI requires Go to be installed on your system. In order to check whether you already have the compiler installed on your device, run the command ‘go version’ on your terminal. If there is no command available, install the Go compiler.

Installation:

Install Go on your operating system following the official documentation
Clone the CLI repository to your local directory: https://github.com/debricked/cli

2.2 Adding CLI to your CI or CD pipeline

The CLI can be integrated into your continuous integration (CI) to run scans on the pipeline. You can integrate using:

Docker image
Binary standalone

2.2.1 Using docker Debricked or CLI image

Log in to debricked.com/app and follow the steps to generate an access token.
Set your access token, named DEBRICKED_TOKEN, as an environment variable within your continuous integration (CI). If you don’t know how to configure your environment variable, check our documentation for the most common CI integrations.
Configure a new job in your CI pipeline::

debricked/cli:2-resolution-debian docker image
Run debricked scan
Add the DEBRICKED_TOKEN as a variable or (if possible) as a secret

See the example below for the GitHub actions integration (see the debricked.yml file):

For more details, please check our sample templates for the integration of your choice.

2.2.2 Using standalone

Log in to debricked.com/app and follow the steps to generate an access token.
Set your access token, named DEBRICKED_TOKEN, as an environment variable within your continuous integration (CI). If you don’t know how to configure your environment variable, visit our documentation for the most common CI integrations.
Configure a new job in your CI pipeline::

Run:

curl -L https://github.com/debricked/cli/releases/latest/download/cli_linux_x86_64.tar.gz | tar -xz debricked

to use the executable Debricked CLI.

Run debricked scan.

Here’s an example of the Circle CI integration: circleci /config.yml file. For more examples check out: https://github.com/debricked/cli/tree/main/examples/templates

jobs:
  build:
    docker:
      # specify the version here
      - image: cimg/go:1.17

    steps:
      - checkout
      - run: |
          printf "$(go mod graph)\n\n$(go list -mod=readonly -e -m all)" > .debricked-go-dependencies.txt
      # It is important that the generated dependency tree files are persisted and attached to the following scan step
      - persist_to_workspace:
          root: ~/repo
          paths:
            - '**.debricked-go-dependencies.txt'
            # Make sure to add all generated .debricked-go-dependencies.txt files

  scan:
    docker:
      - image: cimg/go:1.17
    working_directory: ~/repo
    steps:
      - checkout
      - run: curl -L https://github.com/debricked/cli/releases/latest/download/cli_linux_x86_64.tar.gz | tar -xz debricked
      - run: ./debricked scan

workflows:
  debricked-scan:
    jobs:
      - build
      - scan:
          requires:
            - build

3. Testing your installation

To confirm whether the installation was successful, run the command ‘./debricked --help’. If you can see the menu as seen below, you are ready to scan your first project!

4. Scan your first project

Once you've installed the CLI, you're ready to scan your project. You can scan a local project allocated on your local machine or a project in a remote repository via a CI integration, follow the instructions below to perform your first scan:

Authenticate CLI with either access token or through the debricked auth command.
Run debricked scan --help to see the main menu and check if the CLI is running
Scan your project locally using the command: debricked scan [path] [options]

The path is the folder that contains your project's dependency file. See this practical example, scanning a local project:

debricked auth login

debricked scan ~/Desktop/myproject/EasyApp

The debricked auth login command authenticates directly through the UI and is therefore suitable for scanning local projects.

The path is the ~/Desktop/myproject/EasyApp. Since EasyApp is a git repository, no other flags are needed for the scan.

Include some [option]s within your scan:

debricked scan ~/Desktop/myproject/EasyApp --commit "044bdc7c22e46be010969e9360dbe679830100f1" --branch "dev"  --exclusion "**/test/**"

The commit --commit specifies the hash commit, and the branch with the command --branch. Note that --commit and --branch are only required when the target path does not contain a git repository.

Another option is to change the directory to a folder that contains your project's dependency file. So, you can use "." For example:

debricked scan . --access-token <token>

As shown above, you can also use an access token while scanning, which is recommended for CI/CD integrations.

After the scan is complete, you will see the total number of vulnerabilities found and a list of automation rules that have been evaluated.

You can log in to the Debricked web tool to see the scan results, by following the link with all the details.

5. List of commands

These are the main commands for the Debricked CLI:

Command

Description

help

Display options.

scan [path] [access-token] [flags]

Upload and check your dependency files for vulnerabilities.

resolve [path] [flags]

Resolve manifest files.

files find [path] [access-token] [flags]

Search and print the dependency files.

report [command]

[access-token] [flags]

Generate a report and send it by email.

callgraph [path] [flags]

Generate a static callgraph for a project.

fingerprint [[path] [flags]]

Fingerprint files.

auth [command]

Authenticate to Debricked service.

help

debricked [command] --help

Type debricked –-help to display the main menu.

To display the options on any command just execute the [command], followed by the --help option. For example, type debricked scan -–help to list the options for the scan command.

scan

debricked scan [path] [flags]
debricked scan –-help to see all the options.

The scan command uploads and check your dependency files for open-source vulnerabilities and license compliance.

Path:

Use the path argument to specify which directory the dependency file is in, or to exclude it. For example: debricked scan ~/Desktop/Coder-2022/Eccomerce2/ -t <token>.
Use the path to specify where the dependency file is allocated, you can use "." to search the current working directory. For instance: debricked files find . -t <token> or debricked files find ~/Desktop/Coder-2022/Eccomerce2/ -t <token>

Flags:

-t --access-token Required

Use this parameter to authenticate. Run -t, or --access-token and enter your access token created in the authentication. Example: --access-token <token>

-e, --exclusions Optional

Use this command to exclude files or folders you don't want to be scanned for some reason. The following terms are supported to exclude paths:

"*": matches any sequence of non-Separator characters.
"/**/": matches zero or multiple directories.
"?": matches any single non-Separator character.
"[class]": matches any single non-Separator character against a class of characters
"{alt1,...}": matches a sequence of characters if one of the comma-separated alternatives matches.

Examples: -e "*/**.lock", -e "**/node_modules/**", -e "*/**.exe, -e "**/node_modules/** You can use this command to ignore multiple terms. For example: debricked files find . -e "**/node_modules/**" -e "**/package-lock.json"

Default: in case you don’t provide this parameter will be set by default to ignore the “node_modules”, "vendor", and “.git”

-b, --branch Optional

Use this parameter to specify the branch to analyze in your project. For example: -–branch main

Default: if you don’t provide this parameter will be set by default to scan all the branches.

-c, --commit Optional

Use this parameter to specify the commit to analyze in your project. Type -–commit followed by the hash commit. Example: --commit 2609d8385125ddd2d7aa4cfb5be8fcd392e3280a.

Default: if you don’t provide this parameter, Debricked will scan the last commit.

-i, --integration Optional

Use this parameter to specify the name of the integration used to trigger the scan. For example --integration “GitHub Actions”

Default: if you don’t provide this parameter, it will be set to “CLI” by default

-p, --pass-on-timeout Optional

Use this parameter to pass scans if there is a service access timeout

-r, --repository Optional

Use this parameter to specify the name of the repository to analyze. For example: --repository EasyApp

-u, --repository-url Optional

Use this parameter to specify the URL address of the repository to analyze. For example:--repository-url https://github.com/nordisk/myrepository

--no-resolve Optional

When scanning, the High Performance resolution is enabled by default. Use this parameter to disabled it if needed. See here for more details about the High Performance Scan.

More Examples:

In this example, we analyze all the dependencies files in our current directory. The “.” starts the scanning in the current working directory.

debricked scan . -t "<token>"

In this example, we are going to scan a project called “EasyApp” in the local directory “~/Desktop/myproject/EasyApp”:

Debricked scan ~/Desktop/myproject/EasyApp --access-token "<token>" --commit "044bdc7c22e46be010969e9360dbe679830100f1" --branch "dev"  --exclusion "**/node_modules/**"

resolve

debricked resolve [path] [flags]
debricked resolve –help to see all the options.

The resolve command resolves manifest files to lock files. See here for more details about the High Performance Scan.

Path:

Use the path argument to specify what manifest file to resolve or what directory to resolve manifest files in. For example: debricked resolve ~/Desktop/Coder-2022/Eccomerce2/ -t <token> or debricked resolve ~/Desktop/Coder-2022/Eccomerce2/pom.xml -t <token>.

Flags:

-t --access-token Optional

Use this parameter to authenticate to enable a higher rate limit. Run -t, or --access-token and enter your access token created in the authentication. Example: --access-token <token>

-e, --exclusions Optional

Use this command to exclude files or folders you don't want to be scanned for some reason. The following terms are supported to exclude paths:

"*": matches any sequence of non-Separator characters.
"/**/": matches zero or multiple directories.
"?": matches any single non-Separator character.
"[class]": matches any single non-Separator character against a class of characters
"{alt1,...}": matches a sequence of characters if one of the comma-separated alternatives matches.

Examples: -e "*/**.lock", -e "**/node_modules/**", -e "*\**.exe, -e "**\node_modules\** You can use this command to ignore multiple terms. For example: debricked files find . -e "**/node_modules/**" -e "**/package-lock.json"

Default: in case you don’t provide this parameter will be set by default to ignore the “node_modules”, "vendor", and “.git”.

--verbose Optional Use the this flag to toggle verbosity in error output for resolution, this mainly applies to the error output provided from the package managers which the Debricked CLI calls (i.e "external" errors) when resolving. For example --verbose=false to get less verbose error messaging.

Default: If you don’t provide this parameter, it will be set to “true” by default.

--resolution-strictness int Optional Use the this flag to configure exit codes for resolution, depending on the success of the command: - 0 (default) - Always exit with code 0, even if any or all files failed to resolve - 1 - Exit with code 1 if all files failed to resolve, otherwise exit with code 0 - 2 - Exit with code 1 if any file failed to resolve, otherwise exit with code 0 - 3 - Exit with code 1 if all files failed to resolve, if any but not all files failed to resolve exit with code 3, otherwise exit with code 0

--regenerate int Optional Use the this flag to toggle regeneration of already existing lock files between 3 modes. This is useful for when you use the resolve command to generate lock files permanently in your project and would like to ensure that they are kept up to date before every scan. - 0 (default) - No regeneration - 1 - Regenerates existing non package manager native Debricked lock files - 2 - Regenerates all existing lock files

--prefer-npm Optional This flag allows you to use npm instead of yarn (which is default) when resolving package.json files without lock files.

files find

debricked files find [path] [flags]
debricked files find –-help to see all the options.

Use this command to search all the dependencies files in your project.

Path:

Use the path argument to specify which directory the dependency file is in, or to exclude it. For example: debricked files find ~/Desktop/Coder-2022/Eccomerce2/ -t <token>.
Use the path to specify where the dependency file is allocated, you can use "." to search the current working directory. For instance: debricked files find . -t <token> or debricked files find ~/Desktop/Coder-2022/Eccomerce2/ -t <token>.

Note: If the path is inside a git repository, all the necessary flags branch, commit, etc) will be set for you automatically.

Flags:

-l, --lockfile Optional

Use this parameter to find only the lock files in your project.

-j, --json Optional

Use this parameter to print the file from the path in JSON format. Here’s an example, where we look for all the dependency files in the folder “project7” and print them in JSON format.

debricked files find  ~/Desktop/project7 -t <token> -e "**/node_modules/**" --json

Output:

[
  {
    "manifestFile": "go.mod",
    "lockFiles": [
      ".gomod.debricked.lock"
    ]
  }
]

-s, --strict int

Allows controlling which files are matched:

- 0 (default) - returns all matched manifest and lock files regardless if they're paired or not

- 1 - returns only lock files and pairs of manifest and lock-file

- 2 - returns only pairs of manifest and lock-file\

Workspaces:

Since release v2.0.7 files find support workspaces for npm and yarn. Nothing additional is needed to make workspaces work, but in addition to the official format we also support nesting the workspace patterns under a packages key. Examples:

{
  "workspaces": [
    "package/*"
  ]
}

{
  "workspaces": {
    "packages": [
      "package/*"
    ]
  }
}

For specific documentation on using workspaces with npm see the npm workspace documentation, and for yarn see the yarn workspace documentation.

report

report license

Note that this feature is only available for premium users. Visit our Pricing page for more info.

Example**:**

debricked report license -t "<token>" --commit 044bdc7c22e46be010969e9360dbe679830100f1 --email user1@email.com

Flags:

-t --access-token Required

Use this parameter to authenticate. -t, or --access-token and enter your access token created in the authentication. For example: --access-token <token>

-c, --commit Required

Use this parameter to specify the hash commit of the repository to analyze. For example: --commit 2609d8385125ddd2d7aa4cfb5be8fcd392e3280a

-e, --email Required

Use this parameter to set the email address to which the report will be sent to. For example: --email user1@email.com

report vulnerability

Note that this feature is only available for premium users. Visit our Pricing page for more info.

Example generating a Vulnerability report**:**

debricked report vulnerability-t "<token>" --commit 044bdc7c22e46be010969e9360dbe679830100f1 --email user1@email.com

Flags:

-e, --email Required

Use this parameter to set the email address to which the report will be sent to. For example: --email user1@email.com

callgraph

debricked callgraph [[path] [flags]]
debricked callgraph –help to see all the options.

The callgraph command generates a static callgraph for a project. Execute command in project directory or specify project path.

Path:

Use the path argument to specify the project path. If nothing is provided, the current working directory will be used.

Flags:

e, --exclusions Optional
- Specify which files or paths you don't want to include in the callgraph. The following terms are supported to exclude paths:
  Term
  Meaning
  *
  matches any sequence of non-Separator characters
  /**/
  matches zero or multiple directories
  ?
  matches any single non-Separator character
  [class]
  matches any single non-Separator character against a class of characters ([see "character classes"])
  {alt1,...}
  matches a sequence of characters if one of the comma-separated alternatives matches
Examples: -e "**/target/test-classes/**", -e "*\\test.class"
You can use this command to ignore multiple terms. For example: debricked callgraph -e "**/target/test-classes/**" -e "*\\test.class"
--no-build Optional
- Do not automatically build all source code in the project. This option requires a pre-built project/available .class files.
--generate-timeout Optional
- Sets a timeout (in seconds) on the call graph generation.
- Default: If you don’t provide this parameter, it will be set by default to 3600 (1 hour).

Command Details:

The command can be divided into three main steps:

Build project
- build project based on the root pom.xml. If no root pom.xml is found, all pom.xml files will be built individually.
```
$ mvn package -q -DskipTests -e
```
- a successful build will generate the necessary .class files

Copy external dependency files to .debrickedTmpFolder in the root pom.xml directory

$ mvn q -B dependency:copy-dependencies -DoutputDirectory=/path/to/root/.debrickedTmpFolder -DskipTests -e

Generate call graph
- Uses a built version of the Debricked vulnerable functionality project to identify all .class files and map those to the root pom.xml, using the same path as .debrickedTmpFolder
  $ java -jar path/to/built/file/java/common/target/SootWrapper.jar -u path/to/root/target/classes/ -l /path/to/root/.debrickedTmpFolder -f .debricked-call-graph
- The generated call graph output is stored in the base64 encoded zip file .debricked-call-graph

The callgraph command requires at least java11. If your project cannot be built with java11, we would recommend you to build your project in your environment before running the command and use --no-build flag when generating the call graph.

Common Errors:

Build failures
- These are likely due to local configurations. If the build step fails, it is recommended to build your project as usual in your environment and skip step 1 above, i.e. just copy external dependencies to .debrickedTmpFolder and run debricked callgraph --no-build on your built project. Make sure all .class files are available.

Callgraph failures

out of memory

cp dependencies

* Critical:
	|Command 'mvn -q -B dependency:copy-dependencies -DoutputDirectory=/path/to/root/.debrickedTmpFolder -DskipTests' executed in folder '/path/to/root/' gave the following error: 
	|[ERROR] Failed to execute goal on project <project-name>: Could not resolve dependencies <deps>

mapping dependencies

* Critical:
	|Command 'java -jar path/to/built/file/java/common/target/SootWrapper.jar -u path/to/root/target/classes/ -l /path/to/root/.debrickedTmpFolder  -f .debricked-call-graph' executed in folder '/path/to/root' gave the following error: 
	|
	|Running SootWrapper version 5.0
	|SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
	|SLF4J: Defaulting to no-operation (NOP) logger implementation
	|SLF4J: See <http://www.slf4j.org/codes.html#StaticLoggerBinder> for further details.
	|Error: Found no entry points. Do path(s) to user code contain compiled user code?

If you see the error above, make sure all .class files are available in the right path and that all external dependencies have been copied to .debrickedTmpFolder

fingerprint

debricked fingerprint [[path] [flags]]
debricked fingerprint –help to see all the options.

Fingerprint files for identification in a given path and write it to debricked.fingerprints.txt. This hashes all files to be used for matching against the Debricked knowledge base.

Path:

Use the path argument to specify the project path. If nothing is provided, the current working directory will be used.

Flags:

e, --exclusions Optional
Specify which files or paths you don't want to include when fingerprinting. The following terms are supported to exclude paths:
Term
Meaning
*
matches any sequence of non-Separator characters
/**/
matches zero or multiple directories
?
matches any single non-Separator character
[class]
matches any single non-Separator character against a class of characters ([see "character classes"])
{alt1,...}
matches a sequence of characters if one of the comma-separated alternatives matches
Examples: -e "/.pyc", -e "*\\\\test.class", -e "**/target/test-classes/**"
You can use this command to ignore multiple terms. For example: debricked fingerprint -e "/node_modules/" -e "/.egg-info/" -e "/*venv/**"
By default, the following are ignored: /nbproject/,/nbbuild/,/nbdist/,/node_modules/,/pycache/,/_yardoc/,/eggs/,/wheels/,/htmlcov/,/pypackages/,/.egg-info/,/venv/*
-fingerprint-compressed-content Optional
Fingerprint the contents of compressed files by unpacking them in memory, Supported files: [.jar .nupkg .war] default: false

auth

You can authenticate to the Debricked service using this command. Following are the different commands:

debricked auth login to authenticate with your Debricked user.
debricked auth logout to log out an authenticated Debricked user.
debricked auth token to retrieve access token for use in the Debricked API.
debricked auth –help to see all the options.

6. Troubleshooting and error messages

Below you can find the list of some of the most common error messages. If the problem persists and you can’t solve it for yourself or have additional questions feel free to reach contact our support team.

⨯ Unauthorized. Specify access-token. 
Read more at https://debricked.com/docs/administration/access-tokens.html

This error message appears when the access-token is missing or if you provide an invalid access token. For more information, see the `-t -- access-token` command.

Error: required flag(s) "email" not set

This error message appears when you run the `debricked report vulnerability/license` command without a valid email address. To resolve this, use the `--email, -e` [options] to set an email the report should be sent to. For example: `debricked report license -t “<token>” –email ”usuario1@gmail.com”`

Error: ⨯ No commit was found with the name

This error message appears when you run the `debricked report vulnerability/license` command but the CLI can’t find the commit. To resolve this, use the `--commit, -c` [options] to provide a commit hash.

For example: `debricked report license -t “<token>” –email ”usuario1@gmail.com” –commit 044bdc7c22e46be010969e9360dbe679830100f1`

Error: required flag(s) "commit" not set

This error message appears when you run the `debricked report vulnerability/license` command without any commits. To resolve this, use the `--commit, -c` [options] to provide a commit hash.

For example: `debricked report license -t “<token>” –email ”usuario1@gmail.com” –commit 044bdc7c22e46be010969e9360dbe679830100f1`

Error: invalid directory path specified: "~/Desktop/../../EasyApp"

This error message appears when the scan can't find any valid directory in the path. To resolve it, check if the path provided is correct.

Error: ⨯ failed to find repository name

This error message appears when we can't fetch the repository name. To fix this, set a name for the repository, using the -r flag.

6.1 Getting support

If you need help, contact us via our live chat, open Monday-Friday 9 am-5 pm CET, or email support@debricked.com.

Uninstallation

The only thing that is needed to uninstall is to remove the binary - the file called debricked or debricked.exe depending on your operating system.

6.2 Create an issue or report a bug

Before creating an issue or reporting a bug, make sure to contact support and discuss the issue or feedback with us first.

If you want to create an issue or report a bug you can do it directly by submitting an issue via GitHub.

6.3 Upgrading from version 1.X.X to version 2.0.0

The 2.0.0 release contains some breaking changes, documented below:

6.4 Contributors

If you'd like to contribute directly to the project, check out our guide. Keep in mind that it might take us some time to answer your questions. For a better experience, we recommend joining our Portal community, where you can learn more about Debricked, improve the way you use open source, and help others.

Feel free to reach out to any of the maintainers or other community members if you have any questions.

https://github.com/debricked/cli/blob/main/examples/templates/GitHub/debricked.yml

name: Debricked scan

on: [push]

jobs:
  vulnerabilities-scan:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
      - uses: debricked/actions@v4
        env:
          DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}

https://github.com/debricked/cli/blob/main/UPGRADE-2.0.md

# Upgrade from 1.X.X to 2.0.0

## Changed behaviours
- Changes default strictness of resolve command to 1 (Exit with code 1 if all files failed to resolve, otherwise exit with code 0 instead of always exiting with code 0)
- File Fingerprint analysis is on by default for all repositories which starts with the letters "A-C" (starting from v2.1.4 it is default for all repos). This range will be increased in future minor/patch releases.
- Added inclusion option to commands to force include patterns which are by default ignored by the CLI
- Refactored how exclusion works for fingerprinting to align it with the rest of the CLI, this includes a breaking change for windows where Unix path separators must be used in patterns.

## Runtime upgrades

- Base Docker images have been upgraded from Go 1.21 to 1.22
- In Docker resolution images, the following runtimes have been updated:
   - Upgrade Java from OpenJDK 11 to 21
   - Upgrade Maven from 3.9.2 to 3.9.6
   - Upgrade Gradle from 8.1.1 to 8.7
   - Upgrade Node from 18 to 21
   - Upgrade dotnet from 7.0 to 8.0
   - Upgrade Go from 1.21 to 1.22
   - Upgrade PHP from 8.2 to 8.3
- Debian Docker images have been upgraded from Bullseye (11) to Bookworm (12)

Debricked Documentation

Debricked Documentation

First Setup

Integrating with Debricked

Debricked's Tools

The Debricked Fundamentals - webinar recording

Need more help?

Overview

Running Debricked

Frequently asked questions (FAQ)

Is Debricked’s service on prem or SaaS?

What type of scanning does Debricked do?

How accurate is the service in finding a vulnerability?

Debricked has found a wrong dependency. What should I do?

What is meant by “increased computation” for enterprise customers?

To what extent can root fixes break the code?

How long do I need to wait to before requesting a second password reset?

Is there a way to restrict what repositories certain users can see?

Is it possible to extract a pie chart or other visualization of the identified licenses and dependencies?

What do we classify as a “scan”?

Does Debricked run on a PC, or does it upload data to your servers?

How do you distinguish between frequent and sporadic contributors?

What measures does Debricked implement to prevent and detect vulnerabilities?

Where is Debricked’s data stored?

Where is Debricked’s office located?

Upgrade your account

Language support

Supported file formats and features

C# - Nuget, Paket

File fingerprinting

Supported file formats and features

Product

Tools & Integrations

Frequently asked questions (FAQ)

Is Debricked’s service on prem or SaaS?

What type of scanning does Debricked do?

How accurate is the service in finding a vulnerability?

Debricked has found a wrong dependency. What should I do?

What is meant by “increased computation” for enterprise customers?

To what extent can root fixes break the code?

How long do I need to wait to before requesting a second password reset?

Is there a way to restrict what repositories certain users can see?

Is it possible to extract a pie chart or other visualization of the identified licenses and dependencies?

What do we classify as a “scan”?

Does Debricked run on a PC, or does it upload data to your servers?

How do you distinguish between frequent and sporadic contributors?

What measures does Debricked implement to prevent and detect vulnerabilities?

Where is Debricked’s data stored?

Where is Debricked’s office located?

Running Debricked

Debricked Documentation

First Setup

Integrating with Debricked

Debricked's Tools

The Debricked Fundamentals - webinar recording

Need more help?

Upgrade your account

C# - Nuget, Paket

File fingerprinting

Supported file formats and features

Language support

Supported file formats and features

Getting started

Java & Kotlin - Gradle, Maven, Bazel

Gradle

Maven

Bazel

File fingerprinting

Supported file formats and features

CycloneDX SBOM

Supported file formats and features

Analyzing external SBOM files using Debricked - video guide

Objective-C - CocoaPods

Supported file formats and features

Create a Debricked account

Sign up with email​​​​​​​

Sign up using GitHub SSO

Administrator role

Help

Unable to access live chat

Sign up with email