Source Code Review
All source code is maintained and secured within GitHub (https://github.com), and each source code repository has Dependabot alerts enabled.
Dependabot is a GitHub feature that detects vulnerable dependencies and sends alerts when:
- A new vulnerability is added to the GitHub Advisory Database. The GitHub Advisory Database contains a curated list of security vulnerabilities. Vulnerabilities are added to the GitHub Advisory Database from the following sources:
  - The National Vulnerability Database
  - A combination of machine learning and human review to detect vulnerabilities in public commits on GitHub
  - Security advisories reported on GitHub
  - The npm Security advisories database
- New vulnerability data from WhiteSource is processed. WhiteSource is the world's largest open source vulnerability tracking database (https://www.whitesourcesoftware.com/vulnerability-database/).
- The dependency graph for a repository changes, for example when a contributor pushes a commit that changes the packages or versions the repository depends on, or when the code of one of the dependencies changes.
Additionally, GitHub allows the team to review any dependencies added, updated, or removed in a pull request made against the default branch of a repository, and flags any change that would introduce a known vulnerability into the project. This allows the team to spot and deal with vulnerable dependencies before, rather than after, they reach the codebase.
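As an added illustration, not taken from VersaFile's documentation or from GitHub's own files, the pull-request dependency review described above can be enforced rather than left to manual inspection: GitHub's dependency-review action compares the dependency graph of the pull request against the base branch and fails the check when a newly introduced or upgraded package carries an advisory at or above a chosen severity. The workflow below is an assumed configuration; the default branch name and the `moderate` threshold are placeholders a team would set to match its own policy.

```yaml
# .github/workflows/dependency-review.yml (assumed file name)
# Runs on every pull request targeting the default branch and blocks the merge
# when the PR adds a dependency with a known advisory at or above the threshold.
name: Dependency Review

on:
  pull_request:
    branches: ["main"]   # assumption: the repository's default branch is "main"

permissions:
  contents: read         # least privilege: the job only needs to read the tree

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the pull request
        uses: actions/checkout@v4

      - name: Fail on newly introduced vulnerable dependencies
        uses: actions/dependency-review-action@v4
        with:
          # Severity at which the check fails; "moderate" is a placeholder policy value.
          fail-on-severity: moderate
```

Making the check a required status on the default branch in the repository's branch-protection settings turns the review from an advisory signal into a merge gate, which is what prevents the vulnerable dependency from reaching the codebase in the first place.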
VersaFile also maintains partnerships with SAP, IBM and other software companies whose products we integrate with. As part of our partner agreements with these vendors, we are notified of security issues in their software. These issues are evaluated by the team to determine whether VersaFile code is affected. If it is, fixes are planned and applied according to our release schedule.