Vulnerability Detection FAQs

What is CommunityBridge Vulnerability Detection?

CommunityBridge Vulnerability Detection is a service that helps open source developers identify and remediate security vulnerabilities so they can ship more secure code. Projects in the Linux Foundation's SFDC (Sales Force Dot Com) database receive free daily scans from the service, covering both the code in their repositories and their library dependencies. A public dashboard gives developers visibility into open security issues and the paths to remediating them.

Does CommunityBridge automatically scan my project’s code?

Yes. If your project is set up in the Linux Foundation's SFDC (Sales Force Dot Com) database, CommunityBridge Vulnerability Detection scans your code daily and adds any detected vulnerabilities to your project dashboards. Issues are classified as high, medium, or low risk using information from databases such as CVE and CWE. An inventory of your project’s detected dependencies and their licenses is also recorded alongside the dependency details.

Who can see Vulnerability reports?

Only maintainers and contributors can see details of a vulnerability scan. However, because these projects are on public repositories, anyone can see the vulnerability summary that shows the total number of issues.

What languages and programming ecosystems are supported for scanning?

Dependency and vulnerability scanning is currently supported for JavaScript, Node.js (npm), Java, Scala, Ruby, Python, Golang, and PHP.

How are licenses identified?

CommunityBridge Vulnerability Detection uses Snyk to scan a project’s Git-based repository and match each dependency’s license against the SPDX license list. How a license is identified varies by ecosystem, but it is generally derived from a combination of the license stated in the package, metadata retrieved from the registry, and license information detected in manifest files.
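To make that process concrete, here is an added example (not CommunityBridge's or Snyk's code) that resolves a dependency's license from the three evidence sources listed above, normalises the result to an SPDX identifier, and flags disagreement between sources for maintainer review. The SPDX excerpt, alias table, text fingerprints and sample package are all constructed assumptions.

```python
import re

# Assumption: a small excerpt of the SPDX license list, not the full list.
SPDX_IDS = {"MIT", "Apache-2.0", "BSD-3-Clause", "GPL-3.0-only", "ISC"}

# Non-SPDX spellings that turn up in manifests, mapped to SPDX identifiers.
ALIASES = {"apache 2.0": "Apache-2.0", "apache2": "Apache-2.0",
           "gplv3": "GPL-3.0-only", "bsd": "BSD-3-Clause"}

# Heuristic text fingerprints for detecting a license from a LICENSE file.
FINGERPRINTS = [
    (r"permission is hereby granted, free of charge", "MIT"),
    (r"apache license,?\s+version 2\.0", "Apache-2.0"),
    (r"neither the name of .* nor the names of its contributors", "BSD-3-Clause"),
]

def normalise(declared):
    """Map a declared license string to an SPDX id, or None if unrecognised."""
    if not declared:
        return None
    declared = declared.strip()
    if declared in SPDX_IDS:
        return declared
    return ALIASES.get(declared.lower())

def detect_from_text(text):
    """Return the SPDX id whose fingerprint matches the license text, else None."""
    for pattern, spdx_id in FINGERPRINTS:
        if re.search(pattern, text, re.IGNORECASE | re.DOTALL):
            return spdx_id
    return None

def resolve_license(manifest, registry, license_text):
    """Combine the three evidence sources (precedence: manifest, registry, file).
    Returns UNKNOWN when nothing is recognised so a maintainer can review it."""
    evidence = [("manifest", normalise(manifest.get("license"))),
                ("registry", normalise(registry.get("license"))),
                ("license-file", detect_from_text(license_text or ""))]
    found = [(src, lic) for src, lic in evidence if lic]
    if not found:
        return {"spdx": "UNKNOWN", "source": "none", "conflict": False}
    source, spdx = found[0]
    # Sources disagreeing is worth surfacing: the declared license may not match the shipped text.
    conflict = len({lic for _, lic in found}) > 1
    return {"spdx": spdx, "source": source, "conflict": conflict}

# Constructed sample: non-SPDX spelling in the manifest, no registry field,
# Apache text in the LICENSE file.
SAMPLE = resolve_license({"license": "Apache 2.0"}, {},
                         "Apache License, Version 2.0, January 2004 ...")
```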

What partners support the CommunityBridge Vulnerability Detection service?

For CommunityBridge Vulnerability Detection, we are partnering with a few solutions providers where it makes sense. For example, projects can choose to allocate funds raised through the CommunityBridge Funding service to administer bug bounty programs through a partnership with HackerOne. Snyk provides daily vulnerability scanning for all projects on CommunityBridge (Funding and Mentorship) to identify vulnerabilities and dependencies, and to help manage IP risk through license verification.

How does CommunityBridge help a project manage its intellectual property obligations?

First, CommunityBridge automatically gives all projects using CommunityBridge Vulnerability Detection access to dependency license scans. CommunityBridge provides a project and its maintainers with visibility into the full tree of direct and indirect third-party dependencies that Snyk detects as used by the project, together with the licenses Snyk associates with those dependencies. This reporting gives maintainers a simple, lightweight, zero-effort view of the third-party licenses their project relies upon. It helps projects decide whether to avoid particular dependencies, for example when their licenses might be incompatible with the project’s own license, IP policies, or community objectives. It also helps projects identify their compliance obligations for the dependencies they use, for example which license notices they must reproduce when they distribute those dependencies.

Second, the Linux Foundation’s new CLA service tackles the difficult problem of ensuring that Contributor License Agreements are utilized appropriately by projects that require them. The new CLA service handles corporate authority considerations by requiring corporate CLAs to be signed by an authorized signatory of a company. It enables companies to control which of their employees are authorized to contribute to which projects under the signed CLAs. Depending on their own needs and processes, companies can take a fine-grained approach by specifying individual authorized contributors’ email addresses, or can easily authorize all employees across a domain name. The CLA service facilitates all these workflows and ensures that code contributions can only be accepted after the contributor satisfies the CLA requirements. Although the CLA service is initially available to Linux Foundation-hosted projects, we hope to make it available to a broader set of projects, including those on CommunityBridge.