LFX Security is a comprehensive service designed to assist open-source developers in identifying and addressing security vulnerabilities in their code, ultimately creating more secure software. This service also detects sensitive information, such as code secrets, and non-inclusive language within codebases.
If your project is in the Linux Foundation database, LFX Security scans your code weekly. Detected vulnerabilities are added to your project dashboards and classified as critical, high, medium, or low severity, cross-referenced against sources such as CWE, CVE, and GHSA. You also get an inventory of dependencies and their licenses, with details for each. LFX Security additionally scans for code secrets and non-inclusive language.
For background on these identifiers and severity ratings, refer to NVD.
LFX Security fetches the permissions from GitHub and maps those permissions into the following categories:
Owner/Admin -> GitHub admin permission
Maintainer -> GitHub maintain permission
Contributor -> GitHub triage, push, or pull permission
Users mapped to the Contributor or Maintainer role are given elevated permissions in LFX Security: they can dismiss irrelevant vulnerability issues, send notifications, and mark issues as false positives.
Dependency and vulnerability scanning is currently supported for JavaScript, Node.js (npm), Java, Scala, Ruby, Python, Golang, and PHP.
The Security Leaderboard displays two key metrics: "Vulnerabilities Fixed" and "Top 10 projects most active in fixing vulnerabilities." You might expect the second figure to add up to the first, but the two usually differ, for one specific reason.
Key Points:
• "Vulnerabilities Fixed" count: the number of distinct vulnerabilities fixed across all scanned projects. A vulnerability fixed in several projects is counted once.
• "Top 10 projects most active in fixing vulnerabilities" count: the sum of each top-10 project's own count of unique vulnerabilities fixed. A vulnerability is unique within a project, but the same vulnerability fixed in several of the top 10 projects is counted once per project.
Why the Mismatch?
The discrepancy comes from vulnerabilities that recur across projects. Counted once per project, these repeats push the aggregate above the distinct "Vulnerabilities Fixed" figure.
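To make the two figures concrete, here is an added example (not LFX Security's code) that computes both from a constructed scan export. The export shape, project names, and vulnerability ids are placeholders assumed for the example; the functions show that the gap between the two numbers equals, for each vulnerability shared by several top projects, the number of extra projects it appears in.

```python
"""Why 'Vulnerabilities Fixed' and the top-10 total diverge.

Added example; not LFX Security's code. It takes a constructed scan
export (project -> list of (vulnerability id, status) records) and
computes the two leaderboard figures the way the text describes:
a distinct count across all projects, and a sum of per-project counts
over the top N projects.
"""
from collections import Counter

# Constructed sample data; ids are placeholders, not real advisories.
SCAN_RESULTS = {
    "project-a": [("vuln-001", "fixed"), ("vuln-002", "fixed"),
                  ("vuln-003", "fixed"), ("vuln-004", "open")],
    "project-b": [("vuln-001", "fixed"), ("vuln-002", "fixed"),
                  ("vuln-005", "fixed")],
    # vuln-001 is listed twice here: the same advisory reached this project
    # through two manifests. It is still one fix for this project.
    "project-c": [("vuln-001", "fixed"), ("vuln-001", "fixed"),
                  ("vuln-006", "fixed")],
    "project-d": [("vuln-004", "open")],
}


def fixed_by_project(results):
    """Distinct ids fixed in each project (duplicates within a project collapse)."""
    return {project: {vid for vid, status in records if status == "fixed"}
            for project, records in results.items()}


def distinct_fixed_count(results):
    """The 'Vulnerabilities Fixed' figure: one count per unique id, corpus-wide."""
    all_ids = set()
    for ids in fixed_by_project(results).values():
        all_ids |= ids
    return len(all_ids)


def top_projects(results, n=10):
    """Projects ranked by number of distinct fixes, ties broken by name."""
    per_project = fixed_by_project(results)
    ranked = sorted(per_project.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(project, len(ids)) for project, ids in ranked[:n]]


def top_n_total(results, n=10):
    """The leaderboard's top-N figure: per-project counts summed, so an id
    fixed in k of the top projects contributes k."""
    return sum(count for _, count in top_projects(results, n))


def shared_across_top(results, n=10):
    """Ids responsible for the gap: fixed in more than one top-N project."""
    per_project = fixed_by_project(results)
    tally = Counter()
    for project, _ in top_projects(results, n):
        tally.update(per_project[project])
    return {vid: k for vid, k in tally.items() if k > 1}


if __name__ == "__main__":
    print("distinct fixed:", distinct_fixed_count(SCAN_RESULTS))
    print("top-10 total:  ", top_n_total(SCAN_RESULTS))
    print("shared ids:    ", shared_across_top(SCAN_RESULTS))
```

With the sample data, the distinct count is 5 while the top-10 total is 8; the difference of 3 is exactly (3 - 1) for vuln-001, fixed in three projects, plus (2 - 1) for vuln-002, fixed in two.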
LFX Security uses Snyk to scan a project's Git-based repository and match each dependency's license against the SPDX license list. How a license is identified varies by ecosystem, but in general Snyk reviews the license stated on the package, retrieves metadata from the package registry, and reads license information in manifest files.
For LFX Security, we partner with a few solution providers where it makes sense. For example, projects can choose to allocate funds raised through the LFX Funding service to run bug bounty programs through a partnership with HackerOne. Snyk provides daily vulnerability scanning for all projects on LFX (Funding and Mentorship) to identify vulnerabilities and dependencies, and to help manage intellectual property (IP) risk through license verification.
LFX Security helps projects manage their intellectual property (IP) obligations in two key ways:
Dependency License Scans
Automatic dependency scans: All projects in LFX Security receive automatic dependency license scans, providing a comprehensive view of direct and indirect third-party dependencies.
License association: Snyk associates licenses with libraries and packages, giving maintainers a clear understanding of the third-party licenses their project relies on.
Compliance and decision-making: This reporting enables projects to:
Determine whether to avoid dependencies with incompatible licenses
Identify compliance obligations for used dependencies
Reproduce necessary license notices when distributing dependencies
EasyCLA (Contributor License Agreement) Service
The Linux Foundation's EasyCLA service addresses the challenges of ensuring contributors assign IP rights to open-source projects. Key features include:
Corporate authority handling: EasyCLA requires corporate agreements to be signed by authorized signatories, enabling companies to control contributor access.
Fine-grained authorization: Companies can specify individual contributors or authorize all employees across a domain name.
Workflow facilitation: EasyCLA ensures code contributions meet requirements, streamlining workflows and ensuring contributor satisfaction.
Availability and Future Plans
The EasyCLA service is initially available to Linux Foundation-hosted projects, with plans to expand to a broader set of projects, including those on LFX Security.
The license is displayed as "Unknown" when the Snyk API cannot identify a license and returns the value "unknown" to LFX Security.
The License field is displayed as empty when the Snyk API returns no license details at all for the dependency. In that case there is no value to display, as opposed to an explicit "unknown".
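The license report above is only useful once a project decides what to do with each value, including the "Unknown" and blank cases. The following is an added example of such a policy check (not LFX Security's or Snyk's code). It assumes the inventory has been exported as a list of records with name, version, and license fields, where license holds an SPDX identifier or a simple OR/AND expression, the literal string "unknown" (the case shown as "Unknown"), an empty string, or no field at all (the case shown as empty). The record shape, the allowed and incompatible license sets, and the package names are assumptions for the example, not the Snyk API's format or any project's actual policy; handling SPDX expressions goes beyond what the text describes.

```python
"""Classify each dependency's license against a project policy.

Added example, not LFX Security's or Snyk's code. The record shape and
the policy sets below are assumptions for illustration.
"""
import re
from collections import Counter

# Assumed policy for a permissively licensed project (illustrative only).
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
INCOMPATIBLE = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}

# Shape of a bare SPDX identifier (letters, digits, '.', '+', '-').
SPDX_ID = re.compile(r"^[A-Za-z0-9.+-]+$")

# Constructed inventory; package names are placeholders.
INVENTORY = [
    {"name": "pkg-a", "version": "1.2.0", "license": "MIT"},
    {"name": "pkg-b", "version": "0.9.1", "license": "GPL-3.0-only"},
    {"name": "pkg-c", "version": "2.0.0", "license": "unknown"},   # shown as "Unknown"
    {"name": "pkg-d", "version": "3.1.4", "license": ""},          # shown as empty
    {"name": "pkg-e", "version": "0.1.0"},                         # field absent: also empty
    {"name": "pkg-f", "version": "1.0.0", "license": "MIT OR GPL-2.0-only"},
    {"name": "pkg-g", "version": "4.2.0", "license": "Apache-2.0 AND LGPL-2.1-only"},
]


def classify_license(raw):
    """Return one of: missing, unknown, allowed, incompatible, review.

    'missing' is the blank-field case, 'unknown' the explicit Snyk
    "unknown" value; both need a human to find the real license.
    """
    if raw is None or str(raw).strip() == "":
        return "missing"
    value = str(raw).strip()
    if value.lower() == "unknown":
        return "unknown"
    # Disjunction: the licensee may pick any alternative, so one allowed
    # branch is enough; only all-incompatible branches make it incompatible.
    if " OR " in value:
        verdicts = [classify_license(p) for p in value.split(" OR ")]
        if "allowed" in verdicts:
            return "allowed"
        if all(v == "incompatible" for v in verdicts):
            return "incompatible"
        return "review"
    # Conjunction: every part applies, so one incompatible part taints it.
    if " AND " in value:
        verdicts = [classify_license(p) for p in value.split(" AND ")]
        if "incompatible" in verdicts:
            return "incompatible"
        if all(v == "allowed" for v in verdicts):
            return "allowed"
        return "review"
    if not SPDX_ID.match(value):
        return "review"   # not a plain SPDX id: free text or a nested expression
    if value in ALLOWED:
        return "allowed"
    if value in INCOMPATIBLE:
        return "incompatible"
    return "review"       # valid id, but the policy has no opinion on it


def check_inventory(deps):
    """Map 'name@version' to its verdict for every dependency record."""
    return {f"{d['name']}@{d['version']}": classify_license(d.get("license"))
            for d in deps}


def summarize(report):
    """Count verdicts so the blockers (incompatible/unknown/missing) stand out."""
    return dict(Counter(report.values()))


if __name__ == "__main__":
    report = check_inventory(INVENTORY)
    for dep, verdict in report.items():
        print(f"{dep:14} {verdict}")
    print(summarize(report))
```

Treating "unknown" and the blank field as separate verdicts keeps the two cases from the text distinguishable in the output: the first means Snyk looked and could not decide, the second means no license data came back at all, and both should block a release until someone checks the package by hand.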