On 26/1/22 11:31 pm, Kirk Wolf wrote:
Good companies have policies and processes for approving any open source used internally. What's the alternative, write everything from scratch? Surely there will be no vulnerabilities there :-)
It's company policy where I work to perform code scans using Synopsys tools such as Black Duck and Polaris. These tools scan for license issues, vulnerabilities, compliance, etc. Polaris is so sophisticated it flagged a violation because it had detected I was using an SSLSocket without verifying the peer hostname. These scans are run in our DevOps pipeline every time we merge into our development branch or master.
---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
