by jwn 3549 days ago
I'm not sure what you mean by #1; the builds are as reproducible as the build system being used.

For #2, SourceClear doesn't build the software under test, it's hooked into the build via various methods. For Maven and Gradle, those are plugins. For NPM and Bundler, the existing build files contain the complete dependency graphs as determined by the build system. The analysis is quite accurate, I daresay more so than any other tool. Yes, it requires implementation work for each build stack, but that's the price you pay for accuracy.

In response to your #3, SourceClear doesn't report only vulnerabilities verified by call paths; it reports on all components with known vulnerabilities and denotes if a call path was found.

Disclaimer: I'm a co-founder and have spent a great deal of time writing scanning code.
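To make the two points in the comment concrete (reading the dependency graph the build system already resolved rather than re-building, and reporting every vulnerable component while only annotating whether a call path exists), here is an added example. It is not SourceClear's code and does not reflect its internals; it parses a constructed Bundler `Gemfile.lock`, matches it against a constructed advisory table, and uses a deliberately crude "does the app reference the vulnerable symbol" check as a stand-in for real call-graph analysis. All gem names, versions, advisories and the application snippet are made up for the example.

```python
"""Added example (not SourceClear's code): read the dependency graph a build
system already resolved (here a Bundler Gemfile.lock, constructed inline),
flag every reachable component with a known vulnerability from a constructed
advisory table, and note whether a call path from the application to the
vulnerable symbol was found. Names, versions and advisories are fictional."""
import re
from dataclasses import dataclass, field

# Constructed lockfile; the gem names, versions and constraints are fictional.
GEMFILE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    httpcore (1.4.2)
    tokenlib (0.9.1)
    webframe (3.1.0)
      httpcore (~> 1.4)
      tokenlib (>= 0.9)
    yamlish (2.0.3)

PLATFORMS
  ruby

DEPENDENCIES
  webframe
  yamlish

BUNDLED WITH
   2.2.3
"""

# Constructed advisory table: name -> (fixed_in_version, vulnerable_symbol).
# These are not real advisories.
ADVISORIES = {
    "httpcore": ("1.5.0", "HttpCore::Client.fetch"),
    "yamlish": ("2.1.0", "Yamlish.unsafe_load"),
}

# Constructed application source that the stand-in call-path check scans.
APP_SOURCE = """
require 'webframe'
require 'yamlish'
cfg = Yamlish.unsafe_load(File.read('config.yml'))
"""


@dataclass
class Spec:
    name: str
    version: str
    deps: list = field(default_factory=list)


SPEC_RE = re.compile(r"^    (\S+) \(([^)]+)\)$")   # 4-space indent: a spec
DEP_RE = re.compile(r"^      (\S+)")               # 6-space indent: its dependency


def parse_lockfile(text):
    """Return (specs, direct) from the GEM and DEPENDENCIES sections."""
    specs, direct, section, current = {}, [], None, None
    for line in text.splitlines():
        if line and not line.startswith(" "):
            section = line.strip()          # GEM, PLATFORMS, DEPENDENCIES, ...
            continue
        if section == "GEM":
            m = SPEC_RE.match(line)
            if m:
                current = Spec(m.group(1), m.group(2))
                specs[current.name] = current
                continue
            m = DEP_RE.match(line)
            if m and current is not None:
                current.deps.append(m.group(1))
        elif section == "DEPENDENCIES" and line.strip():
            direct.append(line.strip().split(" ")[0].rstrip("!"))
    return specs, direct


def reachable(specs, direct):
    """Every component in the resolved graph reachable from the direct deps."""
    seen, stack = set(), list(direct)
    while stack:
        name = stack.pop()
        if name in seen or name not in specs:
            continue
        seen.add(name)
        stack.extend(specs[name].deps)
    return seen


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def call_path_found(symbol, source):
    """Stand-in for call-graph analysis: does the app reference the vulnerable
    symbol directly? A real tool walks the call graph across libraries."""
    return symbol in source


def scan(lock_text, advisories, app_source):
    """Report every reachable component with a known vulnerability; the
    call_path flag is an annotation, not a filter."""
    specs, direct = parse_lockfile(lock_text)
    report = []
    for name in sorted(reachable(specs, direct)):
        if name not in advisories:
            continue
        fixed_in, symbol = advisories[name]
        spec = specs[name]
        if version_tuple(spec.version) < version_tuple(fixed_in):
            report.append({
                "component": name,
                "version": spec.version,
                "fixed_in": fixed_in,
                "direct": name in direct,
                "call_path": call_path_found(symbol, app_source),
            })
    return report


if __name__ == "__main__":
    for row in scan(GEMFILE_LOCK, ADVISORIES, APP_SOURCE):
        print(row)
```

In this constructed input, `httpcore` is only reached transitively through `webframe` and is still reported (with `call_path` false), while `yamlish` is a direct dependency whose vulnerable symbol the app calls, so it is reported with `call_path` true. The lockfile is consumed as-is; nothing is rebuilt or re-resolved.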