Modern software projects are made up of tens or hundreds of open-source software (OSS) components. While this frees development teams to focus on core business logic, OSS components inject risk into applications. The Log4Shell and Spring4Shell zero-day vulnerabilities have highlighted the importance of knowing which versions of which OSS components are in use, and whether those included versions have any reported vulnerabilities against them. Without some level of automation, tracking these open-source components is a tedious and error-prone process.
In addition, customers are...