“Shazaming” software libraries for versions, licenses and security
People love “Shazam” and similar services because they instantly tell you which song is playing, who sings it and who wrote it.
VersionEye applies the same idea to open source software.
Best practice is to manage third-party open source dependencies through a package manager such as Maven or npm, so that every component has declared coordinates and a version.
In reality this is often not the case: many enterprise projects still check the binaries into a “lib” directory with no record of where they came from.
So who can say what a file like “beanutils.jar” actually is?
More importantly: which version and which software license is it, and does it have known security vulnerabilities?
The VersionEye API identifies such components by the SHA digest of the file contents and returns the exact GroupId, ArtifactId and Version, from which you can instantly retrieve:
- VERSION,
- LICENSE and
- potentially known SECURITY vulnerabilities
from the huge VersionEye database.
veye_checker makes this almost as easy as “shazaming” a song,
even for hundreds of components at once.
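As an added illustration (not code from VersionEye or veye_checker), the Python below stands in for the lookup described above: it hashes every jar in a lib directory and resolves each digest against a catalogue. The catalogue, the jar contents and the version/license data are constructed for the example; the real tool sends the digest to the VersionEye API instead of consulting a local dictionary. The point it demonstrates is that identification is by content, not by file name: a renamed jar still resolves, while a jar whose bytes were altered (repacked, patched, shaded) matches nothing and must be reported as unknown rather than guessed from its name.

```python
import hashlib
import os
import tempfile

# Constructed jar payloads standing in for real artifact bytes (an assumption of
# this example; real jars are zip archives). The labels are used only below.
KNOWN_BYTES = {
    "commons-beanutils-1.9.4": b"PK\x03\x04 constructed bytes for beanutils 1.9.4",
    "commons-collections-3.2.2": b"PK\x03\x04 constructed bytes for collections 3.2.2",
}


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


# Constructed catalogue standing in for the VersionEye database: SHA-1 of the
# exact file bytes -> coordinates, license and known advisories. The entries
# are placeholders for the example, not real lookup results.
CATALOGUE = {
    sha1_of_bytes(KNOWN_BYTES["commons-beanutils-1.9.4"]): {
        "group_id": "commons-beanutils",
        "artifact_id": "commons-beanutils",
        "version": "1.9.4",
        "license": "Apache-2.0",
        "vulnerabilities": [],  # filled by the real lookup; empty in this constructed data
    },
    sha1_of_bytes(KNOWN_BYTES["commons-collections-3.2.2"]): {
        "group_id": "commons-collections",
        "artifact_id": "commons-collections",
        "version": "3.2.2",
        "license": "Apache-2.0",
        "vulnerabilities": [],
    },
}


def file_sha1(path: str, chunk_size: int = 1 << 16) -> str:
    """SHA-1 of a file, streamed so large jars are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def identify_lib_dir(lib_dir: str, catalogue: dict) -> dict:
    """Hash every .jar under lib_dir and resolve it by digest.

    Returns {file name: catalogue entry or None}. None means the bytes match
    nothing known; the file name is deliberately not used as a fallback.
    """
    report = {}
    for root, _dirs, files in os.walk(lib_dir):
        for name in sorted(files):
            if not name.endswith(".jar"):
                continue
            digest = file_sha1(os.path.join(root, name))
            report[name] = catalogue.get(digest)
    return report


def build_demo_lib_dir() -> str:
    """Create a temporary 'lib' directory holding three constructed jars."""
    lib_dir = tempfile.mkdtemp(prefix="lib-")
    # 1. an unmodified copy of a known artifact
    with open(os.path.join(lib_dir, "beanutils.jar"), "wb") as f:
        f.write(KNOWN_BYTES["commons-beanutils-1.9.4"])
    # 2. the same artifact after someone repacked or patched it: one byte differs
    with open(os.path.join(lib_dir, "beanutils-patched.jar"), "wb") as f:
        f.write(KNOWN_BYTES["commons-beanutils-1.9.4"] + b"\x00")
    # 3. a misleading name: the bytes are actually commons-collections
    with open(os.path.join(lib_dir, "util.jar"), "wb") as f:
        f.write(KNOWN_BYTES["commons-collections-3.2.2"])
    return lib_dir


def format_report(report: dict) -> list:
    """One line per jar: coordinates, license and advisory count, or UNKNOWN."""
    lines = []
    for name, entry in sorted(report.items()):
        if entry is None:
            lines.append(f"{name}: UNKNOWN (no digest match; do not trust the file name)")
        else:
            gav = f'{entry["group_id"]}:{entry["artifact_id"]}:{entry["version"]}'
            lines.append(f'{name}: {gav} license={entry["license"]} '
                         f'advisories={len(entry["vulnerabilities"])}')
    return lines


if __name__ == "__main__":
    for line in format_report(identify_lib_dir(build_demo_lib_dir(), CATALOGUE)):
        print(line)
```

The UNKNOWN result for the patched copy is the case to watch in practice: a jar that was rebuilt, shaded or modified in-house will never match a published digest, so it still needs manual identification, and its name is no evidence of which version or license it carries.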