Tool name: SecObserve #82
Description
homepage_url
https://secobserve.github.io/SecObserve/
contact_email
code_view_url
https://github.com/SecObserve/SecObserve
spdx_license_expression
BSD-3-Clause
description
SecObserve is an open source vulnerability and license management system for software development teams and cloud environments. It supports a variety of open source vulnerability scanners and integrates easily into CI/CD pipelines.
primary_languages
Python/Django, TypeScript/React
short_term_roadmap
- Support for multi-level assessments of vulnerabilities in products based on platforms
- Prioritisation of vulnerabilities based on CVSS, EPSS and exploitiblity information
- More flexible notifications for new vulnerabilities
- More flexible rules and policies, possibly integrating Open Policy Agent
- Support for ScanCode and OSS Review Toolkit
- Support more vulnerability scanners, e.g. for cloud infrastructure like Kubernetes
long_term_roadmap
A long-term roadmap is not yet defined. It will heavily depend on requirements of the users.
proprietary_data
- Yes, the tool depends on proprietary data sources
commercial_features
- Yes, the tool has a commercial version with different/additional features
capabilities
- Identifiers - Use Package-URL (PURL) identifiers
- Identifiers - Use SPDX license expressions
- Scanning - Analyze package manifests and lockfiles
- Scanning - Analyze package files
- Scanning - Scan for copyright
- Scanning - Scan for license
- Scanning - Analyze source code
- Scanning - Analyze containers
- Scanning - Analyze installed system packages (linux distros)
- Scanning - Analyze installed application packages
- Scanning - Other analysis
- Packages - Inventory packages
- Packages - Inventory packages dependencies
- Packages - Resolve dependencies
- Packages - Navigate or display dependency graph
- Compliance - Generate CycloneDX SBOMs
- Compliance - Generate SPDX SBOMs
- Compliance - Validate CycloneDX SBOM
- Compliance - Validate SPDX SBOMs
- Compliance - Generate CycloneDX VEX
- Compliance - Generate CSAF VEX
- Compliance - Generate OpenVex
- Compliance - Generate other compliance documents
- Policies - Define and check license policies
- Policies - Define and check security policies
- Policies - Define and check other policies
- Data - Database of Package metadata
- Data - Database of Package dependency relationships
- Data - Database of License obligations
- Data - Database of Licenses
- Data - Database of Vulnerabilities
- License - Help triage license issues
- License - Generate license credit and attribution notices
- License - Generate source code redistribution lists
- Vulnerabilities - Detect vulnerable code in packages
- Vulnerabilities - Find known vulnerabilities for package
- Vulnerabilities - Determine reachable vulnerabilities
- Vulnerabilities - Help triage vulnerabilities
- Binaries - Analyze binaries
- Binaries - Analyze ELF binaries
- Binaries - Analyze Windows binaries
- Binaries - Analyze firmware binaries
- Binaries - Analyze Other binaries
- Matching - Match source code
- Matching - Match binary code
- Tracing - Trace code execution
- Tracing - Trace build
- Code Security - Analyze code statically (SAST/linting)
- Code Security - Analyze code dynamically (DAST)
- Download - Source package
- Download - Source repositories
- Download - Binary package
- Deployment - Deployable as containers (Docker/OCI/k8s/etc)
- Deployment - Deployable in CI/CD pipelines
- Deployment - Deployable as a library
- Run - Run as a command line tool
- Run - Run as a web application
- Run - Run as an API service
other_capabilities
Ingest the results of various vulnerability scanners (SAST, DAST, SCA, secrets, cloud infrastructure)