Hello,

I think I have to add my 5 cents. There are commercial (ironically proprietary) products on the market which analyze the software and build a list of open source dependencies.

Then, based on this list of open source dependencies, they build a list of vulnerabilities which might be presented in the analyzed software.

Example of such tool: https://www.blackducksoftware.com/solutions/application-security (Check "Manage Open Source vulnerabilities")

2017-07-26 23:51 GMT+03:00 Hugo Roy <hugo@fsfe.org>:

Thank you Bastien, this is interesting and helpful.

Does anyone has interesting articles about recent vulnerabilities
discovered in free software?

Best,
Hugo

↪ Bastien Guerry / juillet 26, 2017 15:50:

Hi Hugo,

Hugo Roy <hugo@fsfe.org> writes:

Any case studies on how the world dealt to react quickly and update
systems in reponse to Heartbleed for instance?

I remember blackduck had some reports comparing FLOSS/non-FLOSS with
respect to their security, I found this, but I’m sure there are more
detailed documents:

https://info.blackducksoftware.com/rs/872-OLS-526/images/OSSAReportFINAL.pdf

Also, a bit older, but with more data:
http://go.coverity.com/rs/157-LQW-289/images/2014-Coverity-Scan-Report.pdf

I’m not a specialist at all, and all these sources must be read with
a grain of salt, because authors are often not neutral.

HTH,

--
Bastien

_______________________________________________
Discussion mailing list
Discussion@lists.fsfe.org
https://lists.fsfe.org/mailman/listinfo/discussion

WBR & WBW, Vitaly