Palamida AutoExpert™ Rules
A continuously updated and growing set of detection rules makes analysis of scan results increasingly automated. Palamida creates rules based on human analysis of the most commonly used Open Source projects and via automated analysis of repositories. Over 1.2M rules are available today. Users can also create their own rules to automate reporting of items that are unique to their projects.
Each file's hash is compared against the known OSS file hash values in the Palamida compliance library, and matches are reported in the file tree as exact matches. Once a file is selected for further analysis, the components and versions of Open Source projects that match the selected file are displayed. In addition, string, copyright, license text, and email/URL detectors are available for text that survives compilation. Increasingly, scan results with exact matches are analyzed automatically.
Files are scanned for text that matches patterns typically used to express copyrights. After the scan, copyrights are displayed in list form. Individual copyrights can then be selected and the file containing them can be viewed. The detected copyrights are highlighted.
Specific text is often a good indicator of third-party code. For example, “taken from” is an obvious signal for further investigation. Once detected, the strings are displayed in list form so that the analyst can view the files. String results are highlighted when viewing the file contents.
Specialized features make analysis of Java code efficient and productive. Clicking on the namespace tab makes the file tree display compiled namespaces, which is useful for finding license issues within JARs because it makes the origin of JAR files easier to see. After analysis, results are published for review, and a variety of reports are available.
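The detection pipeline described above (exact hash match against a compliance library, then copyright, string and email detectors with a hook for user-defined rules) can be illustrated with a small added example. This is not Palamida code; the file contents, the "library" hashes and the detector patterns are all constructed here for illustration.

```python
import hashlib
import re

# Constructed sample source tree: path -> raw bytes (not real project files).
SAMPLE_FILES = {
    "src/vendor/json_util.c": b"/* Copyright (c) 2009 Example Corp */\n"
                              b"/* taken from libexample 1.2 */\n"
                              b"int parse(void) { return 0; }\n",
    "src/app/main.c": b"int main(void) { return 0; }\n",
    "src/app/NOTICE.txt": b"Copyright 2021 Acme Inc. Contact dev@acme.example\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed "compliance library": file hash -> (component, version).
# Built from the sample bytes above so the example is self-contained.
KNOWN_OSS = {sha256_hex(SAMPLE_FILES["src/vendor/json_util.c"]): ("libexample", "1.2")}

# Detectors for text that survives compilation (hypothetical patterns).
COPYRIGHT_RE = re.compile(r"copyright\s*(\(c\)|\u00a9)?\s*\d{4}[^\n]*", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
STRING_SIGNALS = ("taken from", "borrowed from", "based on")

def scan(files, library, custom_rules=None):
    """Return per-file findings: exact match, copyrights with line numbers,
    signal strings, emails, and hits for user-defined regex rules."""
    custom_rules = custom_rules or {}
    results = {}
    for path, data in files.items():
        text = data.decode("utf-8", errors="replace")
        lines = text.splitlines()
        results[path] = {
            "exact_match": library.get(sha256_hex(data)),  # None if unknown
            # (line number, matched text) so the UI can highlight the hit
            "copyrights": [(i + 1, m.group(0).strip())
                           for i, line in enumerate(lines)
                           for m in COPYRIGHT_RE.finditer(line)],
            "strings": [s for s in STRING_SIGNALS if s in text.lower()],
            "emails": EMAIL_RE.findall(text),
            "custom": [name for name, rx in custom_rules.items() if rx.search(text)],
        }
    return results
```

Files with an exact match can be reported automatically; the remaining findings are what an analyst would review file by file.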
Comprehensive Info, Timely Notification
Vulnerability information is visible throughout the product: during review of scan results, during component search, as part of a request to use, and in multiple reports.
Palamida also tracks projects throughout their lifecycle. For shipping or deployed projects whose scan and analysis work is complete, it sends email alerts when new vulnerabilities are reported for the Open Source components in use.