Deepfactor Release 3.3 Overview
In Release 3.3 of Deepfactor Developer Security, we have made significant enhancements to the platform’s artifact scanner and runtime correlation to help users prioritize SCA findings. Users can now export scan results in multiple formats, including SPDX, and gate builds using a configurable exit code. We have also launched our cloud SaaS platform: users can now sign up for, and get value from, Deepfactor within minutes.
For additional details on the 3.3 release, please review the Release Notes in Deepfactor Docs.
Release 3.3 Highlights
· Multi-tenant Cloud SaaS platform.
· Improved user management capabilities such as change user role, delete user and revoke user tokens.
· Improved authentication/authorization mechanism to access Deepfactor APIs.
· Support for Oracle Linux version 8.5.
· Support for Rocky Linux.
· Support for K8s versions 1.24, 1.25, 1.26 and 1.27.
· Reporting of stack traces for applications using Python version 3.11.
SBOM, SCA & Container Scans
· Added SPDX report format support.
· Configurable exit code, which can be used to gate builds in a CI/CD pipeline.
· Exploits-in-the-wild information for vulnerabilities as another metric for prioritization.
· Classification of transitive and direct dependencies along with root dependency information.
· Runtime usage of Python and Node.js dependencies to prioritize SCA findings.
· Added multiple runtime security alerts that look for anomalous behavior.
Release 3.3 Details: Key Features Added
- Multi-tenant Cloud SaaS platform: We launched our multi-tenant cloud SaaS platform, making it very easy for users to sign up and experience the capabilities Deepfactor offers. Users can sign up for a free trial here.
- SPDX support: Users can now export their SBOM in SPDX format from the CLI as well as the API and UI. We also now allow users to generate multiple reports in different formats for a single scan.
- Gate builds: dfctl scan now returns a configurable exit code if the scan output contains at least one policy violation. Users can specify thresholds for CVSS score and vendor severity. They can also specify a list of disallowed license regexes to be alerted when a dependency with an undesired license is added.
- Exploit information: Deepfactor now pulls exploit information from different sources such as exploit-db, the Cybersecurity and Infrastructure Security Agency (CISA) and PoCs on GitHub, and shows it for the vulnerabilities associated with the user’s applications. This serves as another metric users can utilize to prioritize which vulnerabilities to address first.
- Runtime usage of Node.js and Python applications: Deepfactor helps developers and AppSec teams prioritize which vulnerable dependencies to fix first by providing runtime usage information for dependencies. In this release, we have extended that support to Node.js and Python applications.
- Classification of transitive and direct dependencies: Modern software applications have complex SBOMs: several direct dependencies (included by your developers) import further dependencies, and those dependencies bring in more dependencies, resulting in an n-deep tree. If a sub-dependency is vulnerable, developers can’t directly update it. They need to know which direct dependency is responsible for bringing in the vulnerable sub-dependency so they can upgrade that direct dependency. Deepfactor not only identifies which dependencies are transitive but also the direct dependency that brought in each sub-dependency.
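To make the "Gate builds" and "Exploit information" items concrete, here is an added example of the kind of policy check a CI step performs over scan findings: thresholds on CVSS score and vendor severity, disallowed-license regexes, a configurable failure exit code, and exploited-in-the-wild status used to order the violations. This is illustration code written for this page, not dfctl's implementation; the findings format, the policy keys and the function names are assumptions, and the sample findings are constructed.

```python
"""Build-gating check modelled on the configurable exit-code feature described
in the release notes. Added example: the findings format, policy keys and
function names are assumptions for illustration, not dfctl's own schema."""
import re
import sys
from typing import Dict, List, Optional

# Vendor severity ordered from least to most severe.
SEVERITY_RANK = {"unknown": 0, "negligible": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}

# Constructed sample findings; the CVE ids are placeholders, not real advisories.
FINDINGS: List[Dict] = [
    {"package": "libfoo", "version": "1.2.0", "cve": "CVE-EXAMPLE-0001",
     "cvss": 9.8, "severity": "critical", "license": "MIT", "exploited_in_wild": True},
    {"package": "libbar", "version": "0.4.1", "cve": "CVE-EXAMPLE-0002",
     "cvss": 5.3, "severity": "medium", "license": "Apache-2.0", "exploited_in_wild": False},
    {"package": "libbaz", "version": "2.0.0", "cve": None,
     "cvss": None, "severity": None, "license": "GPL-3.0-only", "exploited_in_wild": False},
]

# Constructed policy: fail when CVSS or vendor severity reach a threshold, or when
# a dependency's license matches a disallowed regex; the exit code is configurable.
POLICY = {
    "max_cvss": 7.0,
    "max_severity": "high",
    "disallowed_license_regexes": [r"^GPL-", r"^AGPL-"],
    "fail_exit_code": 3,
}


def evaluate(findings: List[Dict], policy: Dict) -> List[Dict]:
    """Return the policy violations, exploited-in-the-wild ones first, then by CVSS."""
    cvss_limit: Optional[float] = policy.get("max_cvss")
    sev_limit: Optional[int] = SEVERITY_RANK.get(str(policy.get("max_severity", "")).lower())
    license_res = [re.compile(p) for p in policy.get("disallowed_license_regexes", [])]

    violations = []
    for f in findings:
        reasons = []
        cvss = f.get("cvss")
        if cvss_limit is not None and cvss is not None and cvss >= cvss_limit:
            reasons.append(f"cvss {cvss} >= {cvss_limit}")
        severity = f.get("severity")
        if sev_limit is not None and severity is not None:
            if SEVERITY_RANK.get(severity.lower(), 0) >= sev_limit:
                reasons.append(f"severity {severity} >= {policy['max_severity']}")
        lic = f.get("license")
        if lic is not None and any(rx.search(lic) for rx in license_res):
            reasons.append(f"license {lic} is disallowed")
        if reasons:
            violations.append({
                "package": f["package"], "version": f["version"], "cve": f.get("cve"),
                "cvss": cvss, "exploited_in_wild": bool(f.get("exploited_in_wild")),
                "reasons": reasons,
            })
    # Prioritisation: known-exploited first, then highest CVSS first.
    violations.sort(key=lambda v: (not v["exploited_in_wild"], -(v["cvss"] or 0.0)))
    return violations


def exit_code_for(findings: List[Dict], policy: Dict) -> int:
    """Non-zero exit code (configurable) when at least one violation exists, else 0."""
    return int(policy.get("fail_exit_code", 1)) if evaluate(findings, policy) else 0


if __name__ == "__main__":
    for v in evaluate(FINDINGS, POLICY):
        flag = " [exploited in the wild]" if v["exploited_in_wild"] else ""
        print(f"{v['package']}@{v['version']}{flag}: " + "; ".join(v["reasons"]))
    sys.exit(exit_code_for(FINDINGS, POLICY))
```

Findings with no CVSS or severity (the GPL-licensed package here) are still caught by the license rule, and a policy with no thresholds at all produces exit code 0; a pipeline stage that wraps the scanner simply propagates the returned code to fail the build.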
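The classification step described above (direct versus transitive, plus the direct dependency responsible for each vulnerable sub-dependency) can be worked through on a small dependency graph. The following is an added example written for this page, not Deepfactor's code: the graph, the set of vulnerable packages and the function names are constructed, and the graph shape (package name to list of its dependencies, with the application as the root) is an assumption that any lockfile can be flattened into.

```python
"""Direct/transitive classification and root-dependency attribution over a
dependency graph. Added example with a constructed graph; not Deepfactor's code."""
from collections import deque
from typing import Dict, List, Optional, Set

# Constructed graph: package -> packages it depends on. "app" is the application itself,
# so its entries are the direct dependencies. "semver" is both declared directly and
# pulled in by "express", which must still classify as direct.
DEPENDENCY_GRAPH: Dict[str, List[str]] = {
    "app":         ["express", "lodash", "semver"],
    "express":     ["body-parser", "qs", "semver"],
    "body-parser": ["qs"],
    "qs":          [],
    "lodash":      [],
    "semver":      [],
}

# Constructed: packages a scan flagged as vulnerable.
VULNERABLE: Set[str] = {"qs", "lodash"}


def classify(graph: Dict[str, List[str]], root: str = "app") -> Dict[str, str]:
    """Label every package reachable from the root as 'direct' or 'transitive'."""
    direct = set(graph.get(root, []))
    reachable: Set[str] = set()
    stack = list(direct)
    while stack:  # iterative DFS; the visited set makes cycles safe
        node = stack.pop()
        if node in reachable:
            continue
        reachable.add(node)
        stack.extend(graph.get(node, []))
    return {n: ("direct" if n in direct else "transitive") for n in reachable}


def shortest_path(graph: Dict[str, List[str]], start: str, target: str) -> Optional[List[str]]:
    """BFS from one package to another; returns the package chain or None if unreachable."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in graph.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def responsible_direct_deps(graph: Dict[str, List[str]], target: str,
                            root: str = "app") -> Dict[str, List[str]]:
    """Map each direct dependency whose subtree contains `target` to a shortest chain."""
    result = {}
    for direct in graph.get(root, []):
        path = shortest_path(graph, direct, target)
        if path is not None:
            result[direct] = path
    return result


def triage(graph: Dict[str, List[str]], vulnerable: Set[str], root: str = "app") -> Dict[str, Dict]:
    """For each vulnerable package in the tree, report its kind and which direct
    dependency to upgrade (the package itself when it is direct)."""
    kinds = classify(graph, root)
    report = {}
    for pkg in sorted(vulnerable):
        if pkg not in kinds:  # flagged package is not in this application's tree
            continue
        report[pkg] = {"kind": kinds[pkg], "fix_via": responsible_direct_deps(graph, pkg, root)}
    return report


if __name__ == "__main__":
    for pkg, info in triage(DEPENDENCY_GRAPH, VULNERABLE).items():
        chains = ", ".join(" -> ".join(p) for p in info["fix_via"].values())
        print(f"{pkg} ({info['kind']}): upgrade via {chains}")
```

For the constructed graph, `qs` is transitive and is reached only through `express`, so that is the direct dependency to upgrade; `lodash` is direct and is its own fix. Where a vulnerable package is reachable from several direct dependencies, every one of them is listed, since upgrading only one leaves the other path in place.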