Overwhelmed by the sheer number of results legacy Software Composition Analysis (SCA) tools generate? Oxeye helps you focus on exploitable open source and third party package vulnerabilities, so that you can prioritize your remediation efforts.
We do this by identifying and showing you which packages are loaded and used, and which ones are accessible from the Internet.
If a Vulnerability Can't Be Exploited, Is It Really a Vulnerability?
Legacy SCA tools identify vulnerabilities in open source packages using a two-step process:
1. Scan and identify open source packages in package managers, source code, binary files, container images, etc., and place them into a Software Bill of Materials (SBOM)
2. Compare this SBOM against a number of databases, usually including the National Vulnerability Database (NVD), to identify vulnerable packages
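The two steps above, followed by the loaded/Internet-accessible context Oxeye layers on top of them, as an added illustration in Python (this is not Oxeye's code or output; all package names, versions, advisory IDs and runtime flags are constructed sample data):

```python
"""Toy SCA matcher: SBOM-vs-vulnerability-feed comparison, then context-based ranking.
Everything below is constructed sample data, not real packages or advisories."""

# Step 1 output: a minimal SBOM (constructed), as a legacy SCA tool would emit it.
SBOM = [
    {"name": "libxml-parser", "version": "2.4.1"},
    {"name": "json-helper", "version": "1.0.3"},
    {"name": "tls-shim", "version": "0.9.0"},
]

# Step 2 input: a vulnerability feed (constructed; IDs are placeholders, not real CVEs).
# "below" is the first fixed version: any installed version lower than it is affected.
VULN_DB = [
    {"id": "PLACEHOLDER-0001", "name": "libxml-parser", "below": "2.5.0", "severity": 9.8},
    {"id": "PLACEHOLDER-0002", "name": "json-helper", "below": "1.1.0", "severity": 7.5},
    {"id": "PLACEHOLDER-0003", "name": "tls-shim", "below": "0.8.0", "severity": 5.3},
]

# Runtime context (constructed) that a plain SBOM-vs-NVD comparison does not have:
# is the package actually loaded, and does a request from the Internet reach it?
RUNTIME = {
    "libxml-parser": {"loaded": True, "internet_facing": True},
    "json-helper": {"loaded": False, "internet_facing": False},
}


def parse_version(v):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def is_affected(pkg, vuln):
    return vuln["name"] == pkg["name"] and parse_version(pkg["version"]) < parse_version(vuln["below"])


def legacy_findings(sbom, vuln_db):
    """Step 2 as legacy tools do it: every matching package is reported, no context."""
    return [v["id"] for p in sbom for v in vuln_db if is_affected(p, v)]


def contextual_findings(sbom, vuln_db, runtime):
    """Same matches, annotated with runtime context and ranked: Internet-facing and
    loaded packages first, then by severity. Packages absent from the runtime
    data are treated as not loaded and not exposed."""
    out = []
    for p in sbom:
        for v in vuln_db:
            if is_affected(p, v):
                ctx = runtime.get(p["name"], {"loaded": False, "internet_facing": False})
                out.append({"id": v["id"], "severity": v["severity"], **ctx})
    out.sort(key=lambda f: (f["internet_facing"], f["loaded"], f["severity"]), reverse=True)
    return out
```

Both functions report the same two findings; only the second one tells you that one of them is loaded and reachable from the Internet while the other is neither.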
The result? A huge list of all possible vulnerabilities, without any context. These tools don't distinguish among the following three buckets: