Getty Images

Endor Labs ships Java 'Magic Patches' with SCA tools

Upgrade impact analysis and backported fixes will help one enterprise customer make a major Java upgrade manageable and keep compliant with FedRAMP.

Updates shipped by Endor Labs to its SCA tools this week assess the risks of remediating software supply chain security vulnerabilities and offer a less painful alternative with backported patches for Java packages.

The Endor Labs Open Source product, which performs source code analysis (SCA), models open source software dependencies and generates software bill of materials (SBOM), now includes upgrade impact analysis. This feature presents a list of open source package security vulnerabilities Endor finds in production application environments, with severity ratings and information about whether upgrading to patched versions will introduce breaking changes.

When the risk of such breaking changes is too great to proceed, Endor will now provide what it calls "Magic Patches," versions of vulnerability fixes released upstream backported to work with previous releases of a package.

"We're starting with Java, because we did a survey on where the biggest problems are for customers, where they're having the most difficulty upgrading," said Jenn Gile, director of product marketing at Endor Labs. "We found it's actually a fairly small number of Java packages that cause a lot of issues, so we're focused there first."

However, Endor plans to add backported packages for software libraries in other languages "on a case-by-case basis" depending on what customers need, Gile said.

Informatica taps Endor to soothe Java upgrade pain

Data management vendor Informatica is among the Endor Labs customers experiencing Java upgrade pain. The company began using Endor Labs SCA tools about a year ago, starting with reachability analysis to get a better sense of the company's software inventory and its open source dependencies, according to Pathik Patel, head of cloud security at the company.

Pathik Patel, head of cloud security, InformaticaPathik Patel

"That's their secret sauce, which they solved from ground up -- it's not a bolt-on, like others," Patel said. "We looked at two other tools. Even though they claim [otherwise], their rate of false positives was very high, so we were not able to trust them."

Patel did not name the other two vendors he evaluated, but Endor Labs claims its program analysis techniques based on static call graphs makes its reachability analysis more detailed and effective than competitors in determining the impact of vulnerabilities in specific application environments.

Patel said he expects Endor's upgrade impact analysis feature will help development teams get through a major upgrade from Java 8 to Java 22, by assessing which aspects of the upgrade the team should do first and which will be difficult based on how the company's applications are using Java software packages, including transitive dependencies.

Developers are hesitant to upgrade because they don't know the impact for the rest of the folks [at the company] who are using the same library.
Pathik PatelHead of cloud security, Informatica

"If you look at very popular Java libraries, they provide a lot of functionality, but developers are typically just using one of them," Patel said. "When these kinds of things are there in the codebase, developers are hesitant to upgrade because they don't know the impact for the rest of the folks [at the company] who are using the same library."

Endor Labs SCA tools helped Informatica determine what its thorniest upgrades will be and get a more precise estimate of how long they will take. Initially, internal estimates of the time required to do the upgrade was two years of work-hours -- now, developers can estimate the specific number of three-month release cycles required.

Informatica hasn't used Endor's Magic Patches yet, but they could be useful when the time required to upgrade package versions runs afoul of FedRAMP requirements that mandate fixes within fixed time periods of 30, 60 or 90 days, he said.

Endor Labs Change Impact Analysis and Magic Patches
Endor Labs' SCA tools now include analysis of how difficult fixing open source vulnerabilities will be, and offers a quicker alternative called Magic Patches.

SCA tools evolution intensifies

SCA tools have evolved quickly from static scans of codebases into broader software supply chain security platforms in recent years amid high-profile supply chain attacks, said Janet Worthington, an analyst at Forrester Research.

"Two years ago, people were so excited when an SCA tool could generate an SBOM," Worthington said. "Now that's not enough anymore -- they have to be able to generate it in multiple formats. They have to be able to ingest an SBOM from another third party."

Endor Labs plans further expansion into artifact signing, now in beta and expected to become generally available in the next few weeks. Patel said he's starting to test that feature as a means to associate specific portions of open source libraries to the developers at the company responsible for fixing vulnerabilities.

This is something Informatica currently does by tagging builds as they move through CI/CD pipelines, but getting them to the right person often involves service management tickets "bouncing back and forth," sometimes for days, he said.

"In the end, it finds the right person and works out, but if you have only 30 days to fix it, and this ticket bouncing happens for four to five days, you have already lost one week," Patel said.

Other SCA tools offer forms of upgrade impact analysis, such as Mend.io's Merge Confidence feature, Lineaje's BOMbots, Snyk's Risk Score and Moderne's DevCenter. A few, such as Snyk, Seal Security and Moderne, can automatically remediate or generate backported patches for some open source libraries -- Snyk's patches currently support Node.js only.

"This is the direction software composition analysis should go in," Worthington said. "Now that we have AI, you should be able to use some of these tools to do a mock upgrade, run it, see if it breaks in tests."

Another analyst, however, sounded a note of caution about long-term use of backported patches.

"These backported patches shouldn't be seen as a permanent fix, as it can create more long-term problems to stay on an older, unsupported or vulnerable version indefinitely," said Katie Norton, an analyst at IDC.

But for now, Endor won't put a time limit on how long its Magic Patches will be supported, according to Gile.

"We took a look in particular at the customers we have that are using Spring, and we found 82% of them are using something in the Spring 5 series that came out in 2020," she said. "There's certainly a scenario where they might say, 'You know what, we're never going to upgrade this, because it's terrifying,'… they may be building a totally different … environment that doesn't rely on those old dependencies, so it may be more of a long-term migration strategy."

Beth Pariseau, senior news writer for TechTarget Editorial, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.

Dig Deeper on Software development lifecycle