Open Source Security
Tuesday, December 16, 2025
Comparing different approaches for listing software dependencies and their licenses
It's a useful thing to be able to list all third-party software dependencies used in a project, along with their versions and licenses. ...
Thursday, March 7, 2024
Improving license detection when generating SBOMs
I blogged last year about generating a Software Bill of Material (SBOM) for an Apache Maven project using the cyclonedx-maven-plugin. It...
Monday, October 23, 2023
CVE-2023-44483 in Apache Santuario - XML Security for Java
A new CVE has been published for the recent Apache Santuario - XML Security for Java releases (4.0.0, 3.0.3, 2.3.4 and 2.2.6): CVE-2023-444...
Tuesday, October 10, 2023
Publishing SBOMs for open-source projects
Software Bill of Materials (SBOMs) are a recent hot topic, in part due to an executive order by the US government which references making a...
Friday, April 14, 2023
Open Source Software Composition Analysis
Software Composition Analysis (SCA) is the process of figuring out which third-party dependencies are used in your project. It's an esse...
Thursday, March 16, 2023
OpenSSF Allstar
In the previous blog post, I looked at how to use OpenSSF Scorecard to improve the security posture of your open-source GitHub projects. T...
Tuesday, February 21, 2023
OpenSSF Scorecard
OpenSSF Scorecard is a tool that assesses your project against a number of security best practices and assigns a score (out of 10). It is a...