CodeClarity v0.0.21-alpha: A Deep Dive into the Latest Features, Improvements, and Community Insights
Hoot-hoot!
We’re excited to announce the release of CodeClarity v0.0.21-alpha, a major update that brings significant improvements to our SBOM (Software Bill of Materials) and vulnerability tools.
Let’s take a deep dive into what’s new, why it matters, and how it impacts your experience with CodeClarity.
What’s New in v0.0.21-alpha?
1️⃣ Faster Vulnerability Lookups with Reinstated Database Indexes
The Problem:
In previous versions, we encountered an issue where database indexes—critical for speeding up queries—were accidentally erased during schema synchronization. This happened because of a feature that automatically synced the database schema with the code’s definitions. While this was useful in development, it caused performance issues in production by wiping out indexes.
The Fix:
We’ve reinstated the database indexes that were previously erased. These indexes are now explicitly managed and protected from accidental deletion in production environments.
Why It Matters:
Indexes are the backbone of efficient database queries. Without them, scanning for vulnerabilities could take minutes instead of seconds. For example, when you run a scan for a specific package, the indexed data allows CodeClarity to quickly retrieve relevant vulnerabilities from NVD (National Vulnerability Database) and OSV (Open Source Vulnerability). This improvement ensures that even large-scale projects can be analyzed rapidly, reducing friction during security audits.
Technical Note:
The schema sync feature was deactivated in production to prevent accidental index removal. If you’re running CodeClarity in a development or testing environment, you can still use the feature, but it’s now clearly documented to avoid unintended side effects.
2️⃣ Enhanced SBOM Filtering for Precision and Control
The Problem:
SBOMs can become overwhelming when dealing with large projects that include hundreds of dependencies. Without clear filtering options, it’s hard to focus on the most critical components.
The Fix:
We’ve added advanced filtering capabilities to the SBOM result page:
- Dependency Type: Filter by direct (explicitly declared in your project) or transitive (dependencies of dependencies) dependencies.
- Environment: Filter by development (e.g., devDependencies) or production (e.g., dependencies) dependencies.
Why It Matters:
These filters empower users to:
- Prioritize direct dependencies for updates or security patches.
- Isolate development-only dependencies to avoid unnecessary alerts.
- Focus on production dependencies to ensure the final product is secure.
Example Use Case:
Imagine a project with 500 dependencies. By filtering for direct and production dependencies, you can quickly identify the 20-30 critical packages that need attention, rather than sifting through the entire list.
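To make the two filters concrete, here is an added example (not CodeClarity's own code) that classifies the packages of a small constructed dependency graph as direct or transitive and as production or development, then applies the same filters the result page offers. The manifest, graph and version numbers are constructed sample data.

```typescript
// Added example (not CodeClarity's own code): classify SBOM entries as
// direct/transitive and production/development, then filter like the result page.
// The manifest and resolved graph below are constructed sample data.
type Env = "production" | "development";
interface SbomEntry { id: string; direct: boolean; environment: Env }

const manifest = {
  dependencies: { "express@4.19.2": true },          // production
  devDependencies: { "jest@29.7.0": true },          // development only
};
// Resolved graph: package -> packages it depends on. "debug" is shared by both trees.
const graph: Record<string, string[]> = {
  "express@4.19.2": ["qs@6.11.0", "debug@2.6.9"],
  "jest@29.7.0": ["chalk@4.1.2", "debug@2.6.9"],
  "qs@6.11.0": [], "debug@2.6.9": [], "chalk@4.1.2": [],
};

// Every package reachable from the given roots (depth-first walk).
function reachable(roots: string[]): Set<string> {
  const seen = new Set<string>();
  const stack = [...roots];
  while (stack.length > 0) {
    const id = stack.pop()!;
    if (seen.has(id)) continue;
    seen.add(id);
    stack.push(...(graph[id] ?? []));
  }
  return seen;
}

function buildSbom(): SbomEntry[] {
  const prodRoots = Object.keys(manifest.dependencies);
  const devRoots = Object.keys(manifest.devDependencies);
  const direct = new Set([...prodRoots, ...devRoots]);
  const prodReach = reachable(prodRoots);
  // A package that ships in production code is "production" even if a dev tool also pulls it in.
  return Object.keys(graph).map((id) => ({
    id,
    direct: direct.has(id),
    environment: prodReach.has(id) ? "production" : "development",
  }));
}

// Mirrors the two result-page filters; an omitted option means "don't filter on it".
function filterSbom(entries: SbomEntry[], opts: { direct?: boolean; environment?: Env }): SbomEntry[] {
  return entries.filter((e) =>
    (opts.direct === undefined || e.direct === opts.direct) &&
    (opts.environment === undefined || e.environment === opts.environment));
}
```

Note that a shared transitive package (debug here) is classified as production because a production dependency reaches it; hiding development dependencies must not hide it.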
3️⃣ Smarter Vulnerability Views with D3.js and False Positive Management
The Problem:
Vulnerability reports often include redundant or misleading data, such as overly broad matches (e.g., * in a version range) or discrepancies between NVD and OSV. This can lead to confusion and wasted time.
The Fix:
We’ve made several improvements to the vulnerability result page:
- Switched from Chart.js to D3.js:
  Big thanks to @Aspoorine for this contribution!
  - Why? To reduce external dependencies and improve performance. D3.js is more lightweight and flexible for complex visualizations.
  - Result: Faster load times and cleaner graphs.
- False Positive Handling:
  - Issue: Many vulnerabilities use * to match all versions (e.g., CVE-2020-1416). These are often irrelevant because there’s no actionable fix.
  - Solution: We now filter out such vulnerabilities by default.
  - Future Plan: Add a user-configurable filter to show or hide these entries based on your needs.
- NVD vs. OSV Discrepancy Warnings:
  - Issue: NVD and OSV often disagree on vulnerability data. For example, NVD might list a vulnerability that OSV does not.
  - Solution:
    - Warnings: A yellow warning now highlights discrepancies in the table and detail views.
    - Filter: A “hide possibly incorrect matches” toggle lets you exclude entries that may be incorrect.
Why It Matters:
These changes reduce noise in vulnerability reports, helping you focus on real risks. For instance, if NVD and OSV disagree on a vulnerability, you can quickly decide whether to investigate further or ignore it.
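The following added example (not CodeClarity's own code) shows the two noise filters side by side: wildcard ("*") matches dropped by default, and a per-row "possibly incorrect" flag raised when NVD and OSV disagree, with the optional toggle that hides flagged rows. The findings are constructed; CVE-2020-1416 is reused from the text above and the other CVE IDs are placeholders.

```typescript
// Added example (not CodeClarity's own code): the two noise filters described above,
// applied to constructed findings. A finding carries the affected-version range each
// source reports, or undefined when that source has no record of it.
interface Finding {
  cve: string;
  pkg: string;
  nvdRange?: string;   // affected range according to NVD
  osvRange?: string;   // affected range according to OSV
}
interface ViewRow extends Finding { possiblyIncorrect: boolean }

// "*" means the advisory claims every version is affected: no actionable fix, so hidden by default.
function isWildcardMatch(f: Finding): boolean {
  return f.nvdRange === "*" || f.osvRange === "*";
}

// Discrepancy: one source reports the vulnerability and the other does not,
// or both report it but disagree on the affected range.
function hasSourceDiscrepancy(f: Finding): boolean {
  if (f.nvdRange === undefined || f.osvRange === undefined) return true;
  return f.nvdRange !== f.osvRange;
}

function buildVulnerabilityView(
  findings: Finding[],
  opts: { hideWildcard?: boolean; hidePossiblyIncorrect?: boolean } = {},
): ViewRow[] {
  const hideWildcard = opts.hideWildcard ?? true;                      // default on, as in v0.0.21
  const hidePossiblyIncorrect = opts.hidePossiblyIncorrect ?? false;   // the optional toggle
  return findings
    .filter((f) => !(hideWildcard && isWildcardMatch(f)))
    .map((f) => ({ ...f, possiblyIncorrect: hasSourceDiscrepancy(f) })) // drives the yellow warning
    .filter((r) => !(hidePossiblyIncorrect && r.possiblyIncorrect));
}

// Constructed sample: CVE-2020-1416 is the page's wildcard example; the other IDs are placeholders.
const sampleFindings: Finding[] = [
  { cve: "CVE-2020-1416", pkg: "pkg-a", nvdRange: "*", osvRange: "*" },
  { cve: "CVE-0000-PLACEHOLDER-1", pkg: "pkg-b", nvdRange: "<1.2.3", osvRange: "<1.2.3" },
  { cve: "CVE-0000-PLACEHOLDER-2", pkg: "pkg-c", nvdRange: "<2.0.0" },                     // NVD only
  { cve: "CVE-0000-PLACEHOLDER-3", pkg: "pkg-d", nvdRange: "<3.1.0", osvRange: "<3.0.0" },  // ranges differ
];
```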
What’s Next for CodeClarity?
We’re already planning the next set of updates, including:
- Dependency Graph Visualization: A visual map of your project’s dependencies to identify risks at a glance.
- CI/CD Integration: Seamless integration with GitHub Actions, GitLab CI, and other platforms for automated security checks.
- Enhanced Risk Scoring: A more nuanced system for prioritizing vulnerabilities based on VLAI.
We’ll share more details in upcoming blog posts and through our GitHub repository.
Join the CodeClarity Community!
We’re always looking for contributors, testers, and feedback from the open-source community. Here’s how you can get involved:
Contribute to the Code
- GitHub: CodeClarityCE Organization
- Issues: Report bugs or suggest features on GitHub Issues.
Stay Informed
- Blog: CodeClarity Blog
Collaborate
- Discord: Join our Discord to discuss features, ask questions, and share insights.
Final Thoughts
If you’ve used CodeClarity before, we’d love to hear your feedback. If you’re new to the project, we encourage you to try it out and see how it can simplify your security workflow.
CodeClarity is open source; join the parliament!
#CodeClarity #SoftwareSecurity #Compliance #Opensource #SBOM #VulnerabilityManagement #OpenSourceCommunity
Install CodeClarity with just one simple command – and begin securing your software today.
curl -O https://raw.githubusercontent.com/CodeClarityCE/deployment/main/setup.sh && bash setup.sh