DevOps outfit SourceClear has released a free tool for finding vulnerabilities in open-source code.

SourceClear Open is touted as a means for developers to identify known and emerging security threats beyond those in public and government databases.

“Developers are being held more accountable for security and demanding tools that help them with that responsibility,” according to SourceClear. “But traditional security products are insufficient, and the recent closure of the Open Source Vulnerability Database (OSVDB) and the well-documented struggles of the CVE and its naming process have underscored the limitations of public and government-backed software vulnerability databases.”

SourceClear Open is based on SourceClear’s commercial products and delivered as a cloud-based service. The technology is said to track thousands of threat sources and analyse millions of open-source library releases.

The new tool is designed to allow developers to identify what open-source libraries they are using, what vulnerabilities exist, which vulnerabilities actually matter, and what needs to be done to fix them. SourceClear Open integrates with GitHub and Jenkins and supports languages such as Java, Ruby, Python and JavaScript that development teams often rely on.
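The four steps that paragraph lists (inventory the libraries in use, match them against an advisory feed, decide which findings actually matter, and say what to fix) are the core of any software composition analysis workflow. The script below is an added illustration of that workflow and is not SourceClear's code or data: the advisory ids, package names, versions and symbols are all constructed for the example, and the "does the application call the vulnerable entry point" check is a deliberately crude stand-in for the call-graph analysis a real product would do.

```python
"""
Minimal software-composition-analysis (SCA) check, added as an illustration of
the workflow described above: read a pinned dependency manifest, match each
dependency against an advisory feed by version range, flag findings whose
vulnerable entry point the application actually uses, and state the fix.
All advisory ids, package names and versions below are constructed for this
example; they do not describe real libraries or real vulnerabilities.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # constructed placeholder id, not a CVE
    package: str
    introduced: str           # first affected version (inclusive)
    fixed: Optional[str]      # first fixed version (exclusive); None if no fix yet
    vulnerable_symbol: str    # module.function that triggers the bug
    summary: str


# Constructed advisory feed standing in for a real vulnerability database.
ADVISORIES: List[Advisory] = [
    Advisory("ADV-EXAMPLE-0001", "yamlish", "0.1.0", "2.4.1",
             "yamlish.load", "unsafe deserialisation in load()"),
    Advisory("ADV-EXAMPLE-0002", "yamlish", "2.0.0", "2.3.0",
             "yamlish.dump", "crash on malformed input to dump()"),
    Advisory("ADV-EXAMPLE-0003", "fastxml", "1.0.0", None,
             "fastxml.parse", "external entity expansion in parse()"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Read pinned 'name==version' lines from a requirements.txt-style manifest."""
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or "==" not in line:
            continue                           # only exact pins are handled here
        name, version = (s.strip() for s in line.split("==", 1))
        deps[name.lower()] = version
    return deps


def is_affected(adv: Advisory, version: str) -> bool:
    """Range check: introduced <= version < fixed (fixed=None means still unfixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def scan(requirements: str, used_symbols: Set[str]) -> List[dict]:
    """Match pinned dependencies against the feed; reachable findings sort first."""
    deps = parse_requirements(requirements)
    findings = []
    for adv in ADVISORIES:
        version = deps.get(adv.package.lower())
        if version is None or not is_affected(adv, version):
            continue
        findings.append({
            "package": adv.package,
            "version": version,
            "advisory": adv.advisory_id,
            "summary": adv.summary,
            # A finding matters more when the application actually calls the
            # vulnerable entry point; a real tool would derive this from a call graph.
            "reachable": adv.vulnerable_symbol in used_symbols,
            "fix": (f"upgrade to {adv.fixed}" if adv.fixed
                    else "no fixed release; mitigate or replace"),
        })
    findings.sort(key=lambda f: (not f["reachable"], f["package"], f["advisory"]))
    return findings


# Constructed manifest and the set of library symbols the application imports/calls.
SAMPLE_REQUIREMENTS = """
# application dependencies (constructed)
yamlish==2.3.5
fastxml==1.2.0
requests-like==9.9.9
"""
SAMPLE_USED_SYMBOLS = {"yamlish.load", "fastxml.render"}

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUIREMENTS, SAMPLE_USED_SYMBOLS):
        flag = "REACHABLE" if f["reachable"] else "present  "
        print(f"{flag} {f['package']}=={f['version']} {f['advisory']}: "
              f"{f['summary']} -> {f['fix']}")
```

Run against the constructed manifest, the script reports the yamlish finding first (the pinned 2.3.5 falls inside the affected range and the application calls the vulnerable `load()`), reports the fastxml finding as present but not reachable, and ignores the second yamlish advisory because 2.3.5 is already past its fix version. The numeric version tuple matters: comparing "2.10.0" and "2.9.5" as strings would put the older release after the newer one and silently misclassify findings.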

SourceClear’s chief exec (and OWASP founder) Mark Curphey explains the technology and the thinking behind it in a blog post entitled Free Security for Open-Source Code - SourceClear Open is Now Live, here. ®