Is Debricked’s service on prem or SaaS?
Currently we are only offering a SaaS solution.
What is meant by “increased compute” offering for Enterprise customers?
For our Enterprise customers, we increase the amount of available workers to allow for scanning more files in parallel, which can greatly increase scan speed.
To what extent can Root Fixes break the code?
In short, to no greater extent than manually updating dependencies. There's always a risk of breaking changes when updating dependencies. It's hard to say how big the risk is, since that is individual per update. The risk is not inherently larger with root fixes than with indirect fixes, though what we can guarantee is that we won't break the dependency tree (by introducing a dependency version that is not compatible with upstream dependencies).
How long do I need to wait to request a second password reset?
You need to wait one hour before requesting a second password reset.
Is there a way to restrict what repositories certain users can see?
As of right now, we don't offer those capabilities.
Is it possible to extract a pie chart or other visualisation over the identified licenses and dependencies?
You can do a license export, which contains both licenses and dependencies. This output is delivered in Excel format, from which you can create the pie chart. Alternatively, our API can help you solve this.
What do we classify as a “scan”?
We do a scan every time a developer commits code, regardless of the size.
How accurate is the service in finding a vulnerability?
Our service will detect any open source vulnerability in your repository that has been published by sources including (but not limited to): the NVD database, NPM, C# announcements, FriendsOfPHP's security advisories, the Go Vulnerability Database, the PyPA Python Advisory Database, GitHub Issues, the GitHub Security Advisory database, mailing lists and more. Those sources are updated every 15 minutes to ensure that as many vulnerabilities are found as possible.
Does Debricked run on PC or does it upload to your servers?
There are a few different ways you can run our service: one way is to upload your dependency files manually, but typically you would run it in your test pipelines, for example via integration with GitHub, GitLab, etc.
How do you distinguish between frequent and sporadic contributors?
We look at averages and prune the committers monthly. We realize that most businesses have some amount of "non-developer" committers. These could be bots, students joining for just a short period of time, etc. Because of this we talk to our customers about what the actual number of contributing developers is and enter that into the contract.
What practices does Debricked take to prevent and detect vulnerabilities?
To prevent and detect vulnerabilities, Debricked:
- uses our own service to find known vulnerabilities in our dependencies
- conducts third-party penetration tests
- continuously runs our own penetration tests internally
- has a vulnerability disclosure program that allows bug bounty hunters to report security issues to us. For interesting findings we provide monetary rewards.
Where is Debricked’s data stored?
Customer data is stored using GCP as the service provider, in the Netherlands.