The idea behind VersionEye is that it monitors your package managers project files on GitHub / Bitbucket / Stash. Project files like Gemfile, package.json, composer.json, pom.xml, Podfile and many others. That way VersionEye knows which open source dependencies you are using and based on that it can send you notifications to security vulnerabilities, license violations and outdated versions which matters to you.
Currently these package managers are supported:
The majority of our community is using VersionEye to monitor their project files (Gemfile, package.json, composer.json, pom.xml, Podfile ...) directly on GitHub or Bitbucket. If your code is not on GitHub or Bitbucket, simply use the native VersionEye plugin for your build tool:
or use the VersionEye API directly. For a one time scan you can simply upload your project file in the login area.
Nowadays software projects are based on many open source
libraries! How do you ensure that you are not using dependencies which has
security vulnerabilities? You don't! VersionEye is checking multiple security databases
every day and knows which artifacts are vulnerable. VersionEye can monitor your project and send you security
notifications if one of your dependencies has a known security vulnerability.
With the native plugins we can even break your build on your CI server if one of your dependencies has a known security vulnerability.
Nowadays software projects are based on many open source components! Some of the components are published under a permissive and others under a copyleft license. If you develop closed source software you should avoid copyleft licenses like GPL! Otherwise you have to open source your project as well! VersionEye can check all your open source dependencies against a license whitelist and notify you about violations! This checks can happen in real time and your software team can react immediately! Depending on your software development process we can even break your build on the CI server if there is a license violation.
VersionEye notifies you about outdated dependencies in your software projects. Nowadays software projects are based on many open source and self developed components. Checking manually for updates for these components is a very time consuming task and not fun at all! VersionEye notifies software developers about outdated dependencies in their projects. That way they can save a lot of time and focus on development. Usually the newest version of a software package has fixed the known security vulnerabilities from the past. It makes sense to keep their dependencies up-to-date ;-)
VersionEye has a very good integration for GitHub.
If you are using the VersionEye GitHub integration, VersionEye will check
all dependencies in a pullrequest for potential risks like known security vulnerabilities,
unknown licenses and violations of your license whitelist. That way you get notified
about potential risks even before you merge a pullrequest.
This integration works with GitHub Enterprise as well!
Read more about this feature on our blog.
In VersionEye projects are grouped inside of an organisation entity.
Each organisation entity can have multiple teams and each project can be
assigned to multple teams. The email notifications can be configured
on the team level. Each team can decide to which aspect of the project
they want to receive email notifications and on which day of the week.
This model offers a lot of flexibility and is a really good fit for
big organisations with many teams and many projects.
Read more about this featur on our blog.
You can run the VersionEye software as on premise installation on your own server(s) in your own datacenter. That way you can connect it to your LDAP or Active Directory, configure it with your own SMTP or Exchange server and integrate it with your development infrastructure like binary repositories, git repositories and build systems. More information to that is on our Enterprise page.
The VersionEye crawlers are collecting 24/7 meta information about open source projects which are available through some kind of package manager. Meta information like security vulnerabilities, licenses, versions, descriptions, links and so on. Currently the VersionEye database contains meta information to more than 1.5 Million open source projects. The VersionEye database is accessible through the VersionEye API. Every open source project in our database has a page at VersionEye.com where the collected meta information can be viewed.