
Implement Snippet Matching (open source code fragment reuse) Security Scanning


Problem to solve

Snippets are fragments of source code meant to be reused. In the case of open-source code snippets, these fragments may be part of a larger open source component which may carry license requirements not met by, or perhaps not intended to be included as part of the larger codebase.

Intended users

Developers, Security and Compliance roles.

Further details

Synopsys Detect currently provides this capability in Black Duck Hub, and it has been mentioned as a requirement by certain prospects and customers.

Proposal

To the end of maintaining organizational governance and compliance, snippet-matching security scanning would provide an organization with assurances code snippets are identified, and where appropriate, corresponding licenses are acquired and included.

Given our current approach to provide other types of Security Scanning, Snippet Matching could potentially run as a job in a pipeline, providing quick feedback to Developers and other relevant roles in a Merge Request.

Permissions and Security

Proposed behavior should be consistent with permissions and security as with current model for executing other security scanning jobs.

Documentation

Unknown at the moment.

Testing

Unknown at the moment.

What does success look like, and how can we measure that?

Snippet Matching finds open source code fragments in a branch through a related job in a pipeline, and the result of the job run displays in the Merge Request widget.
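To make concrete what "finds open source code fragments in a branch" means for the proposed pipeline job, here is an added illustration of the core matching technique, written for this issue and not taken from GitLab, Synopsys Detect or Black Duck. It fingerprints normalized token k-grams with winnowing (the approach used by academic code-similarity tools), indexes fingerprints from a small constructed corpus of "known open-source" code, and reports which lines of a candidate file reuse a fragment even after the function was renamed. The corpus, the candidate file, the k-gram size and the window size are all constructed assumptions for the demonstration.

```python
"""Toy snippet matcher: hashed token k-grams + winnowing.

Added example for illustration only; this is not GitLab's, Synopsys Detect's
or Black Duck's implementation. Corpus, candidate file and tuning constants
are constructed for the demo.
"""
import hashlib
import re
from typing import Dict, List, Set, Tuple

K = 5        # tokens per k-gram (assumed tuning for this toy example)
WINDOW = 4   # winnowing window: one fingerprint kept per WINDOW k-grams

# identifiers, numbers, two-char operators, single punctuation characters
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|==|!=|<=|>=|[^\s\w]")


def tokenize(source: str) -> List[Tuple[str, int]]:
    """Return (token, line_number) pairs. Python-style comments, blank lines
    and whitespace are dropped so cosmetic edits do not defeat the match."""
    tokens: List[Tuple[str, int]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.split("#", 1)[0]
        for tok in TOKEN_RE.findall(code):
            tokens.append((tok, lineno))
    return tokens


def fingerprints(tokens: List[Tuple[str, int]]) -> List[Tuple[int, int]]:
    """Hash every k-gram, then keep the (rightmost) minimum hash of each
    sliding window. Any shared run of WINDOW + K - 1 tokens is guaranteed to
    share at least one selected fingerprint. Returns (hash, first_line)."""
    grams: List[Tuple[int, int]] = []
    for i in range(len(tokens) - K + 1):
        text = " ".join(tok for tok, _ in tokens[i:i + K])
        digest = hashlib.sha256(text.encode()).digest()[:8]
        grams.append((int.from_bytes(digest, "big"), tokens[i][1]))
    if len(grams) <= WINDOW:
        return grams
    selected: List[Tuple[int, int]] = []
    last_idx = -1
    for start in range(len(grams) - WINDOW + 1):
        best_idx = start
        for j in range(start, start + WINDOW):
            if grams[j][0] <= grams[best_idx][0]:
                best_idx = j
        if best_idx != last_idx:
            selected.append(grams[best_idx])
            last_idx = best_idx
    return selected


def build_index(corpus: Dict[str, str]) -> Dict[int, Set[str]]:
    """Map fingerprint hash -> set of component names that contain it."""
    index: Dict[int, Set[str]] = {}
    for component, source in corpus.items():
        for h, _ in fingerprints(tokenize(source)):
            index.setdefault(h, set()).add(component)
    return index


def match_snippets(candidate: str, index: Dict[int, Set[str]],
                   min_hits: int = 3) -> Dict[str, dict]:
    """Report components whose fingerprints appear at least min_hits times
    in the candidate, with the candidate line numbers involved."""
    hits: Dict[str, int] = {}
    lines: Dict[str, Set[int]] = {}
    for h, line in fingerprints(tokenize(candidate)):
        for component in index.get(h, ()):
            hits[component] = hits.get(component, 0) + 1
            lines.setdefault(component, set()).add(line)
    return {c: {"hits": n, "lines": sorted(lines[c])}
            for c, n in hits.items() if n >= min_hits}


# Constructed "known open-source" corpus: one component with a copyleft license.
KNOWN_COMPONENTS = {
    "example-lib (GPL-3.0)": """
def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
""",
}

# Constructed candidate: the function was renamed but its body was copied.
CANDIDATE = """
import sys

def edit_distance(a, b):  # renamed; body copied from example-lib
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def main():
    print(edit_distance(sys.argv[1], sys.argv[2]))
"""

# Constructed unrelated code that must not be flagged.
UNRELATED = "def greet(name):\n    return 'hi ' + name\n"

if __name__ == "__main__":
    report = match_snippets(CANDIDATE, build_index(KNOWN_COMPONENTS))
    for component, info in report.items():
        print(f"{component}: {info['hits']} fingerprint hits, "
              f"lines {info['lines'][0]}-{info['lines'][-1]}")
```

In a pipeline job the report dictionary is what would be serialized as the job artifact and surfaced in the Merge Request widget; the component name is the key a compliance role would use to look up the license obligation. Normalizing away comments and whitespace, and hashing token k-grams rather than raw lines, is what lets the match survive a rename, while the `min_hits` threshold suppresses coincidental matches on short common idioms.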

What is the type of buyer?

Enterprise organizations with strict compliance and governance requirements.

Links / references
