Endor Labs ships Java 'Magic Patches' with SCA tools

Upgrade impact analysis and backported fixes will help one enterprise customer make a major Java upgrade manageable and keep compliant with FedRAMP.

Updates shipped by Endor Labs to its SCA tools this week assess the risks of remediating software supply chain security vulnerabilities and offer a less painful alternative with backported patches for Java packages.

The Endor Labs Open Source product, which performs software composition analysis (SCA), models open source software dependencies and generates software bills of materials (SBOMs), now includes upgrade impact analysis. This feature presents a list of open source package security vulnerabilities Endor finds in production application environments, with severity ratings and information about whether upgrading to patched versions will introduce breaking changes.

When the risk of such breaking changes is too great to proceed, Endor will now provide what it calls "Magic Patches," versions of vulnerability fixes released upstream backported to work with previous releases of a package.

"We're starting with Java, because we did a survey on where the biggest problems are for customers, where they're having the most difficulty upgrading," said Jenn Gile, director of product marketing at Endor Labs. "We found it's actually a fairly small number of Java packages that cause a lot of issues, so we're focused there first."

However, Endor plans to add backported packages for software libraries in other languages "on a case-by-case basis" depending on what customers need, Gile said.

Informatica taps Endor to soothe Java upgrade pain

Data management vendor Informatica is among the Endor Labs customers experiencing Java upgrade pain. The company began using Endor Labs SCA tools about a year ago, starting with reachability analysis to get a better sense of the company's software inventory and its open source dependencies, according to Pathik Patel, head of cloud security at the company.

"That's their secret sauce which they solved from ground up -- it's not a bolt-on like others," Patel said. "We looked at two other tools. Even though they claim [otherwise], their rate of false positives was very high, so we were not able to trust them."

Patel did not name the other two vendors he evaluated, but Endor Labs claims its program analysis techniques based on static call graphs make its reachability analysis more detailed and effective than competitors' in determining the impact of vulnerabilities in specific application environments.

Patel said he expects Endor's upgrade impact analysis feature will help development teams get through a major upgrade from Java 8 to Java 22, by assessing which aspects of the upgrade the team should do first and which will be difficult based on how the company's applications are using Java software packages, including transitive dependencies. 

"If you look at very popular Java libraries, they provide a lot of functionality, but developers are typically just using one of them," Patel said. "When these kinds of things are there in the codebase, developers are hesitant to upgrade because they don't know the impact for the rest of the folks [at the company] who are using the same library."

Endor Labs SCA tools helped Informatica determine what its thorniest upgrades will be and get a more precise estimate of how long they will take. Initially, the internal estimate of the time required to do the upgrade was two years of work-hours -- now, developers can estimate the specific number of three-month release cycles required.

"[The] Spring [framework] is the biggest culprit for us, which is impacting something like 60% of our libraries," Patel said. "So that's what we should tackle first."

Informatica hasn't used Endor's Magic Patches yet, but they could be useful when the time required to upgrade package versions runs afoul of FedRAMP requirements that mandate fixes within fixed time periods of 30, 60 or 90 days, he said.

SCA tools evolution intensifies

SCA tools have evolved quickly from static scans of codebases into broader software supply chain security platforms in recent years amid high-profile supply chain attacks, said Janet Worthington, an analyst at Forrester Research.

"Two years ago, people were so excited when an SCA tool could generate an SBOM," Worthington said. "Now that's not enough anymore -- they have to be able to generate it in multiple formats. They have to be able to ingest an SBOM from another third party."

Endor Labs plans further expansion into artifact signing, now in beta and expected to become generally available in the next few weeks. Patel said he's starting to test that feature as a means to associate specific portions of open source libraries to the developers at the company responsible for fixing vulnerabilities.

This is something Informatica currently does by tagging builds as they move through CI/CD pipelines, but getting them to the right person often involves service management tickets "bouncing back and forth," sometimes for days, he said.

"In the end, it finds the right person and works out, but if you have only 30 days to fix it, and this ticket bouncing happens for four to five days, you have already lost one week," Patel said.

Other SCA tools offer forms of upgrade impact analysis, such as Mend.io's Merge Confidence feature, Lineaje's BOMbots, Snyk's Risk Score and Moderne's DevCenter. A few, such as Snyk, Seal Security and Moderne, can automatically remediate or generate backported patches for some open source libraries -- Snyk's patches currently support Node.js only.

"This is the direction software composition analysis should go in," Worthington said. "Now that we have AI, you should be able to use some of these tools to do a mock upgrade, run it, see if it breaks in tests. … I think that's what Endor is working toward."

Another analyst, however, sounded a note of caution about long-term use of backported patches.

"These backported patches shouldn't be seen as a permanent fix, as it can create more long-term problems to stay on an older, unsupported or vulnerable version indefinitely," said Katie Norton, an analyst at IDC.

But for now, Endor won't put a time limit on how long its Magic Patches will be supported, according to Gile.

"We took a look in particular at the customers we have that are using Spring, and we found 82% of them are using something in the Spring 5 series that came out in 2020," she said. "There's certainly a scenario where they might say, 'You know what, we're never going to upgrade this, because it's terrifying,'… they may be building a totally different … environment that doesn't rely on those old dependencies, so it may be more of a long-term migration strategy."

Beth Pariseau, senior news writer for TechTarget Editorial, is an award-winning veteran of IT journalism covering DevOps. Have a tip? Email her or reach out @PariseauTT.
