Blog

A New Partnership: Node Security Project

Gemnasium is proud to announce our new partnership with Node Security Project. Node Security Project (NSP) is an integral part of the Node.js community, dedicated to ensuring that security is a core priority for Node. The Node Security Project offers tools to ensure the security of Node projects, as well as a place to report new security threats and their solutions. This partnership offers Gemnasium projects using npm (node package manager) the added protection of NSP security advisories.

Simplified Pricing

Gemnasium has always been committed to providing value and ensuring our customers see return for their investment. This has led to some tinkering with our pricing model in the past, in order to ensure that our customers could get the features they wished, without paying more than necessary. Originally, our pricing model was based simply on private projects hosted on Github. In order to provide those with public projects access to premium features, we added an option to ‘buy’ features, labeled as ‘slots’.

Bitbucket support

Hello readers! It has been a while since our last post, and we apologize for that. We will be renewing our efforts to continually inform you and others in the development community by posting on a regular basis. Not only do we hope to share our successes, but also provide industry insight, and help our users make the most out of our product. But this blog report isn’t just to renew our commitment to our readers, it is to announce an exciting development for Gemnasium.

Slack notifications

It has been requested for a while, and we are now excited to announce the availability of Slack notifications for your Gemnasium projects! While a large number of users are still using email notifications, more and more are migrating to team chats like the popular Slack. To start using Slack notifications, go to your project's settings, in the Hooks tab. Currently, only security notifications are sent to your Slack channels, but we will improve this feature with your feedback.

Gemnasium next Enterprise adventure

Responding to the strong demand on our support, we have decided to start working on the Enterprise Edition of Gemnasium. This version will be available on premises, running on your own servers. It will allow your Gemnasium instance to reach private repositories hosted on Atlassian Stash or GitHub Enterprise, and many other things the SaaS version is not able to achieve today. We have planned to start a private beta in early 2016, but until then, we would be very glad if you could help us build the next Gemnasium for your enterprise:

Security: one issue, many packages

If you’re familiar with Linux distributions, you probably know the concepts of “downstream” and “upstream”; these refer to the package you install and the source project, respectively. For instance, postgresql.org hosts the source of the PostgreSQL RDBMS, and it’s available as a package for Debian, Fedora, etc. When “upstream” is fixed and gets a new version, many packages have to be fixed too. One issue, many packages. Things are different for libraries written in Ruby, Python or Node, as the developers in charge of the project also build the package.

Dear package, give git tags to your versions

Every now and then, we at Gemnasium.com go through the source code of some package that’s been reported to be vulnerable. Not only do we want to better understand the security issue, we also want to be sure about which versions are affected and which versions are fixed. This can be quite easy when the source is on GitHub and each individual version corresponds to a git tag, or very difficult (and frustrating) when there’s no relation between the two.

Dependency requirements going wild

Listing the libraries a project depends on is generally not enough: one has to be more specific about the versions that are fully compatible with the project. This task is both critical and difficult, especially when it comes to versions that have not been published yet. Fortunately, we’ve got this wonderful convention called SemVer. For instance, if a project is compatible with version 1.0 of a library “z”, we can assume that it’s also compatible with 1.

Dependency management using commits

Today package managers make it easy to install a library at a particular git branch or commit (assuming we can access the source code of the library). This is so convenient that PHP Composer (PHP’s main package manager) goes a step further: if the source code of a library is managed using git, all the git branches are automatically turned into so-called “versions” users can easily install. Nice, don’t you think?

Security alerts go free

Until recently, a paid subscription was required to access the details of a security alert on Gemnasium.com. Today we’ve got good news for all free Gemnasium users: you can see the security alerts without paying a dime. Alerts management also went free. Not familiar with this feature? Let’s recap.

When your project turns red

We at Gemnasium are constantly looking for new package advisories that may impact the dependencies of your projects.