|
| 1 | +--- |
| 2 | +slug: atom-chen-aboutcode |
| 3 | +title: atom and chen join AboutCode |
| 4 | +authors: [pombredanne] |
| 5 | +tags: [atom,chen] |
| 6 | +hide_table_of_contents: false |
| 7 | +--- |
| 8 | + |
| 9 | + |
| 10 | + |
| 11 | + |
| 12 | +[atom](https://github.com/AppThreat/atom) and [chen](https://github.com/AppThreat/chen), |
| 13 | +two open source tools for high-quality code analysis built by the [AppThreat](https://www.appthreat.com/) team, are now part of the non-profit [AboutCode](https://aboutcode.org/) |
| 14 | +organization committed to making open source easier and safer |
| 15 | +to use by building critical open source tools for Software Composition |
| 16 | +Analysis (SCA) and beyond. |
| 17 | + |
| 18 | +“AppThreat started with the simple mission to make high-quality code analysis |
| 19 | +and security tools for everyone,” says [Prabhu Subramanian](https://github.com/prabhu), |
| 20 | +lead maintainer of atom and chen, founder of AppThreat, and creator of other |
| 21 | +open source supply chain security tools like [OWASP CycloneDX Generator (cdxgen)](https://github.com/CycloneDX/cdxgen), [OWASP blint](https://github.com/owasp-dep-scan/blint), and |
| 22 | + [OWASP depscan](https://owasp.org/www-project-dep-scan/). |
| 23 | + |
| 24 | +While working on a different problem, Prabhu uncovered a lack of high-quality |
| 25 | +code hierarchy analysis libraries and CLI tools. atom and chen were built as |
| 26 | +open source tools to identify likely adversary entry points to improve threat |
| 27 | +modeling, vulnerability management, and risk mitigation. Precisely knowing |
| 28 | +when, where, and how a given library is used in an application or service |
| 29 | +empowers developers to better understand risks and secure their work. |
| 30 | + |
| 31 | +chen, or Code Hierarchy Exploration Net, is an advanced exploration toolkit |
| 32 | +for your application source code analysis to parse and extract code property |
| 33 | +graphs. |
| 34 | + |
| 35 | +Powered by the chen library, atom is a novel intermediate representation for |
| 36 | +applications and a standalone tool. The intermediate representation (a network |
| 37 | +with nodes and links) is optimized for operations typically used for |
| 38 | +application analytics and machine learning, including slicing and vectoring. |
| 39 | + |
| 40 | +“As our projects grew in usage and significance, we felt the need to donate |
| 41 | +these projects to an open source organization committed to the original |
| 42 | +AppThreat mission,” says Prabhu. “AboutCode is that organization.” |
| 43 | + |
| 44 | +AboutCode is a registered non-profit organization that supports the |
| 45 | +development and maintenance of the AboutCode stack of open source tools and |
| 46 | +open data for SCA, including the industry-leading ScanCode, VulnerableCode, |
| 47 | +and DejaCode projects. AboutCode believes that good open source tools and |
| 48 | +open data help you use open source securely and efficiently. |
| 49 | + |
| 50 | +With planned tighter integrations with the AboutCode stack, atom and chen will |
| 51 | +provide an even more comprehensive open source solution for the practical |
| 52 | +management of open source and security compliance. This includes advanced code reachability analysis, more efficient triage of vulnerabilities based on true reachability, and deep analysis of call graphs to find where vulnerable code |
| 53 | +is used. |
| 54 | + |
| 55 | +For supply chain analysis, atom can generate evidence of external library |
| 56 | +usage, including the flow of data. OWASP cdxgen uses atom to improve the |
| 57 | +precision and comprehensiveness of the generated CycloneDX SBOM document. |
| 58 | + |
| 59 | +For vulnerability analysis, atom describes vulnerabilities with evidence of |
| 60 | +affected symbols, call paths, and data flows to enable variant and |
| 61 | +reachability analysis at scale. |
| 62 | + |
| 63 | +“The next frontier in vulnerability management is deep vulnerable code |
| 64 | +reachability analysis and taint analysis to discover new vulnerabilities,” |
| 65 | +says AboutCode lead maintainer Philippe Ombredanne. “atom and chen are the |
| 66 | +fundamental blocks to enable the construction of a FOSS solution to better |
| 67 | +triage vulnerabilities and avoid vulnerability fatigue.” |
| 68 | + |
| 69 | +Building upon atom and chen joining, AboutCode will adopt an open governance |
| 70 | +model, drawing from best practices established by other organizations |
| 71 | +committed to open source software, prioritizing transparency, inclusivity, and |
| 72 | + community-driven development. A technical advisory group (TAG) will be formed |
| 73 | + to ensure project development addresses the needs of the wider community. |
| 74 | + |
| 75 | +Want to get involved? Join the AboutCode [Slack](https://join.slack.com/t/aboutcode-org/shared_invite/zt-1paqwxccw-IuafuiAvYJFkTqGaZsC1og) or [Gitter](https://app.gitter.im/#/room/#aboutcode-org_discuss:gitter.im) to chat with the community. |
0 commit comments