The c2m Software Code and Components Analysis Suite provides continuous quality and security review by automating source code evaluation. It’s suitable for supporting technical due diligence in M&As and provides actionable recommendations for technical and non-technical stakeholders.
Unlike other commercial and OSS source code assessment tools, which address only the needs of developers, CodeWeTrust aims to make senior management aware of the impact of software quality on business growth.
c2m “LIGHT” ver 5.5.0 – FLOW
c2m “LIGHT” ver 5.5.0 – FLOW (CI/CD)
c2m “LIGHT” ver 5.5.0 – NEW FEATURES
Developers create the code but are rarely empowered to dedicate resources to improving source code quality and security, while management lacks an adequate level of information to support profitable risk mitigation. Management knows the cost of development and commercial licenses, but is rarely aware of the cost of maintaining the code, the cost of fixing vulnerabilities, and the cost of OSS management. CodeWeTrust extracts different but consistent information for each decision maker.
The new version expands c2m’s functionality in three main areas: Application Security, Development Process Assessment and Usability.
ADDITIONAL SECURITY
For each discovered linked package, the new version lists:
- the package's page,
- the pages of its known vulnerabilities, and
- the proposed fix. Note that we always rely on the accumulated and constantly updated knowledge of the OSS community rather than maintaining our own (necessarily limited) knowledge base.
The user can edit the messages and add their own notes. The notes are stored in the local database and reflected in the reports.
We also report license scheme changes in third-party packages, including the associated risk.
DEVELOPMENT PROCESS ASSESSMENT
The new version provides an overview of the security assessment and the state of the code base.
The web app dashboards (running on a local or cloud server) provide all supporting details.
CodeWeTrust supports three levels of detail:
- Executive level (dashboards/statistics and a report summarizing key risks and recommended remediation).
- Development management level (detailed dashboards, JIRA connector, and a technical report summarizing key issues and recommendations for remediation).
- Developer level connecting the reported issues to the code (integrated code viewer).
USABILITY
Since any automated code scanner reports many false positives, operator support for processing findings is essential. The new version supports processing of findings for both third-party package analysis and third-party code in use. The operator's notes are stored in the local database and reflected in the reports.
STANDARD CODEWETRUST c2m FUNCTIONALITY
Application Security Capabilities
M&A Capabilities
The new version of c2m provides two complementary methods for analyzing security vulnerabilities: it uncovers weaknesses in the scanned code itself (classified by CWE) as well as known vulnerabilities in its dependencies (CVE). The first method discovers weaknesses by statically scanning the code, while the second examines linked packages/libraries via integration with the GitHub, RedHat and NIS vulnerability databases.
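The second method above (and the per-package listing of advisory pages and proposed fix in the ADDITIONAL SECURITY section) is, at its core, a match of each linked package's version against the affected ranges published in public advisory feeds. The following is an added example, not c2m/CodeWeTrust code: it assumes a pip-freeze-style lockfile and a constructed, offline advisory list whose package names, advisory IDs and URLs are all hypothetical, so it does not describe any real vulnerability.

```python
"""Minimal software-composition-analysis (SCA) matcher (added example, not c2m code).

Assumptions (not from the page): dependencies arrive as "name==version" lines, and
each advisory carries a half-open affected range [introduced, fixed) plus a URL.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    id: str          # hypothetical advisory identifier
    package: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive upper bound); "" if no fix yet
    url: str         # hypothetical advisory page


def parse_version(v):
    """Turn '1.2.3' into a comparable tuple; non-numeric fragments compare as 0."""
    parts = []
    for p in v.split("."):
        num = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(num) if num else 0)
    while len(parts) < 3:  # pad so '1.4' == '1.4.0'
        parts.append(0)
    return tuple(parts)


def is_affected(version, adv):
    """True if version lies in [introduced, fixed); an empty 'fixed' means open-ended."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def parse_lockfile(text):
    """Parse 'name==version' lines; blank lines and '#' comments are skipped."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = version.strip()
    return deps


def scan(lockfile_text, advisories):
    """Return one finding per advisory whose package is present in an affected version."""
    deps = parse_lockfile(lockfile_text)
    findings = []
    for adv in advisories:
        version = deps.get(adv.package.lower())
        if version is None or not is_affected(version, adv):
            continue
        findings.append({
            "package": adv.package,
            "version": version,
            "advisory": adv.id,
            "url": adv.url,
            "fix": f"upgrade to >= {adv.fixed}" if adv.fixed else "no fix released",
        })
    return findings


# Constructed sample input: hypothetical packages and advisories, not real data.
LOCKFILE = """# constructed sample lockfile
examplelib==1.4.2
otherlib==2.0.0
cleanlib==0.9.1
"""

ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "examplelib", "1.0.0", "1.5.0",
             "https://advisories.example.invalid/ADV-EXAMPLE-1"),
    Advisory("ADV-EXAMPLE-2", "otherlib", "2.0.0", "",
             "https://advisories.example.invalid/ADV-EXAMPLE-2"),
    Advisory("ADV-EXAMPLE-3", "cleanlib", "0.5.0", "0.9.0",
             "https://advisories.example.invalid/ADV-EXAMPLE-3"),
]

if __name__ == "__main__":
    for f in scan(LOCKFILE, ADVISORIES):
        print(f"{f['package']}=={f['version']}: {f['advisory']} {f['url']} -> {f['fix']}")
```

Two practical caveats: the version comparison ignores pre-release and build tags, so a real deployment should use a proper version library for the ecosystem at hand, and matching on package name alone (without ecosystem or namespace) is a common source of the false positives mentioned in the USABILITY section.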
AI-driven Executive Report
This automatically generated report summarizes key risks and findings using a combination of predefined and user-defined rules. It encodes the expertise of a due diligence consultant using AI and ML techniques, and also provides SBOM information.
Blind Audit (Findings Import and Export) Process
CI/CD INTEGRATION CAPABILITIES
Integrations with GitHub, GitLab, Bitbucket, and JIRA
c2m ver 5.0 automates the scanning of code hosted in any Git version control system (GitHub, GitLab, Bitbucket, etc.). Users can scan a single repository or an entire ecosystem.
c2m ver 5.0 also integrates seamlessly with the JIRA Issue & Project Tracking System. Users can create and monitor source code quality improvements directly from c2m.
Content Access Control
c2m ver 5.0 enables user-defined access control via a content access control module. System administrators can configure access rights for internal and external users (view only, extract reports, add new products for analysis, etc.).
AI-driven Engineering Report
This new module automatically generates an engineering report that supports code refactoring plans, cost reduction, and technical risk mitigation. It answers questions such as:
- “Who has developed the majority of features?”
- “Who has fixed the most critical bugs?”
- “Who of the top contributors are still actively supporting the codebase?“
Quality Time Trends
This function provides a visualization of time trends per category (defects, vulnerabilities, etc.). It answers:
- “Has the reliability of the codebase improved?”
- “Has the number of security vulnerabilities decreased?”
c2m automatically compiles risk mitigation suggestions (action items) by combining insights from time trend analysis, development team productivity analysis, and the discovery of key risks.
Code Quality Rule Management
Users can customize quality assurance via a variety of rule sets based on programming best practices and application security standards.
Programming Languages
We continue to expand our supported programming languages. Our latest static code analysis module supports twenty-five programming languages. All other modules (e.g., security analysis, license compliance analysis, software composition analysis (SCA), package aging analysis) are language agnostic, thus supporting all tech stacks.
We offer a 30-day Free Evaluation – So Give c2m “Light” a test drive today!