Versions Compared

Old Version 28

changes.mady.by.user Laura Mandolini

Saved on

compared with

New Version 29

changes.mady.by.user Laura Mandolini

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Security Reviewer – Software Composition Analysis (SCA) identifies project dependencies on 3rd-parties components directly inside your SDLC, as Jenkins Plugin, Bamboo Plugin or using the CLI Interface. Security Reviewer – Software Composition Analysis is able to identify Java, C/C++, Ruby, Groovy, Perl, PHP, JavaScript, TypeScript, Python, Rust, Scala, GO, R, Kotlin, Clojure, ErLang, Shell, PowerShell, LUA and Auto-IT components along with .NET assemblies and Objective-C, Objective-C++, SWIFT support. Once identified, SCA will automatically determine if those components have known, publicly disclosed, vulnerabilities as well as licenses-related issues.

...

Analyzer

File Types Scanned

Analysis Method

SRslic **

ASP, ASPX, HTML, JSP, JSF, JAVA, C#, VB.NET, C, CPP, H, HPP, M, MM, SWIFT, PHP, JS, TS, RB, GROOVY, GY, PY, PERL, PL, SCALA, GO, R, KT, CLJ, ERL, SH, PS1, AU3, LUA, XML files

Reveals Licenses in Whitelist, Licenses in Blacklist, License Conflicts, Suspicious Licenses, License Violations and Poor’s man copyrights found in source code.

Artifactory

jFrog Artifactory

Analyzer which will attempt to locate a dependency on a jFrog Artifactory service by SHA-1 digest of the dependency.

Archive

Zip archive format (*.zip, *.ear, *.war, *.jar, *.sar, *.apk, *.nupkg); Tape Archive Format (*.tar); Gzip format (*.gz, *.tgz); Bzip2 format (*.bz2, *.tbz2)

Extracts archive contents, then scans contents with all available analyzers.

Assembly

.NET Assemblies (*.exe, *.dll)

Uses GrokAssembly.exe, which requires .NET Framework or Mono runtime to be installed, otherwise .NET Assemblies will be analyzed by FileInfo and NuSpec analyzers only.

Packrat

CRAN

packrat.lock files (R language).

RetireJS

JavaScript

It uses the manually curated list of vulnerabilities from the RetireJS community along with the necessary information to assist in identifying vulnerable components. Vulnerabilities documented by the RetireJS community usually originate from other sources such as the NVD, OSVDB, NSP, and various issue trackers.

CMake

CMake project files (CMakeLists.txt) and scripts (*.cmake)

Regex scan for project initialization and version setting commands.

MSBuild

.NET Assembly

Analyzes MSBuild Projects

MavenGradleAnt

Analyze Maven, Ant and Gradle build files for Java

Analyze pom.xml, build.gradle, and build.xml.

GoDep

Analyze GitHub dependency files for GO Language, .go

Analyze vendor.conf, godeps.json, godeps.json gomod files, and gopkg.toml.

Jar Analyzer

Java archive files (*.jar); Web application archive (*.war)

Examines archive manifest metadata, and Maven Project Object Model files (pom.xml).

NSP

Node Security Project is used to analyze Node.js’ package.json files for known vulnerable packages.

Recently acquired by NPM inc., this service will be still available until September, 30.

SNYK JavaScript, .NET, Java, TypeScript, Python, Ruby, Scala, GO Scans scripts and dependencies

Nuspec

Nuget package specification file (*.nuspec)

Uses XPath to parse specification XML. Analyze also packages.config and (*proj or sln), project.lock.json and project.assets.json or PackageReference.

OpenSSL

OpenSSL Version Source Header File (opensslv.h)

Regex parse of the OPENSSL_VERSION_NUMBER macro definition.

Ruby bundler‑audit

Ruby Gemfile.lock files

Executes bundle-audit and incorporates the results into the dependency-check report.

Autoconf

Autoconf project configuration files (configure, configure.in, configure.ac)

Regex scan for AC_INIT metadata, including in generated configuration script.

CocoaPods

CocoaPods .podspec and podfile.lock files

Extracts dependency information from specification file and lock file, for Objective-C and SWIFT projects.

Composer Lock

PHP Composer and PHP Pear

Parses PHP Pear package.xml, PHP Composer lock and composer.json files for exact versions and dependencies.

Node.js


NPM package specification files (package.json)


Parse JSON format for metadata.


Python Metadata

Python source files (*.py); Package metadata files (PKG-INFO, METADATA); Package Distribution Files (*.whl, *.egg, *.zip) Anaconda and environment.yml

Regex scan of Python source files for setup tools metadata; Parse RFC822 header format for metadata in all other artifacts. Also scans dependencies in yml files.

FileInfo-JarManifest**

jar, war, ear, dll, exe, lib, shared libs and machOS, UPX, PE executables

Reveals Blacklisted Libraries, Outdated Libraries, Other Vulnerable Libraries.

Ruby Gemspec

Ruby makefiles (Rakefile); Ruby Gemspec files (*.gemspec)

Regex scan Gemspec initialization blocks, Rakefile and gemfile.lock for metadata.

SWIFT

SWIFT Package Manager’s Package.swift

Extracts dependency information from swift package file.

**awesome-C, awesome-CPP, cppreference, awesome-dotnet, awesome-javascript, awesome-typescript, SwifterSwift, Three20, PyPi, awesome-scala

Fresh updated lists of best (awesome) libraries, packages and frameworks, specialized for each Programming language

Seeks for new and updated libraries, packages and frameworks coming directly from programmer’s community.

SBT

SCALA

Scans build.sbt for dependencies.

CRAN RScans for add-on packages from CRAN
Akku.scm RScans a Scheme from Akku.scm

CPAN

Perl

Analyze dependencies in Makefile.PL.

LeiningenClojureScans Lein scripts
LuaRocksLUAScans rocks packages

ERL

Erlang

Analyze dependencies in rebar.config.

 RustRustScans cargo.toml file
 au3pmAuto-ITScans json.au3 
 BowerJavaScriptScans bower.json
 ChocolateyWindows PackagesScans c4b files
 ClojarsClojureScans Lein scripts and Cloure JAR files
 ConanC/C++ Scans makefile

**Security Reviewer’s SCA unique features

Anchor
packages
packages
Package Managers

SCA supports the following Package Managers:

...

While these suits have been filed, given the fact that a particular OSS component could easily have hundreds of contributors and hence hundreds of copyright owners without a common voice, litigation is not typical. Instead, compliance with OSS license terms becomes critical in the context of many important transactions, such as financing and mergers and acquisition transactions. A sophisticated investor or acquirer in any significant financing or M&A (Merge & Acquisition) transaction will always demand a representation and warranty of OSS compliance. Non-compliance creates potential ambiguity around ownership of a material asset and potential post-closing costs of compliance. That ambiguity and associated remediation costs may affect not only the value of the transaction, but also the decision whether to proceed with the transaction at all. How an enterprise manages its use of OSS can speak volumes as to its policies, procedures, structure and culture, all of which are relevant to successful transaction due diligence. To avoid the potential for OSS issues to negatively impact an important transaction, enterprises must develop and follow processes to inventory their use of OSS components, analyze their degree of compliance and remediate any non-compliance long before the term sheet stage of any transaction. Before any enterprise commences an OSS audit, it needs to educate both developers and management on the benefits and risks of incorporating OSS into their proprietary software applications. Asking individuals to participate in an audit where their prior actions could come under a microscope will be far more successful if they understand and appreciate the importance of the outcome.

OSS Component Inventory – Software Bill Of Material (

...

SBOM)

The most significant effort with any OSS audit is inventorying existing use of OSS components. That inventory can occur manually by interviewing each developer and asking them to identify the OSS components they have downloaded and used in the development process. For long standing development teams that have never been through this exercise, that can be a difficult, if not impossible, task. While it may be easy to remember OSS components that were recently incorporated into a development project, that may not be true for software developed years ago. Alternatively, third party software products exist that can automate the inventory process.

I support the following SBOM standards:

Security Reviewer – Composition Analysis module can scan your software code and, using sophisticated pattern  matching algorithms, identify the various OSS components present in your software code. While some vendors require that source code be uploaded to their cloud environment for processing, Security Reviewer can operate entirely on-premises and using hashed values of the source code to avoid the risk of source code disclosure outside the enterprise. Unless an enterprise is in the early stages of its development process or has kept an accurate running list of OSS components, the automated process will be far more accurate and complete. Further, in more and more significant financing and M&A transactions, the investors or acquirers themselves are using such automated tools as part of the due diligence process, so to simply assume that the manual inventory process will be “good enough” may be misguided. Representing compliance and possession of an accurate list of OSS components, only to later find out from a counterparty using an automated tool that this is not the case, can be just as bad, if not worse, than not having completed an audit at all.

...

Security Reviewer - Software Composition Analysis (SCA) discovers Vulnerable, Blacklisted, Discontinued by the Community, Deprecated and Obsolete Libraries/Frameworks. This is achieved by continuous monitoring of the following external data sources:

-- Debian Security https://security-tracker.debian.org
-- Linux Security https://linuxsecurity.com/
-- RedHat Security https://access.redhat.com/security
-- Oracle Security Advisory https://www.oracle.com/technetwork/security-advisory
-- SuSe OVAL Descriptions https://www.suse.com/support/security/oval/
-- Ubuntu CVE Tracker https://people.canonical.com/~ubuntu-security/cve/main.html
-- Alpine Linux Security https://alpinelinux.org
-- CentOS Security https://www.centosblog.com/categories/security/
-- Microsoft Security Response Center https://portal.msrc.microsoft.com/en-us/security-guidance
-- OSS Index by Sonatype: https://ossindex.sonatype.org/
-- NVD by NIST: https://www.nist.gov/programs-projects/national-vulnerability-database-nvd
-- VulnDB: https://vuldb.com/
-- Maven Central: https://mvnrepository.com/repos/central (Java, Scala, Kotlin)
-- NuGet Packages: https://www.nuget.org/packages  (.NET)
-- PyPy compatibility: https://bitbucket.org/pypy/compatibility/wiki/Home (Python)
-- Common Weakness Enumeration (CWE): http://cwe.mitre.org/
-- CVE Details: https://www.cvedetails.com/

SCA uses the following community-driven 'Awesome' lists too:
-- Awesome Java https://github.com/akullpp/awesome-java
-- Awesome .NET https://github.com/quozd/awesome-dotnet
-- Awesome Android https://github.com/JStumpp/awesome-android
-- Awesome C libraries https://github.com/kozross/awesome-c
-- Awesome C++ https://github.com/fffaraz/awesome-cpp
-- Awesome JavaScript https://github.com/sorrycc/awesome-javascript
-- Awesome TypeScript https://github.com/dzharii/awesome-typescript
-- Awesome Python https://awesome-python.com/ and https://pythonawesome.com
-- Awesome Ruby https://github.com/markets/awesome-ruby
-- Awesome Scala https://github.com/lauris/awesome-scala
-- Awesome GO https://github.com/avelino/awesome-go
-- Awesome PHP https://github.com/ziadoz/awesome-php
-- Awesome Swift https://github.com/matteocrippa/awesome-swift
-- Awesome iOS https://github.com/vsouza/awesome-ios
-- Awesome Kotlin https://github.com/KotlinBy/awesome-kotlin
-- Awesome Groovy libs https://github.com/kdabir/awesome-groovy
-- Awesome shell scripts https://github.com/alebcay/awesome-shell
-- Awesome R https://awesome-r.com
-- Awesome PowerShell https://github.com/janikvonrotz/awesome-powershell
-- Awesome Auto-It https://github.com/J2TeaM/awesome-AutoIt
-- Awesome LUA https://github.com/LewisJEllis/awesome-lua
-- Awesome Clojure https://github.com/razum2um/awesome-clojure
-- Awesome Erlang https://github.com/drobakowski/awesome-erlang
-- Awesome Rust https://github.com/rust-unofficial/awesome-rust

Further, SCA uses the libHunt service:
-- Java https://java.libhunt.com/
-- .NET https://dotnet.libhunt.com
-- Android https://android.libhunt.com/
-- C/C++ https://cpp.libhunt.com/
-- JavaScript/TypeScript https://js.libhunt.com/
-- Python https://python.libhunt.com
-- Ruby/Groovy https://ruby.libhunt.com/
-- Scala https://scala.libhunt.com/
-- GO https://go.libhunt.com/
-- PHP https://php.libhunt.com/
-- Swift https://swift.libhunt.com/
-- iOS https://ios.libhunt.com/
-- Kotlin https://kotlin.libhunt.com/
-- Rust https://rust.libhunt.com/ 

Regarding the license/legal issues, like Blacklisted Licenses (Strong CopyLeft included), License Conflict, License Violations, Suspicious Licenses (modified and missed licenses), Poor-man CopyRight, SCA uses the following external data sources:
-- SPDX: https://spdx.org/
-- Open Source Initiative: https://opensource.org/licenses
-- GNU compatible license list: http://www.gnu.org/licenses/license-list.html
-- Creative Commons: https://creativecommons.org/share-your-work/licensing-considerations/compatible-licenses/
-- Comparison of FOSS licenses: https://en.wikipedia.org/wiki/Comparison_of_free_and_open-source_software_licenses
-- FLOSS license chart: https://dwheeler.com/essays/floss-license-slide.html

COPYRIGHT (C) 2014-2020 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.