Intelligent Software Composition Analysis (SCA)
Qwiet preZero includes Intelligent Software Composition Analysis (Intelligent SCA), which can help you identify open source vulnerabilities and prioritize them based on how problematic they may be to your application's security.
Why Intelligent SCA is important
When you include open-source packages in your application, you take on the possibility of introducing security vulnerabilities that are present in those packages.
To mitigate such security issues, you have to know what is present. However, the problem is that you may end up with a lot of information from your security tools. With this abundance of information, it can be challenging to determine which items are high priority and which ones are less likely to affect your application. To that end, it's essential to decide if a finding is potentially problematic in the context of your application.
How Qwiet preZero can help
Qwiet preZero's Intelligent SCA feature seeks to help you answer the following four questions for any Common Vulnerabilities and Exposures (CVE) entry identified as being present due to the use of an open-source package:
- Is the package that contains the CVE loaded by the application?
- Is the package that contains the CVE in use by the application?
- Is the CVE in the package in an attacker-controlled path? Is it reachable via data flows?
- What can you do to mitigate the CVE? Typically, you can't fix an issue in an open-source package, but are there options (other than upgrading) available to you?
In short, Qwiet will help you identify CVEs and determine if the CVEs are high-priority items. With that information in hand, you should be better informed when it comes time to mitigate the open-source vulnerability.
Reachable and exploitable findings
Qwiet AI considers a finding to be reachable if an attacker-controlled path connects application inputs to the CVE. The concept of reachability is crucial because it tells you whether someone can exploit a vulnerability in your application; if not, you can consider this vulnerability a low priority for mitigation. Similarly, we consider an OSS finding to be exploitable if one or more known exploits are available for one or more CVEs associated with the OSS finding. You should consider exploitable findings a high priority for mitigation.
You can view all OSS findings in an application or the entire organization using the Application Findings page or the Organization findings page, respectively.
Continuous SCA
The Findings pages in the Qwiet preZero web UI will let you know if you have new findings related to OSS vulnerabilities to review. This is helpful for discovering new issues that were identified after you scanned the application.
The timestamp displayed lets you know when the latest check for new OSS vulnerabilities was performed by preZero.
If there are new findings, you should rescan your application to populate the results to the Dashboard.
Only SCA
It is possible to perform only SCA analysis (including container SCA), without SAST or any other processing steps, by specifying the --sca-only-upload parameter to sl.
For example:
sl analyze --sca-only-upload ...
This mode skips many checks and steps that are required to analyze the project's source code. As a result, it is much faster locally, and the SCA results are also available sooner.
Because no code analysis is performed, no reachability information is available.
SBOM generation
There are multiple ways that an SBOM file can be included in the analysis:
- If there is a bom.xml file in the source directory, it will be included in the analysis.
- Otherwise, it will be generated automatically from the source directory (or if --force-bom-rebuild was specified on the command line).
- The SBOM file can also be specified explicitly via the --bom-path parameter.
Flag | Description
---|---
--bom-path <path> | Use a custom Bill-of-Materials file in SCA
--force-bom-rebuild | Force generation of Software Bill of Materials even if an SBOM file already exists for the project
--oss-project-dir <value> | The location of the project on which OSS vulnerability analysis will be performed
--oss-required | When the flag is set, a failure to generate Software Bill of Materials will stop NG SAST analysis
--oss-recursive | When the flag is set, generating Software Bill of Materials will also look at all individual subprojects
--oss-subproject <value> | When the flag is set, generating Software Bill of Materials will only look at a given subproject in a monorepo
--sca-only-upload | Only run SCA, skip SAST and other processing steps
At this time, only SBOM files in CycloneDX XML format are produced and accepted by the options above.
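Because the analysis accepts only CycloneDX XML, it is useful to be able to inspect a bom.xml before handing it to --bom-path: confirm it really is a CycloneDX document and see which components (and which package ecosystems, derived from the purl) it declares. The following is an added example written for this page, not Qwiet's or CycloneDX's own code; it uses only the Python standard library, and the SBOM it parses is a constructed sample, not one generated from any real project. The CycloneDX element names (bom, components, component, name, version, purl) are taken from the public CycloneDX schema.

```python
"""Inspect a CycloneDX XML SBOM (the bom.xml format this page's options accept)."""
import xml.etree.ElementTree as ET

# Constructed sample bom.xml (two made-up libraries); not from any real project.
SAMPLE_BOM_XML = """
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>
    <component type="application">
      <name>example-app</name>
      <version>0.1.0</version>
    </component>
  </metadata>
  <components>
    <component type="library">
      <name>acme-parser</name>
      <version>1.2.3</version>
      <purl>pkg:maven/com.example/acme-parser@1.2.3</purl>
    </component>
    <component type="library">
      <name>acme-http</name>
      <version>4.0.0</version>
      <purl>pkg:npm/%40acme/http@4.0.0</purl>
    </component>
  </components>
</bom>
"""

CYCLONEDX_NS_PREFIX = "http://cyclonedx.org/schema/bom/"


def parse_cyclonedx_xml(xml_text):
    """Return the list of top-level components declared in a CycloneDX XML SBOM.

    Each component is a dict with type, name, version and purl. A ValueError is
    raised when the root element is not a CycloneDX <bom>, so that a file in
    some other SBOM format is rejected before it is passed to the scanner.
    """
    # For SBOMs that come from untrusted sources, parse with defusedxml instead
    # of the stdlib parser; a bom.xml checked into your own repository is
    # treated here as trusted input.
    root = ET.fromstring(xml_text)

    # ElementTree reports namespaced tags as '{namespace-uri}localname'.
    if not root.tag.startswith("{" + CYCLONEDX_NS_PREFIX) or not root.tag.endswith("}bom"):
        raise ValueError("not a CycloneDX XML BOM: root element is %r" % root.tag)
    ns = root.tag[1:root.tag.index("}")]

    def q(local_name):
        return "{%s}%s" % (ns, local_name)

    components = []
    for comp in root.iterfind("./%s/%s" % (q("components"), q("component"))):
        components.append({
            "type": comp.get("type"),
            "name": comp.findtext(q("name")),
            "version": comp.findtext(q("version")),
            "purl": comp.findtext(q("purl")),
        })
    return components


def ecosystem_of(purl):
    """Return the package type of a purl, e.g. 'maven' for 'pkg:maven/...'.

    A purl has the shape pkg:<type>/<namespace>/<name>@<version>; the type is
    the segment between 'pkg:' and the first '/'.
    """
    if not purl or not purl.startswith("pkg:"):
        return None
    return purl[len("pkg:"):].split("/", 1)[0]


def summarize_by_ecosystem(xml_text):
    """Count the SBOM's components per package ecosystem (maven, npm, pypi, ...)."""
    counts = {}
    for comp in parse_cyclonedx_xml(xml_text):
        eco = ecosystem_of(comp["purl"]) or "unknown"
        counts[eco] = counts.get(eco, 0) + 1
    return counts


if __name__ == "__main__":
    for c in parse_cyclonedx_xml(SAMPLE_BOM_XML):
        print("%-12s %-8s %s" % (c["name"], c["version"], c["purl"]))
    print(summarize_by_ecosystem(SAMPLE_BOM_XML))
```

Run it against a real bom.xml by reading the file into a string and passing it to parse_cyclonedx_xml; if the function raises ValueError, the file is not in the CycloneDX XML format that --bom-path expects.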
Next steps
For information on how to obtain Intelligent SCA results, please review the article specific to your application's language: