Software Composition Analysis (SCA) testing

Software Composition Analysis (SCA) locates and analyzes the open source and third-party packages used by your code. SCA, sometimes referred to as open source testing, aggregates information from a variety of sources and constantly monitors for new vulnerabilities in an automated process that keeps the information up-to-date daily. Sources include the most popular security vulnerability databases (NVD, GitHub Advisory, Microsoft MSRC) and a wide range of lesser-known security advisories and open source project issue trackers.

SCA requires a specific ASoC Open Source Analyzer subscription. When you have a valid subscription, open source testing runs on its own or is automatically included in Static analysis scans when Static analysis entitlements also exist. It does the following:
  1. Locates open source packages in your code. To ensure that ASoC collects only data for open source testing, use the -openSourceOnly option with appscan prepare (not available from Eclipse).
  2. Identifies open source packages known to be vulnerable.
  3. Suggests remediation for the vulnerable packages.
Results are included in Static Analysis or Open Source reports and in your ASoC portal.
Note: When you use the -oso or -openSourceOnly option with appscan prepare, you may encounter the message, "The prepare operation only found opensource file types, must include other scan file types."

Supported source file types, by extension, are .c, .cc, .cpp, .dll, .ear, .egg, .go, .h, .hpp, .jar, .java, .js, .php, .py, .war.

For additional information, see Static analysis.