Open source technology empowers developers to make software better, faster, and more efficiently as they push the envelope and delight users with desired features and functionality. This is a trend that is unlikely to fade – at least not in the foreseeable future – and has further fueled our passion for securing the world’s software. This is also why Veracode acquired SourceClear – we had a vision for the impact that integrating our software composition analysis (SCA) technologies would have on our customers’ ability to develop bold, revolutionary software using open source code – without risking their security posture.
Today, our customers have access to an industry-leading, scalable SCA solution that provides unparalleled support for SCA in DevSecOps environments through the cloud-based Veracode Application Security Platform. Veracode SCA offers a unique vulnerable method detection technology that increases the actionability of SCA scan results, as well as the ability to receive continuous alerts on new or updated vulnerabilities without rescanning an application.
Further, our solution relies on a proprietary library and vulnerability database, built using true machine learning and data mining, which has the ability to identify vulnerabilities not available in the National Vulnerability Database (NVD). In addition to CVEs, the database now also includes Reserved CVEs and No-CVEs detected with our data mining and machine learning models. These results are verified by our expert data research team for all supported languages.
Software Composition Analysis for DevSecOps Environments
Veracode SCA offers remediation guidance, SaaS-based scalability, and integration with Continuous Integration tools to provide users with visibility into all direct and indirect open source libraries in use, known and unknown vulnerabilities in those libraries, and how they impact applications, without slowing down development velocity.
Additionally, it is the only solution in the market that offers two options to start an SCA scan that offers insight into open source vulnerabilities, library versions, and licenses:
Scan via Application Binary Upload
Through the traditional application upload process, you’re able to upload your applications or binaries to the Veracode Application Security Platform so that you can run scans via the UI or an API.
SCA scans continue to run alongside Veracode Static Analysis. During the pre-scan evaluation for static scanning, Veracode executes the SCA scan to review the application’s composition, and the results are delivered while the static scan continues. Bill of materials, scores, policy definition, and open source license detection remain available for those application upload scans.
Agent-based scanning, integrated within the Veracode Application Security Platform, enables you to scan your source code repositories directly, either manually from the command line or in a Continuous Integration pipeline. The agent-based scanning process has been enhanced to include more open source license types available for detection in open source libraries. The libraries and vulnerabilities database has been enhanced with an increase of new vulnerabilities detected, and the ability to link project scans with application profiles for policy compliance, reporting, and PDF reports. Customers using Veracode SCA agent-based scanning can conduct:
- Vulnerable Method Detection: Pinpoint the line of code where developers can determine if their code is calling on the vulnerable part of the open source library.
- Auto Pull Requests: Veracode SCA identifies vulnerabilities and makes recommendations for using a safer version of the library. This feature automatically generates pull requests ready to be merged with your code in GitHub, GitHub Enterprise, or GitLab. It provides the fix for you.
- Container Scanning: Scan Docker containers and container images for open source vulnerabilities in Linux distributions and base libraries.
Users have the flexibility to use both scanning types for the same application. Agent-based scanning can be used during development, and a traditional binary upload scan can be conducted before the application is put into production. Scan results continue to be assessed against the chosen policy and prompt users to take action based on the results. These actions can be automated with integration to Jenkins (or another Continuous Integration tool) to either break the build because of a failed policy scan, or to simply report the failed policy.
It’s no exaggeration to say that every company is becoming a software company, and the adoption of open source is on the rise. Having clear visibility into the open source components within your application portfolio reduces the risk of breach through vulnerabilities. The new Veracode Software Composition Analysis solution helps our customers confidently use open source components without introducing unnecessary risk.
To learn more about Veracode Software Composition Analysis, download the technical whitepaper, “Accelerating Software Development with Secure Open Source Software.”