Open source libraries allow developers to meet the demands of today’s accelerated development times. However, they are also becoming the most popular attack vector. With Veracode Software Composition Analysis (SCA), teams can take advantage of open source libraries without increasing risk.
Identify Vulnerabilities In Open Source Libraries
Veracode SCA scans open source dependencies for known vulnerabilities and makes recommendations on version updating.
Veracode SCA integrates into the pipeline through a simple command-line scan agent and delivers results in seconds. Teams can even use the same agent directly in their IDE to get feedback earlier.
Find More Vulnerabilities Than The NVD
Not every developer who fixes a vulnerability in an open source project reports it to the National Vulnerability Database (NVD). Veracode uses data mining, natural language processing, and machine learning to significantly grow its SCA database.
Veracode SCA builds a call graph to identify which methods in the open source libraries are being used. By prioritizing vulnerabilities that lie in the execution path, companies reduce remediation time by up to 90 percent.
Assess Dependencies Several Layers Deep
Many open source libraries depend on other libraries. Veracode SCA finds vulnerabilities not only in direct dependencies but also several layers deep.
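The reachability and transitive-dependency ideas in the two sections above, as an added illustration that is not Veracode's code or its algorithm: a breadth-first search over a constructed dependency manifest and call graph ranks known-vulnerable methods so that those on an execution path from the application's entry point come first, and shallower dependencies before deeper ones. All library, method and advisory names are constructed placeholders.

```python
from collections import deque

# Constructed sample data: a dependency manifest (library -> its own
# dependencies) and a call graph (method -> methods it calls). Library,
# method and advisory names are hypothetical placeholders, not real ones.
DEPENDENCIES = {"app": ["libA"], "libA": ["libB"], "libB": ["libC"], "libC": []}
CALL_GRAPH = {
    "app.main": ["libA.load"],
    "libA.load": ["libB.parse_header"],
    "libB.parse_header": ["libB.validate"],
    "libB.validate": [],
    "libB.legacy_import": ["libC.deserialize"],  # not reached from app.main
    "libC.deserialize": [],
}
# Known-vulnerable methods: method -> placeholder advisory id.
VULNERABLE_METHODS = {
    "libB.parse_header": "ADVISORY-PLACEHOLDER-1",
    "libC.deserialize": "ADVISORY-PLACEHOLDER-2",
}


def bfs_distances(graph, start):
    """Shortest hop count from start to every node reachable in graph."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def prioritize(vulns, call_graph, deps, entry="app.main", root="app"):
    """One finding per vulnerable method: reachable ones first, then shallowest."""
    reachable = bfs_distances(call_graph, entry)  # methods on an execution path
    depth = bfs_distances(deps, root)             # direct = 1, transitive >= 2
    findings = []
    for method, advisory in vulns.items():
        lib = method.split(".")[0]
        findings.append({"method": method, "advisory": advisory,
                         "reachable": method in reachable,
                         "dependency_depth": depth.get(lib, float("inf"))})
    return sorted(findings, key=lambda f: (not f["reachable"], f["dependency_depth"]))


if __name__ == "__main__":
    for finding in prioritize(VULNERABLE_METHODS, CALL_GRAPH, DEPENDENCIES):
        print(finding)
```

With this data the libB finding is reported first because app.main reaches it through libA.load, while the libC finding is real but sits on a path the application never calls.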
Get Remediation Guidance And Automation
Get advice on which library version to update to, or even have Veracode SCA generate the pull request for review.