Software Composition Analysis (SCA)
is the name of a task that belongs in any well-configured CI/CD chain. At the latest after new code is checked in, a worker determines the dependencies in use and all of their transitive dependencies. This bill of materials, the Software Bill of Materials (SBOM), is then used to manage the released artefact throughout its life-cycle. SCA is the initial step on which all subsequent work builds.
Use ts-scan to assess the composition of your software!
Whether source code, binary or Docker image, ts-scan will assess it for you.
Know what you are assessing

File-based analysis
- Some languages and compilers have no package concept
- Analysis therefore has to be done at the file level
- Necessary for provenance (snippet) scanning
- Can be done effectively and quickly
- The repository is the scope
- Challenge: submodules

Package analysis
- Many free tools are already available, e.g. ts-scan
- Beware of the mechanism: declaration only (1st level) or transitive (all levels)
- Depending on the language, there is a higher or lower risk that installed packages have been modified relative to what is declared
- Package referencing remains an issue, especially across ecosystems, e.g. JavaScript packages inside a Java project
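The difference between "declaration only" and "transitive" is easiest to see on a concrete lockfile. The following is an added example, not code from ts-scan or from this page: it walks a constructed, npm-lockfile-shaped graph (lockfileVersion 3 layout, only the `version` and `dependencies` fields are used) from the declared roots to the full closure and renders the result as package URLs, the identifier most SBOM formats use. The manifest and lockfile contents are constructed sample data.

```python
"""Declared (1st-level) vs. transitive dependency resolution from a lockfile.

Added example, not part of ts-scan. PACKAGE_JSON and PACKAGE_LOCK are
constructed to mimic the shape of package.json and an npm
package-lock.json (lockfileVersion 3); real lockfiles carry more fields.
"""
from collections import deque

# Constructed sample manifest: a project declaring two direct dependencies.
PACKAGE_JSON = {
    "name": "demo-app",
    "version": "1.0.0",
    "dependencies": {"express": "^4.18.2", "lodash": "^4.17.21"},
}

# Constructed lockfile fragment. Keys follow npm's "node_modules/<name>"
# convention; nested paths for version conflicts are omitted for brevity.
PACKAGE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "node_modules/express": {"version": "4.18.2",
            "dependencies": {"body-parser": "1.20.1", "qs": "6.11.0"}},
        "node_modules/body-parser": {"version": "1.20.1",
            "dependencies": {"qs": "6.11.0"}},
        "node_modules/qs": {"version": "6.11.0",
            "dependencies": {"side-channel": "1.0.4"}},
        "node_modules/side-channel": {"version": "1.0.4"},
        "node_modules/lodash": {"version": "4.17.21"},
        # Installed but reachable from no declared root (e.g. stale):
        # must not end up in the closure.
        "node_modules/leftover": {"version": "0.0.1"},
    },
}


def declared_dependencies(package_json):
    """First-level dependencies: what the manifest says, nothing more."""
    return set(package_json.get("dependencies", {}))


def transitive_dependencies(package_json, lock):
    """Full closure: walk the lockfile graph from every declared root.

    Returns {name: version}. Cycles are tolerated via the resolved set.
    """
    packages = lock["packages"]
    resolved = {}
    queue = deque(declared_dependencies(package_json))
    while queue:
        name = queue.popleft()
        if name in resolved:
            continue
        entry = packages.get(f"node_modules/{name}")
        if entry is None:
            # Declared but not locked: manifest and lockfile disagree,
            # which an SCA step should flag rather than silently ignore.
            raise KeyError(f"{name} declared but not present in lockfile")
        resolved[name] = entry["version"]
        queue.extend(entry.get("dependencies", {}))
    return resolved


def to_purls(resolved, ecosystem="npm"):
    """Render the closure as package URLs (purl), sorted for stable output."""
    return sorted(f"pkg:{ecosystem}/{name}@{version}"
                  for name, version in resolved.items())


if __name__ == "__main__":
    direct = declared_dependencies(PACKAGE_JSON)
    full = transitive_dependencies(PACKAGE_JSON, PACKAGE_LOCK)
    print(f"declared: {len(direct)}, transitive closure: {len(full)}")
    for purl in to_purls(full):
        print(" ", purl)
```

On the sample data the manifest declares 2 packages while the closure contains 5; a scanner that reports only the declared level misses three of them, and the stale `leftover` entry shows why the lockfile alone is not the answer either.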

Container analysis
- NOTE: AVOID PREBUILT! If possible, build all your containers yourself
- Assessing the layers is possible, but not necessarily complete
- COPY statements combined with shell scripts bear high risks
- Docker has included an "sbom" command since April 2022
- ts-scan also scans Docker containers

Binary analysis
- Generally difficult
- Environment and architecture specific
- Results are questionable, even with pre-built hash comparison
- What is the basis of comparison?
- How long do you really want to ship uncontrollable 3rd-party software in your device?