SCA
SCA stands for Source Composition Analysis The tool analyzes dependencies, or third-party libraries used by an application and evaluates their security.
In the SCA analysis, we strive for the application to comply with the following rules:
-
Use components with minimal dependencies
-
Verify all third-party components for security risks
Supported languages
The following languages and package managers are supported:
| Package Manager | Versions supported | Languages | File extensions | Total Advisories |
|---|---|---|---|---|
| NPM | 1 to 3 | Javascript/Typescript | package.json, package-lock.json | 15480 |
| Yarn | 1 | Javascript/Typescript | package.json, yarn.lock | 15480 |
| pNPM | 1 | Javascript/Typescript | package.json, pnpm-lock.yaml | 15480 |
| pip | >20.0 | Python | requirements.txt | 12676 |
| poetry | >1.0.0 | Python | poeatry.lock | 12676 |
| maven | >3.0.0 | Java | pom.xml | 10432 |
| gradle | >5.1 | Java | .gradle, build.gradle.kts | 10432 |
| SBT | All | Java | build.sbt | 10432 |
| Composer | >1.0.0 | PHP | composer.json, composer.lock | 6167 |
| Go | All | Go | go.mod | 3196 |
| NuGet | All | C# | csproj | 2988 |
| RubyGems | >3.5 | Ruby | Gemfile, Gemfile.lock | 1685 |
| Cargo | All | Rust | Cargo.toml, Cargo.lock | 691 |
| Conan | >2.0 | C, C++ | conanfile.txt, conan.lock, conanfile.py | 549 |
| Swift | All | Swift | Packages.resolved | 30 |
| Hex | All | Erlang | mix.exs, mix.lock | 24 |
| Docker Images | All | Docker | N/A | 11 |
| Github Actions | All | yaml | workflows.yaml | 15 |
| Pub | All | Dart | pubspec.yaml | 7 |
Sources
The scanner uses the following sources to obtain the CVEs of reported security advisories: