SCA
SCA stands for Source Composition Analysis. The tool analyzes the dependencies (third-party libraries) used by an application and evaluates their security.
In the SCA analysis, we strive for the application to comply with the following rules:
- Use components with minimal dependencies
- Verify all third-party components for security risks
Supported languages
The following languages and package managers are supported:
Package Manager | Versions supported | Languages | File extensions | Total Advisories |
---|---|---|---|---|
NPM | 1 to 3 | Javascript/Typescript | package.json, package-lock.json | 15480 |
Yarn | 1 | Javascript/Typescript | package.json, yarn.lock | 15480 |
pNPM | 1 | Javascript/Typescript | package.json, pnpm-lock.yaml | 15480 |
pip | >20.0 | Python | requirements.txt | 12676 |
poetry | >1.0.0 | Python | poetry.lock | 12676 |
maven | >3.0.0 | Java | pom.xml | 10432 |
gradle | >5.1 | Java | .gradle, build.gradle.kts | 10432 |
SBT | All | Java | build.sbt | 10432 |
Composer | >1.0.0 | PHP | composer.json, composer.lock | 6167 |
Go | All | Go | go.mod | 3196 |
NuGet | All | C# | csproj | 2988 |
RubyGems | >3.5 | Ruby | Gemfile, Gemfile.lock | 1685 |
Cargo | All | Rust | Cargo.toml, Cargo.lock | 691 |
Conan | >2.0 | C, C++ | conanfile.txt, conan.lock, conanfile.py | 549 |
Swift | All | Swift | Packages.resolved | 30 |
Hex | All | Erlang | mix.exs, mix.lock | 24 |
Docker Images | All | Docker | N/A | 11 |
Github Actions | All | yaml | workflows.yaml | 15 |
Pub | All | Dart | pubspec.yaml | 7 |
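The lock-file matching that the table implies, shown as an added example that is not the scanner's own code: it reads a constructed package-lock.json and a constructed requirements.txt, then compares the resolved versions against a constructed advisory feed (package names and advisory ids are hypothetical).

```python
import json
import re
# Constructed sample npm lockfile (lockfileVersion 3 layout); not from a real project.
PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"widget-utils": "^4.17.0"}},
        "node_modules/widget-utils": {"version": "4.17.15"},
        "node_modules/@scope/tiny-arg": {"version": "1.2.8"},
    },
})
# Constructed pip requirements file; only '==' pins can be matched exactly.
REQUIREMENTS = "requests==2.31.0\nFastParse==5.3.1  # pinned\nflask>=2.0\n"
# Constructed advisory feed (hypothetical ids): versions below `fixed` are affected.
ADVISORIES = [
    {"ecosystem": "npm", "name": "widget-utils", "fixed": "4.17.21", "id": "ADV-EXAMPLE-1"},
    {"ecosystem": "pip", "name": "fastparse", "fixed": "5.4", "id": "ADV-EXAMPLE-2"},
]

def parse_package_lock(text):
    """Return {name: version} for each installed package in a v2/v3 package-lock.json."""
    deps = {}
    for path, meta in json.loads(text).get("packages", {}).items():
        if path and "version" in meta:                 # "" is the root project itself
            deps[path.rsplit("node_modules/", 1)[-1]] = meta["version"]  # keeps @scope/name
    return deps

def parse_requirements(text):
    """Return {name: version} for exact pins; names are lower-cased like the advisory feed."""
    deps = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)", line.split("#")[0].strip())
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps

def version_key(v):
    """Tuple of ints for comparing dotted versions; a pre-release/build suffix is dropped."""
    core = re.split(r"[^0-9.]", v, maxsplit=1)[0]
    return tuple(int(p) for p in core.split(".") if p)

def find_vulnerable(ecosystem, deps):
    """Return [(name, resolved version, advisory id)] for dependencies below the fixed version."""
    hits = []
    for adv in ADVISORIES:
        ver = deps.get(adv["name"]) if adv["ecosystem"] == ecosystem else None
        if ver and version_key(ver) < version_key(adv["fixed"]):
            hits.append((adv["name"], ver, adv["id"]))
    return hits
```

Unpinned requirements (such as `flask>=2.0`) are skipped on purpose: without a lock file the resolved version is unknown, which is why the table lists lock files next to manifests.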
Sources
The scanner uses the following sources to obtain the CVEs of reported security advisories: