What is Software Composition Analysis?


Software Composition Analysis (SCA) identifies the dependency packages and libraries a project uses and checks them against databases of known vulnerabilities.


This phase involves the following components:

  • SCA tools, e.g. Flawfinder, Graudit, Bandit, Spotbugs, SonarQube


People involved: Developers

External sources

Why is it important in DevSecOps? 

It is very common for projects to use third-party open-source libraries to extend their capabilities. The downside is that any security issue or vulnerability in such a library can also affect the project. Running these checks every time the DevSecOps pipeline runs reduces the risk of shipping vulnerable or outdated components. 
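The core of what an SCA tool does, shown as an added example rather than code from any of the tools covered here: read the project's dependency manifest, identify each pinned package, and match it against known vulnerable version ranges. The requirements.txt content and the advisory list are constructed sample data, not a real vulnerability database.

```python
import re

# Constructed requirements.txt content (pinned dependencies); not from a real project.
REQUIREMENTS = """\
# web app dependencies
flask==0.12.2
requests==2.19.1
jinja2>=2.10  # loose specifier: exact version unknown, so it cannot be audited
pyyaml==5.4
"""

# Constructed advisories: package -> [(advisory id, first fixed version)].
# A pin is affected when its version is below the first fixed version.
ADVISORIES = {
    "flask": [("SAMPLE-ADV-0001", "1.0")],
    "requests": [("SAMPLE-ADV-0002", "2.20.0")],
    "pyyaml": [("SAMPLE-ADV-0003", "5.4")],
}

def parse_version(version):
    """Turn '2.19.1' into (2, 19, 1); trailing zeros are dropped so 1.0 == 1.0.0."""
    parts = [int(part) for part in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_requirements(text):
    """Return {name: version} for exact '==' pins; comments and loose specifiers are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins

def audit(text, advisories=ADVISORIES):
    """Return [(package, version, advisory id, fixed version)] for every affected pin."""
    findings = []
    for name, version in parse_requirements(text).items():
        for advisory_id, fixed in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed):
                findings.append((name, version, advisory_id, fixed))
    return findings

if __name__ == "__main__":
    for name, version, advisory_id, fixed in audit(REQUIREMENTS):
        print(f"{name}=={version}: {advisory_id} (fixed in {fixed})")
```

Note that the unpinned jinja2 entry produces no finding at all, which is why real SCA tools prefer lock files with exact versions over loose specifiers.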

What will you learn in this section? 

The user will learn to perform the following tasks:

  • Perform the Software Composition Analysis on projects


Tools Covered

  • Retire.js

  • OSSAudit

  • OWASP Dependency-Check


Labs

  • Retire.js: Finding Vulnerable Libraries

    A Kali machine is provided to the user with Retire.js installed on it. The source code for three sample web applications is provided in the home directory of the root user.
    Objective: Scan the web applications with Retire.js and find vulnerable/insecure libraries!

  • OSSAudit: Auditing Python Packages

    A Kali machine is provided to the user with OSSAudit installed on it. The source code for three Python web applications is provided in the home directory of the root user.
    Objective: Use the OSSAudit utility to find issues in the web applications!

  • OWASP Dependency-Check

    A Kali machine is provided to the user with Dependency-Check installed on it. The source code for three sample web applications is provided in the home directory of the root user.
    Objective: Use OWASP Dependency-Check to detect vulnerable code dependencies!
