Software Composition Analysis (SCA) is the process of figuring out which third-party dependencies are used in your project. It's an essential part of the software security process as it helps you to answer questions like:
- Does my project contain third-party dependencies with known vulnerabilities (CVEs)?
- Does my project contain third-party dependencies with risky licenses?
- Does my project comply with all legal requirements imposed by the upstream projects?
In this post we'll look at some popular open-source SCA options. It's not intended to be comprehensive, so let me know if I missed anything! Adding one or more of these projects to your CI/CD process will really improve your supply chain security.
If your project is hosted on GitHub, then the first port of call for SCA is to enable GitHub Dependabot. You have the option to enable alerts only, which let you know if your dependencies have known CVEs, or to also have Dependabot automatically create pull requests that upgrade the dependencies in question to fix the vulnerability. Adding CI using GitHub Actions to this process, to verify that the updates don't break the build or tests, makes fixing CVEs a straightforward process. Dependabot supports a wide range of software ecosystems.
GitHub also recently added support for downloading an SPDX SBOM for a repository, e.g. for Apache CXF: https://github.com/apache/cxf/dependency-graph/sbom.
OWASP Dependency-Check is another tool that can help you find CVEs in your dependencies. It's useful as an alternative to Dependabot if you don't have access to the Security tab of a GitHub project, or if Dependabot is otherwise not enabled. You can run it on a Maven project via:
- mvn org.owasp:dependency-check-maven:check
Aqua Trivy is a really useful tool for SCA as it can help with a wide range of scenarios:
- Scan a Docker image for CVEs and secrets: trivy image tomcat:9.0
- Exclude secret scanning: trivy image --security-checks vuln tomcat:9.0
- Exclude OS-level CVEs (scan only application libraries): trivy image --security-checks vuln --vuln-type library tomcat:9.0
- Scan a GitHub repository: trivy repository https://github.com/apache/cxf
- Scan the filesystem at the current working directory: trivy fs .
Anchore Syft is a tool which can help you with generating an SBOM from an image or filesystem:
- Generate a CycloneDX SBOM from a Docker image: syft -o cyclonedx-json tomcat:9.0
- Generate an SBOM from a WAR file: syft packages ./fedizhelloworld.war
Anchore Grype is another super-useful tool that works well with Syft:
- Scan the current working directory for CVEs: grype dir:.
- Scan a Docker image for CVEs: grype tomcat:9.0
- Scan a CycloneDX SBOM produced by Syft for CVEs: grype sbom:./sbom.json
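Once Grype is in a CI pipeline, the next question is what to fail the build on. The script below is an added example (not part of this post or of the Grype project): it reads a Grype JSON report (`grype sbom:./sbom.json -o json`) and exits non-zero if any match is at or above a severity threshold, optionally only when a fixed version exists. It assumes the report shape `matches[].vulnerability.{id,severity,fix.versions}` and `matches[].artifact.{name,version}`; check this against your own Grype version's output. The embedded report and its CVE IDs are constructed placeholders.

```python
"""Severity gate for a Grype JSON report, e.g. after `grype sbom:./sbom.json -o json`."""
import json
import sys

# Grype severities from lowest to highest; anything unrecognised ranks below Negligible.
SEVERITY_RANK = {"Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample in the assumed shape of a Grype report; IDs are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["2.0.1"], "state": "fixed"}},
         "artifact": {"name": "example-lib", "version": "2.0.0"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Medium",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "other-lib", "version": "1.3.0"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "High",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "third-lib", "version": "0.9.0"}},
    ]
})


def failing_matches(report_json, threshold="High", only_fixable=False):
    """Return (id, package, version, severity, fix_versions) for each match at or above threshold.

    With only_fixable=True, matches that have no fixed version yet are ignored, which keeps
    the gate actionable: a failing build always has an upgrade available.
    """
    report = json.loads(report_json)
    minimum = SEVERITY_RANK[threshold]
    failing = []
    for match in report.get("matches", []):
        vuln, artifact = match["vulnerability"], match["artifact"]
        rank = SEVERITY_RANK.get(vuln.get("severity"), 0)
        fix_versions = vuln.get("fix", {}).get("versions", [])
        if rank < minimum or (only_fixable and not fix_versions):
            continue
        failing.append((vuln["id"], artifact["name"], artifact["version"],
                        vuln["severity"], fix_versions))
    return failing


def main(argv):
    """Usage: gate.py [report.json] [threshold]; with no report path the constructed sample is used."""
    data = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    hits = failing_matches(data, argv[2] if len(argv) > 2 else "High")
    for vid, name, version, sev, fixes in hits:
        print(f"{sev:9} {vid:16} {name}@{version}  fix: {', '.join(fixes) or 'none'}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Grype's own `--fail-on <severity>` flag covers the plain threshold case; the script is for when you also want the fix versions listed in the build log or want to gate only on findings that are actually fixable.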
Yet another tool is Google's OSV-Scanner:
- Scan a Docker image for CVEs: osv-scanner --docker tomcat:9.0
- Scan the local filesystem for CVEs: osv-scanner -r .