Veracode — SourceClear SCA Analysis

Subramani Sundaram (Subu)
3 min read · Dec 5, 2022


Open-source libraries allow developers to meet the demands of today’s accelerated development times. However, they are also becoming the most popular attack vector. With Veracode Software Composition Analysis (SCA), teams can take advantage of open-source libraries without increasing risk.

Veracode SCA scans open-source dependencies for known vulnerabilities and makes recommendations on version updating.

Veracode SCA integrates into the pipeline through a simple command-line scan agent and delivers results in seconds. Teams can even use the same agent directly in their IDE to get feedback earlier.

Not every developer who fixes a vulnerability in an open-source project reports it to the National Vulnerability Database (NVD). Veracode uses data mining, natural language processing, and machine learning to significantly grow its SCA database.

Veracode SCA builds a call graph to identify which methods in the open-source libraries are being used. By prioritizing vulnerabilities that lie in the execution path, companies reduce remediation time by up to 90 percent.

Many open-source libraries depend on other libraries. Veracode SCA finds vulnerabilities not only in direct dependencies but also several layers deep.

Get advice on which library version to update to, or even have Veracode SCA generate the pull request for review.

Demo of how to use SCA analysis:

1. Register on the site below with your company URL. Veracode then emails you the basic login details for the demo account.
https://info.veracode.com/veracode-sca-demo.html

2. Install the SourceClear agent on the machine (or build host) where you clone your code:

curl -sSL https://srcclr.com/install | sh

Piping a remote script straight into sh runs whatever the server returns, so for anything beyond a quick demo download the installer to a file first, inspect it, and keep that copy under your own control.

3. Activate the agent:

srcclr activate

Paste the token you copied from your workspace in the Veracode SCA web console into the terminal and press Enter.

After entering your activation token, your agent.yml configuration file is installed to the ~/.srcclr folder. If that file already exists, you are prompted to enter a profile name. This profile name allows you to choose which token you use when scanning. Veracode recommends that you use the name of the workspace with which the token is associated. Treat the token like a password: it is stored in clear text in agent.yml, so keep that file out of version control.

4. Scan the project from its directory with srcclr scan. The report is printed in the terminal, and the same results are uploaded to the Veracode SCA web console, which you can log into with the username and password emailed to you at registration.

5. The same agent can run as a step in a CI/CD pipeline, so every build checks the open-source components in the application for known vulnerabilities.
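As an added example (not part of the original post, and not Veracode's own sample), here is how the pipeline step from point 5 might look as an Azure Pipelines job. The trigger branch, the pool image, and the name of the secret pipeline variable are assumptions; the only Veracode-specific pieces are the installer URL from the post, the srcclr scan command, and the SRCCLR_API_TOKEN environment variable, which the agent reads in place of an interactive srcclr activate so no token is written to agent.yml on the build host.

```yaml
# Added example: Azure Pipelines job that runs the Veracode SCA agent on every build.
# Assumptions (not from the original post): the trigger branch, the ubuntu-latest
# image, and that a secret pipeline variable named SRCCLR_API_TOKEN holds the token.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

steps:
  - checkout: self

  - script: |
      set -euo pipefail
      # Download the installer to a file instead of piping it into sh, so the
      # script can be inspected or checksummed before it runs.
      curl -sSL https://srcclr.com/install -o srcclr-install.sh
      sh srcclr-install.sh
      # Scan the checked-out source. Non-zero exit fails the build.
      srcclr scan
    displayName: Veracode SCA scan
    env:
      # Azure Pipelines never exports secret variables to scripts automatically;
      # the explicit env mapping is what makes the token available to the agent.
      SRCCLR_API_TOKEN: $(SRCCLR_API_TOKEN)
```

Keeping the token in a secret variable rather than in a committed agent.yml means the build host never holds it on disk, and rotating it is a change in the pipeline library rather than in every repository.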

In another session we will see the another great tool from Veracode called as “GREENLIGHT” .


Written by Subramani Sundaram (Subu)

Azure MCT | Certified DevSecOps/SRE Practitioner | SAFe4 DevOps Practitioner | Azure 9x Certified | DevOps Institute Trainer | DevOps/Azure Cloud Architect
