Sep 15 2023

SCA (Software Composition Analysis)

Sep 15 2023

Why use SCA?
An example of how SCA works
How SCA works

SCA (Software Composition Analysis) is an analysis methodology for application components. The analysis enables detecting vulnerable components, security weaknesses, or licensing issues.

Why use SCA?

Companies tend to use more open-source components to expedite the development process. However, this can lead to security problems. A vulnerable component can become a potential entry point for malicious attacks.

The SCA solutions automatically analyze the application for open-source components. These tools detect vulnerable versions of components. In some cases, the SCA solutions can automatically fix or suggest to upgrade the component to a secure version. The SCA solutions can also inform users of license terms and restrictions, and notify them of deprecated dependencies.

A component may not contain vulnerabilities, but its dependencies may. To prevent such a scenario, the SCA tools analyze transitive dependencies too (for example, the dependencies of libraries used in an application).

The SCA solutions can detect vulnerabilities at both early and late stages of development. However, the earlier we introduce SCA into the development process the lower is the risk of reputational and financial problems. To enhance security through the detection of vulnerabilities and flaws, some tools provide both SCA and SAST functionality. For example, PVS-Studio for C# provides SCA.

An example of how SCA works

The test web project uses RestSharp, a client for REST API. The application gets data in JSON format, the handler receives the data string and parses it using the extension method from RestSharp:

[HttpPost]
public IActionResult Index(string jsonDate)
{
  DateTime dateTime = jsonDate.ParseJsonDate(CultureInfo.InvariantCulture);

  // do something

  return View();
}

The flaw lies in the ParseJsonDate function, which uses a vulnerable regular expression if the version of the RestSharp library is earlier than 106.11.7. This makes the entire application vulnerable to ReDoS attacks. You can look at this example in more detail in the article: "The risks of using vulnerable dependencies in your project, and how SCA helps manage them."

How SCA works

The SCA solutions analyze components of the application and their internal dependencies. These tools rely on open vulnerability databases such as CVE, NVD, etc. That's why SCA tools can identify the exact version of the component in use and any associated security weaknesses.

This happens in several steps:

The user runs the analysis with the SCA solution.
The SCA solution collects information about dependencies, components, and transitive dependencies. The tool compiles a Bill of Materials (BOM), a list of third-party components that are used in the application.
It searches for matches in the entire vulnerability database for all BOM components. If the SCA tool gets from the database all the necessary information about a flaw in the version of a component, it generates a corresponding message. In the same way, the tool checks for compliance with licensing terms and restrictions.
The SCA solution informs users about detected vulnerabilities, deprecated components, or licensing issues. It may generate a description of the defect, the component version affected, the CVE and CWE identifiers, the CVSS-based severities. The SCA solution can suggest fixes such as an update of a vulnerable component.

After detecting a vulnerable component, we can either upgrade it to a secure version, replace it with another component, or add necessary checks to the code. This topic is described in detail in the documentation for the V5625 diagnostic rule. It is an implementation of the SCA functionality in the PVS-Studio analyzer.