SCA (Software Composition Analysis) is a methodology for analyzing the third-party components of an application. The analysis detects components with known vulnerabilities, other security weaknesses, and licensing issues.
Companies increasingly rely on open-source components to speed up development, but this brings its own security problems: a vulnerable component is code the team did not write, and it can become an entry point for an attack on the application.
SCA solutions automatically inventory the open-source components an application uses and detect versions with known vulnerabilities. Some of them can fix the problem automatically or suggest upgrading the component to a secure version. SCA solutions can also report the license terms and restrictions of each component and flag deprecated dependencies.
A component may itself be free of known vulnerabilities while one of its own dependencies is not. To catch such cases, SCA tools also analyze transitive dependencies (for example, the libraries pulled in by the libraries the application references directly).
SCA solutions can detect vulnerabilities at both early and late stages of development, but the earlier SCA is introduced into the process, the cheaper the fix and the lower the risk of reputational and financial damage. Some tools combine SCA with SAST so that both third-party components and the project's own code are checked; PVS-Studio, for example, provides SCA functionality in its C# analyzer.
Consider a test web project that uses RestSharp, a client library for REST APIs. The application receives data in JSON format; the handler takes the string from the request and parses it as a date with an extension method from RestSharp:
using System;
using System.Globalization;
using Microsoft.AspNetCore.Mvc;
using RestSharp.Extensions; // StringExtensions.ParseJsonDate lives here
public class HomeController : Controller
{
    [HttpPost]
    public IActionResult Index(string jsonDate)
    {
        DateTime dateTime = jsonDate.ParseJsonDate(CultureInfo.InvariantCulture); // ReDoS in RestSharp < 106.11.7
        // do something
        return View();
    }
}
The flaw lies in the ParseJsonDate function: in RestSharp versions earlier than 106.11.7 it uses a regular expression prone to catastrophic backtracking. Because jsonDate comes straight from the HTTP request, an attacker can send a string crafted to make that regular expression run for a very long time and tie up the request thread, which makes the entire application vulnerable to ReDoS (regular expression denial of service). This example is examined in more detail in the article "The risks of using vulnerable dependencies in your project, and how SCA helps manage them."
SCA solutions inventory the application's components and their dependencies, then match each component and its exact version against public vulnerability databases such as CVE and NVD (CVE is the list of identifiers; NVD enriches each entry with severity scores and affected-version data). This is how an SCA tool determines whether the version in use has any known security weaknesses.
This happens in several steps:
Once a vulnerable component has been detected, there are three options: upgrade it to a fixed version, replace it with another component, or, when neither is possible, add checks to the code that neutralize the known flaw (for the ReDoS case above, validating or length-limiting the input before it reaches the vulnerable parser). The topic is covered in detail in the documentation for the V5625 diagnostic rule, which implements the SCA functionality in the PVS-Studio analyzer.
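As an added illustration of the detection and remediation steps described above (example code written for this page, not PVS-Studio's implementation), the Python script below walks a constructed dependency graph transitively, matches each resolved version against a small constructed vulnerability table of the kind an SCA tool derives from NVD data, and reports the first fixed version to upgrade to. The RestSharp entry mirrors the ReDoS issue fixed in 106.11.7; the package names ExampleLogger and ExampleJson, their versions and the second vulnerability are made up for the example, and the version comparison is a deliberate simplification of the full NuGet/SemVer rules.

```python
"""Minimal SCA pass: walk a project's dependency graph transitively and match
each resolved component version against a vulnerability table.

Added example for this page, not PVS-Studio code. GRAPH and VULN_DB are
constructed: the RestSharp entry mirrors the ReDoS issue fixed in 106.11.7,
everything else (ExampleLogger, ExampleJson, their versions, the second
vulnerability) is made up for the illustration."""

from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """Turn a dotted version into an int tuple so that 106.11.7 > 106.9.0.
    Simplification: real SCA tools must also handle NuGet/SemVer pre-release tags."""
    return tuple(int(part) for part in version.split("."))


# Constructed resolved graph: package -> (resolved version, direct dependencies).
# Only WebApp's two dependencies are declared by the developer; ExampleJson is transitive.
GRAPH = {
    "WebApp":        ("1.0.0",    ["RestSharp", "ExampleLogger"]),
    "RestSharp":     ("106.11.4", []),
    "ExampleLogger": ("2.3.0",    ["ExampleJson"]),
    "ExampleJson":   ("4.2.0",    []),
}

# Constructed vulnerability table, the shape an SCA tool derives from NVD data:
# package -> list of (first affected version, first fixed version, description).
VULN_DB = {
    "RestSharp":   [("0.0.0", "106.11.7", "ReDoS in ParseJsonDate")],
    "ExampleJson": [("4.0.0", "5.0.0", "hypothetical flaw, constructed for the example")],
}


@dataclass
class Finding:
    package: str
    version: str
    fixed_in: str
    description: str
    path: tuple  # dependency chain from the root project to the affected package


def is_affected(version: str, first_affected: str, first_fixed: str) -> bool:
    """Affected range is [first_affected, first_fixed); the fix version itself is safe."""
    return parse_version(first_affected) <= parse_version(version) < parse_version(first_fixed)


def scan(root: str, graph=GRAPH, db=VULN_DB) -> list:
    """Depth-first walk from the root, keeping the chain by which each package was reached,
    so a finding in a transitive dependency can be traced back to the direct one."""
    findings = []
    seen = set()
    stack = [(root, (root,))]
    while stack:
        package, path = stack.pop()
        if package in seen:  # diamond dependencies are checked once
            continue
        seen.add(package)
        version, deps = graph[package]
        for first_affected, first_fixed, description in db.get(package, []):
            if is_affected(version, first_affected, first_fixed):
                findings.append(Finding(package, version, first_fixed, description, path))
        for dep in deps:
            stack.append((dep, path + (dep,)))
    findings.sort(key=lambda f: f.path)  # deterministic report order
    return findings


def remediation(finding: Finding) -> str:
    """Suggest the minimum fixed version, as an SCA tool would in its report."""
    return (f"upgrade {finding.package} {finding.version} -> {finding.fixed_in} or later "
            f"({finding.description}; reached via {' > '.join(finding.path)})")


if __name__ == "__main__":
    for finding in scan("WebApp"):
        print(remediation(finding))
```

Running the script reports both the direct RestSharp dependency and the transitive ExampleJson one, each with the chain it was reached through, which is what lets a developer see which direct dependency to bump. A real tool would read the resolved graph from the project's lock file (for .NET, packages.lock.json or project.assets.json) and take the affected-version ranges from NVD rather than a hard-coded table.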