# SCA (Software Composition Analysis)

## Definition

SCA tools focus on the software components that make up an application, including libraries and frameworks, and check them for known security flaws. They reveal vulnerabilities that are introduced by using third-party components.

## Aliases

- Software Composition Analysis
- Dependency Analysis
- Open Source Security

## Characteristics

- **Dependency analysis**: scans all third-party components of an application
- **Known-vulnerability matching**: matches components against CVE/NVD databases
- **License compliance**: checks compliance with open-source licenses
- **Supply-chain security**: focuses on security issues along the dependency chain

## What SCA Detects

- **Known Vulnerabilities**
  - CVEs in dependencies
  - Security advisories
- **Outdated Dependencies**
  - Known vulnerabilities in old versions
  - Missing security patches
- **License Issues**
  - GPL/AGPL restrictions
  - Incompatible licenses
- **Risky Dependencies**
  - Unmaintained packages
  - Malicious packages

## Common CVE Databases

- National Vulnerability Database (NVD)
- GitHub Advisory Database
- Snyk Vulnerability Database
- OSV (Open Source Vulnerabilities)

## Tools

- [[Snyk]] — SCA tool focused on open-source security
- OWASP Dependency-Check
- WhiteSource (Mend)
- FOSSA
- Dependabot (GitHub)

## Integration Points

- **CI/CD Pipeline**: scan dependencies automatically at build time
- **IDE**: real-time local checks for developers
- **Registry Scanning**: scanning of container image registries
- **SBOM Generation**: generating a software bill of materials

## SBOM (Software Bill of Materials)

SCA tools are commonly used to generate an SBOM, which contains:

- Complete dependency list
- Version information
- License information
- Vulnerability status
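
As an added example (not code from the original note or from any of the tools listed above), the following Python performs the two core SCA checks described here over an SBOM: matching each component against an advisory feed using OSV-style `introduced`/`fixed` version ranges, and flagging components whose license violates a policy. The SBOM fragment, package names, advisory IDs and license policy are all constructed for the example.

```python
import json

# Constructed CycloneDX-style SBOM fragment: package names, versions and licenses are made up.
SBOM_JSON = """{"components": [
  {"name": "example-http", "version": "2.3.1", "licenses": [{"license": {"id": "MIT"}}]},
  {"name": "example-yaml", "version": "1.9.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
  {"name": "example-pdf",  "version": "0.5.2", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]}
]}"""

# Constructed advisory feed with OSV-style introduced/fixed ranges; the IDs are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "example-http", "introduced": "2.0.0", "fixed": "2.3.5"},
    {"id": "EXAMPLE-ADV-0002", "package": "example-yaml", "introduced": "0", "fixed": "1.8.0"},
    {"id": "EXAMPLE-ADV-0003", "package": "example-pdf", "introduced": "0.5.0", "fixed": None},
]

# Example license policy: strong-copyleft licenses that need review before a proprietary release.
RESTRICTED_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}

def parse_version(text):
    """Turn '1.9.0' into a comparable tuple, padding so '1.9' sorts like (1, 9, 0)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version, advisory):
    """OSV range semantics: affected if introduced <= version < fixed; no 'fixed' means still open."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    return advisory["fixed"] is None or v < parse_version(advisory["fixed"])

def scan_sbom(sbom_json, advisories=ADVISORIES, restricted=RESTRICTED_LICENSES):
    """Return SCA findings (known vulnerabilities and license-policy hits) for each component."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        name, version = comp["name"], comp["version"]
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv):
                findings.append({"component": name, "version": version, "type": "known-vulnerability",
                                 "id": adv["id"], "fixed_in": adv["fixed"] or "no fix released"})
        for lic in comp.get("licenses", []):
            lic_id = lic.get("license", {}).get("id")
            if lic_id in restricted:
                findings.append({"component": name, "version": version,
                                 "type": "license-policy", "id": lic_id, "fixed_in": None})
    return findings
```

Running `scan_sbom(SBOM_JSON)` on the constructed input reports the vulnerable `example-http` build, the unfixed `example-pdf` advisory and the AGPL license hit, while `example-yaml` passes because its version is at or above the fixed release.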

## Limitations

- Detects only known vulnerabilities (zero-day vulnerabilities cannot be detected)
- Requires keeping the vulnerability database up to date
- Can produce false positives

## Related Concepts

- [[DevSecOps]] — SCA is a key component of it
- [[SAST]] — Static Application Security Testing
- [[DAST]] — Dynamic Application Security Testing
- [[Supply-Chain-Security]] — supply-chain security
- [[SBOM]] — software bill of materials
- [[Zero-Day-Vulnerability]] — zero-day vulnerability

## Sources

- [[what-is-devsecops-best-practices-benefits-and-tools]]