2.2 KiB
2.2 KiB
SCA (Software Composition Analysis)
Definition
SCA tools focus on the various software components of an application, including libraries and frameworks, to find known security flaws. They help reveal vulnerabilities that may occur when using third-party components.
Aliases
- Software Composition Analysis
- Dependency Analysis
- Open Source Security
Characteristics
- 依赖分析:扫描应用的所有第三方组件
- 已知漏洞匹配:与 CVE/NVD 数据库匹配
- 许可证合规:检查开源许可证合规性
- 供应链安全:关注依赖链中的安全问题
What SCA Detects
- 已知漏洞(Known Vulnerabilities)
- CVEs in dependencies
- Security advisories
- 过时组件(Outdated Dependencies)
- Known vulnerabilities in old versions
- Missing security patches
- 许可证问题(License Issues)
- GPL/AGPL restrictions
- Incompatible licenses
- 高风险依赖(Risky Dependencies)
- Unmaintained packages
- Malicious packages
Common CVE Databases
- National Vulnerability Database (NVD)
- GitHub Advisory Database
- Snyk Vulnerability Database
- OSV (Open Source Vulnerabilities)
Tools
- Snyk — 专注开源安全的 SCA 工具
- OWASP Dependency-Check
- WhiteSource (Mend)
- FOSSA
- Dependabot (GitHub)
Integration Points
- CI/CD Pipeline:在构建时自动扫描依赖
- IDE:开发者本地实时检查
- Registry Scanning:容器镜像仓库扫描
- SBOM Generation:软件物料清单生成
SBOM (Software Bill of Materials)
SCA 工具常用于生成 SBOM:
- 完整的依赖列表
- 版本信息
- 许可证信息
- 漏洞状态
Limitations
- 仅检测已知漏洞(零日漏洞无法检测)
- 需要保持漏洞数据库更新
- 可能产生误报
Related Concepts
- DevSecOps — SCA 是其重要组件
- SAST — 静态应用安全测试
- DAST — 动态应用安全测试
- Supply-Chain-Security — 供应链安全
- SBOM — 软件物料清单
- Zero-Day-Vulnerability — 零日漏洞