Software Composition Analysis
Software composition analysis (SCA) identifies which open source dependencies are used in a registry, in a source repository or by a specific component.
Common use cases for Software Composition Analysis include detecting security vulnerabilities, finding license compliance issues and producing a Software Bill of Materials (SBOM), a standardized and shareable list of the components in a piece of software.
SCA components of Bytesafe:
- Source repositories - Git repositories linked to Bytesafe. The Source Repository Scanner detects components in repositories and uses project files to identify both direct and transitive dependencies (software assets).
- Issues - Track security and license compliance for linked source repositories and for any package version held in an active npm, Maven or NuGet registry. Search for specific packages, vulnerabilities and CVEs, and review activity logs.
- SBOM - Export standardized lists of the components and dependencies in linked source repositories.
Bytesafe supports a growing number of ecosystems and package managers. Use the table below to set up your repository for the most accurate results.
|Ecosystem|Package Manager|Level|Files|Comment|
|---|---|---|---|---|
| | | | |both v1 and v2 lock-files are supported|
| | | | |projects using legacy file to specify dependencies|
| | | | |virtualenv based projects|
Bytesafe provides different levels of accuracy depending on the ecosystem and available files in the repository. For the most accurate results, generate the appropriate lock-files and commit them to the repository.
|Level|Description|
|---|---|
|EXACT|Most accurate analysis, which includes both direct and transitive dependencies with exact versions.|
|BEST EFFORT|Dependencies are resolved natively by Bytesafe rather than by the ecosystem's own build tools, so the resolved version can in some cases differ from what the build tools would pick. Only direct dependencies are identified.|
|DIRECT|Only direct dependencies are identified.|
|NONE|No dependencies are identified. Add the appropriate project file and lock file to the repository for analysis.|
Bytesafe allows users to add Git repositories for continuous dependency and vulnerability analysis.
Most projects use open source dependencies. The direct dependencies are listed in project files such as pom.xml (Maven) or package.json (npm).
Direct dependencies often have dependencies of their own, transitive dependencies, which makes the total number of dependencies much larger.
The Source Repository Scanner detects components in your repositories and uses existing lock files and project files to identify both direct and transitive dependencies.
Add a source repository
New source repositories can be added using either the URL of a Git repository or selected directly from a list of linked GitHub repositories when using the GitHub integration.
If the Git repository you are adding is private, provide credentials in the form.
Git branch information is optional. If none is provided the default branch will be selected.
After adding a source repository, users are presented with a list of detected components. Select a component, or view issues, the log and the history in the available tabs on the page.
|Tab|Description|
|---|---|
|Components|List of components found by the scanner, based on identified project files, e.g. package.json for an npm project.|
|Issues|Lists issues filtered for the source repository (all components).|
|Log|Log for the latest snapshot created.|
|History|Lists the snapshot history for the source repository together with the Git commit for each snapshot. Select a snapshot from the history to see its details.|
|Settings|Settings for the source repository. Edit the repository URL or delete the source repository from Bytesafe.|
Select Git branch
If no other information is provided Bytesafe selects the default Git branch when adding a Git repository.
To select another branch, enter the branch name either when adding a new Source repository or edit the settings of a current one on the Settings tab.
Source repositories are scanned every 24 hours, counted from the point in time when the source repository was added. In addition, repositories are rescanned when vulnerabilities are added to or updated in our database.
Additionally, users can enable rescan automation by adding the GitHub integration. Whenever project file or lock file changes are detected in a commit, Bytesafe automatically scans the repository and creates a new snapshot.
Trigger scan manually
In addition to scheduled and automated scans on changes, users can trigger scans manually in Bytesafe.
On any source repository page, click the Rescan button to create a new snapshot.
The source repository scanner detects components in folders up to three levels deep from the root of the project.
Multilanguage monorepos are supported, so multiple components of different types can be detected in the same repository.
Components and their types are identified based on the project files found, e.g. package.json for an npm project.
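The depth limit and the multi-type detection described above can be reproduced with a small directory walk. The following is an added example written for this page, not the Bytesafe scanner; the manifest-to-type mapping (package.json for npm, pom.xml for Maven), the lock-file name package-lock.json and the rule "manifest plus lock file gives EXACT, manifest alone gives DIRECT" are assumptions made for the example, since the page does not reproduce the full ecosystem table. The sample repository layout is constructed inside a temporary directory so the script runs offline.

```python
import os
import tempfile

# Assumed mapping: manifest file -> (component type, lock file whose presence
# makes the analysis EXACT). package.json/npm and pom.xml/Maven are the project
# files named on this page; the lock-file name and the level assignment are
# assumptions made for this example, not Bytesafe's actual table.
MANIFESTS = {
    "package.json": ("npm", "package-lock.json"),
    "pom.xml": ("maven", None),
}
MAX_DEPTH = 3                                   # folders up to three levels below the root
SKIP_DIRS = {".git", "node_modules", "target"}  # installed/built trees are not components


def detect_components(root, max_depth=MAX_DEPTH):
    """Return one record per component (manifest) found under `root`.

    Depth 0 is the root itself; directories more than `max_depth` levels
    below it are not entered. Several components of different types can be
    reported for one repository (monorepo support).
    """
    root = os.path.abspath(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        if depth >= max_depth:
            dirnames[:] = []                    # stop descending at the depth limit
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for manifest, (ctype, lock) in MANIFESTS.items():
            if manifest not in filenames:
                continue
            has_lock = lock is not None and lock in filenames
            found.append({
                "path": rel.replace(os.sep, "/"),
                "type": ctype,
                "level": "EXACT" if has_lock else "DIRECT",
                "files": [f for f in (manifest, lock) if f in filenames],
            })
    return sorted(found, key=lambda c: c["path"])


def build_sample_repo():
    """Create a throwaway monorepo layout (constructed sample data)."""
    base = tempfile.mkdtemp(prefix="sca-demo-")
    layout = {
        "package.json": "{}",
        "package-lock.json": "{}",
        "services/api/pom.xml": "<project/>",
        "services/web/package.json": "{}",
        "tools/lint/cfg/package.json": "{}",          # exactly three levels deep: found
        "a/b/c/d/package.json": "{}",                 # four levels deep: ignored
        "node_modules/left-pad/package.json": "{}",   # an installed package, not a component
    }
    for rel, content in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    for comp in detect_components(build_sample_repo()):
        print(f'{comp["path"]:16} {comp["type"]:6} {comp["level"]:6} {comp["files"]}')
```

Running the script lists the root npm component as EXACT (lock file present), the Maven service and the two nested npm components as DIRECT, and nothing for the four-level-deep or node_modules manifests.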
Select a component to view the detected dependencies, download SBOMs, review issues, read the log and see previous snapshot history.
Issues are automatically created when vulnerabilities are found for dependencies identified by the source repository scanner.
Issues can be searched and filtered by status, type and severity. For general information, see Issues.
Users will automatically be notified of any found issues.
The source repository scanner analyzes lock files and project files to identify the exact dependencies and versions used for a component at a specific time.
Dependencies found will be displayed in the Dependencies list.
The list includes the package name and version, but also information on the type (direct or transitive dependency) as well as the scope (production, development, or test).
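How a project file and a lock file combine into the Dependencies list described above (name, version, direct or transitive, production or development scope) is shown in this added example. It is not Bytesafe's scanner code; it reads npm's package.json together with a package-lock.json in either lockfileVersion 1 or 2 (both of which the page says are supported), and the project and lock files are constructed samples embedded inline, not from a real project. "lodash" is declared in package.json but missing from both lock files, to show how a stale lock file surfaces.

```python
import json

# Constructed sample project file and lock files (not from a real project).
# The same project is described by a lockfileVersion 2 and a lockfileVersion 1
# lock file so both layouts can be compared. "lodash" is declared in
# package.json but missing from both lock files (a stale lock file).
PACKAGE_JSON = json.loads("""
{
  "name": "demo-app", "version": "1.0.0",
  "dependencies": {"express": "^4.18.0", "lodash": "^4.17.21"},
  "devDependencies": {"jest": "^29.0.0"}
}
""")

LOCK_V2 = json.loads("""
{
  "name": "demo-app", "lockfileVersion": 2,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0",
         "dependencies": {"express": "^4.18.0", "lodash": "^4.17.21"},
         "devDependencies": {"jest": "^29.0.0"}},
    "node_modules/express": {"version": "4.18.2", "dependencies": {"cookie": "0.5.0"}},
    "node_modules/cookie": {"version": "0.5.0"},
    "node_modules/jest": {"version": "29.7.0", "dev": true, "dependencies": {"chalk": "^4.0.0"}},
    "node_modules/jest/node_modules/chalk": {"version": "4.1.2", "dev": true}
  }
}
""")

LOCK_V1 = json.loads("""
{
  "name": "demo-app", "lockfileVersion": 1,
  "dependencies": {
    "express": {"version": "4.18.2", "requires": {"cookie": "0.5.0"}},
    "cookie": {"version": "0.5.0"},
    "jest": {"version": "29.7.0", "dev": true, "requires": {"chalk": "^4.0.0"},
             "dependencies": {"chalk": {"version": "4.1.2", "dev": true}}}
  }
}
""")


def installed_packages(lock):
    """Map package name -> (resolved version, dev flag) from a package-lock.json.

    lockfileVersion 2 (and 3) keep a flat "packages" map keyed by install path;
    lockfileVersion 1 keeps a nested "dependencies" tree. Nested installs such as
    "node_modules/jest/node_modules/chalk" are collapsed to the package name.
    """
    installed = {}
    if lock.get("lockfileVersion", 1) >= 2:
        for path, meta in lock.get("packages", {}).items():
            if path == "":                      # the root project entry
                continue
            name = path.rsplit("node_modules/", 1)[-1]   # keeps "@scope/name" intact
            installed.setdefault(name, (meta.get("version"), bool(meta.get("dev"))))
        return installed

    def walk(tree):
        for name, meta in tree.items():
            installed.setdefault(name, (meta.get("version"), bool(meta.get("dev"))))
            walk(meta.get("dependencies", {}))
    walk(lock.get("dependencies", {}))
    return installed


def resolve_dependencies(package_json, lock):
    """Combine the project file (which packages are direct) with the lock file
    (exact versions and the transitive closure) into rows shaped like the
    Dependencies list: name, version, type and scope. A direct dependency that
    is absent from the lock file is reported with version None, which usually
    means the lock file is stale and the analysis cannot be EXACT.
    """
    direct_prod = set(package_json.get("dependencies", {}))
    direct_dev = set(package_json.get("devDependencies", {}))
    installed = installed_packages(lock)
    rows = []
    for name, (version, dev) in installed.items():
        rows.append({
            "name": name, "version": version,
            "type": "direct" if name in direct_prod | direct_dev else "transitive",
            "scope": "development" if (dev or name in direct_dev) else "production",
        })
    for name in (direct_prod | direct_dev) - set(installed):
        rows.append({"name": name, "version": None, "type": "direct",
                     "scope": "development" if name in direct_dev else "production"})
    return sorted(rows, key=lambda r: r["name"])


if __name__ == "__main__":
    for row in resolve_dependencies(PACKAGE_JSON, LOCK_V2):
        print(f'{row["name"]:10} {str(row["version"]):8} {row["type"]:10} {row["scope"]}')
```

Both lock-file versions yield the same five rows; the lodash row with no version is the signal a practitioner should act on, because a stale lock file means the versions actually installed by the build are not the ones being analyzed.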
The snapshot creation log details information relating to the creation of a snapshot. This includes information on the number of dependencies, issues and source files.
The log can also be used to troubleshoot failed or missing snapshots, missing components etc.
Source repositories are periodically scanned according to the scan frequency. Each scan creates a snapshot that contains the state of the source repository at a specific time and commit. The history tab allows users to view their history of snapshots and easily switch between them.
Integration with GitHub
With an active GitHub integration, source repository analysis in Bytesafe can be added for any linked GitHub repository.
Select the GitHub tab when adding a new source repository, open the drop-down list and select a repository.
Rescan automation when detecting changes
A main benefit of the GitHub integration is that source repositories and components will automatically be rescanned when changes are detected in project files in the repository.
When a new commit alters the package dependencies in the GitHub repository, the integration automatically notifies Bytesafe.
Software Bill of Materials (SBOM)
Software Bills of Materials (SBOMs) are standardized and shareable lists of the components in a piece of software.
SBOMs in Bytesafe are JSON files in the CycloneDX format.
Example: SBOM JSON file for the Bytesafe source repo demo component (excerpt):
```json
"name": "Bytesafe SBOM generator",
```
SBOMs can be downloaded either for a specific component or for all the components found in a source repository.
To export an SBOM, click the Download SBOM button on the applicable page.
For more information on the CycloneDX format, visit CycloneDX.org.
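To make the CycloneDX structure concrete, the following added example builds a CycloneDX 1.4 JSON document from a resolved dependency list of the kind shown in the Dependencies list above, and runs the consistency checks worth applying to any SBOM before publishing or importing it. This is illustration code written for this page, not Bytesafe's SBOM generator: the tool name "example-sbom-generator", the mapping of production/development scope onto CycloneDX's required/optional scope values, and the inline dependency list are all constructed assumptions.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed sample: the resolved dependency list of one npm component, in the
# shape of the Dependencies list (name, version, type, scope). "depends_on"
# carries the edges needed for the CycloneDX dependency graph.
SAMPLE_DEPENDENCIES = [
    {"name": "express", "version": "4.18.2", "type": "direct", "scope": "production", "depends_on": ["cookie"]},
    {"name": "cookie", "version": "0.5.0", "type": "transitive", "scope": "production", "depends_on": []},
    {"name": "@babel/core", "version": "7.23.0", "type": "direct", "scope": "development", "depends_on": []},
    {"name": "jest", "version": "29.7.0", "type": "direct", "scope": "development", "depends_on": []},
]


def npm_purl(name, version):
    """Package URL for an npm package; the scope prefix "@" is percent-encoded."""
    return "pkg:npm/" + name.replace("@", "%40") + "@" + version


def build_sbom(root_name, root_version, deps, tool_name="example-sbom-generator"):
    """Build a CycloneDX 1.4 document (as a dict) for one component.

    The purl doubles as bom-ref so every dependency-graph edge can be checked
    against the component list. Scope mapping (assumed for this example):
    production -> "required", development -> "optional".
    """
    root_ref = npm_purl(root_name, root_version)
    refs = {d["name"]: npm_purl(d["name"], d["version"]) for d in deps}
    components = [{
        "type": "library",
        "bom-ref": refs[d["name"]],
        "name": d["name"],
        "version": d["version"],
        "purl": refs[d["name"]],
        "scope": "required" if d["scope"] == "production" else "optional",
    } for d in deps]
    dependencies = [{"ref": root_ref,
                     "dependsOn": [refs[d["name"]] for d in deps if d["type"] == "direct"]}]
    for d in deps:
        dependencies.append({"ref": refs[d["name"]],
                             "dependsOn": [refs[n] for n in d["depends_on"]]})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": "urn:uuid:" + str(uuid.uuid4()),
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "tools": [{"name": tool_name}],
            "component": {"type": "application", "bom-ref": root_ref,
                          "name": root_name, "version": root_version, "purl": root_ref},
        },
        "components": components,
        "dependencies": dependencies,
    }


def check_sbom(doc):
    """Return a list of problems (empty when the document is consistent):
    wrong format, components without a purl, and dependency edges that point
    at a bom-ref no component declares (a dangling graph edge).
    """
    problems = []
    if doc.get("bomFormat") != "CycloneDX" or "specVersion" not in doc:
        problems.append("not a CycloneDX document")
    known = {c.get("bom-ref") for c in doc.get("components", [])}
    known.add(doc.get("metadata", {}).get("component", {}).get("bom-ref"))
    for c in doc.get("components", []):
        if not c.get("purl"):
            problems.append(f"component {c.get('name')} has no purl")
    for entry in doc.get("dependencies", []):
        for ref in entry.get("dependsOn", []):
            if ref not in known:
                problems.append(f"{entry['ref']} depends on unknown ref {ref}")
    return problems


if __name__ == "__main__":
    sbom = build_sbom("demo-app", "1.0.0", SAMPLE_DEPENDENCIES)
    print(json.dumps(sbom, indent=2))
    print("problems:", check_sbom(sbom))
```

The dangling-reference check matters in practice: consumers that merge or diff SBOMs walk the dependencies graph, and an edge pointing at a ref with no component silently drops part of the tree from vulnerability matching.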