Software Composition Analysis

Scan & identify software assets in your supply chain

Software composition analysis (SCA) identifies which open source dependencies are used in a registry, in a source repository or by a specific component.

Common use cases for Software Composition Analysis include detecting security vulnerabilities, detecting license compliance issues and producing a Software Bill of Materials (SBOM), a standardized and shareable list of the components in a piece of software.

SCA components of Bytesafe:

  • Source repositories - Git repositories linked to Bytesafe. The Source Repository Scanner detects components in repositories and uses project files to identify both direct and transitive dependencies (software assets).
  • Issues - Track security and license compliance for linked source repositories and for any package version held in an active Npm, Maven or NuGet registry. Search for specific packages, vulnerabilities, CVEs and review activity logs.
  • SBOM - Export standardized lists of the components and dependencies in linked source repositories.

Source repositories

Bytesafe allows users to add Git repositories for continuous dependency and weakness analysis.

Most projects use open source dependencies. The direct dependencies are listed in project files like package.json (npm), pom.xml (Maven) or .csproj (NuGet). Direct dependencies often have dependencies of their own (transitive dependencies), which makes the total number of dependencies much larger.

The Source Repository Scanner detects components in your repositories and uses existing lockfiles and project files to identify both direct and transitive dependencies.

Add a source repository

New source repositories can be added using either the URL of a Git repository or selected directly from a list of linked GitHub repositories when using the GitHub integration.

Add a Git source repository

If the Git repository you are adding is private, provide credentials in the form.

Git branch information is optional. If none is provided, the default branch will be selected.

Private GitHub repositories (without the GitHub integration) require a personal access token as the password. No username is required.

After adding a source repository, users are presented with a list of detected components. Select a component, or view issues, the log and the history in the tabs available on the page.

Tabs on the source repository page:

  • Components - List of components found by the scanner, based on the project files identified, e.g. package.json for an npm project.
  • Issues - Lists issues filtered for the source repository (all components).
  • Log - Log for the latest snapshot created.
  • History - Lists the snapshot history for the source repository together with the Git commit for each snapshot. Select a snapshot from the history to see its details.
  • Settings - Settings for the source repository. Edit the repository URL or delete the source repository from Bytesafe.

Select Git branch

If no other information is provided, Bytesafe selects the default Git branch when adding a Git repository.

To select another branch, enter the branch name either when adding a new source repository or by editing the settings of an existing one on the Settings tab.

Select Git branch for a source repository

Scan frequency

Source repositories are scanned every 24 hours, starting from the point in time when the source repository was added. In addition, repositories are scanned when vulnerabilities are added or updated in our database.

Additionally, users can enable rescan automation by adding the GitHub integration. Whenever project or lockfile changes are detected in a commit, Bytesafe will automatically scan the repository and create a new snapshot.

Trigger scan manually

In addition to scheduled and automated scans on changes, users can trigger scans manually in Bytesafe.

On any source repository page, click the Rescan button to create a new snapshot.

Trigger source repository scan manually in Bytesafe

Detected components

The source repository scanner will detect components in folders up to three levels deep from the root of the project. Monorepos are supported, so multiple components of different types can be detected in the same repository.

components identified by the source repository scanner in Bytesafe

Components and their types are identified from the project files found, e.g. package.json for an npm project.

Supported components:

  • Npm modules - Analysis based on the project file package.json and the lockfiles package-lock.json, yarn.lock and pnpm-lock.yaml.
  • NuGet modules - Analysis based on .csproj project files and the lockfile packages.lock.json.
  • Gradle components - Analysis based on the project files build.gradle (or build.gradle.kt) and the lockfile gradle.lockfile.
  • Go modules - Analysis based on the project files go.mod and go.sum.

Coming soon: source repository analysis for Maven projects.

Select a component to view the detected dependencies, download SBOMs, review issues, read the log and see previous snapshot history.

Issues

Issues are automatically created when vulnerabilities are found for dependencies identified by the source repository scanner.

Issues can be searched and filtered on status, type and severity. For general information see Issues.

issues for a source repository component

Users will automatically be notified of any issues found.

Dependencies

The source repository scanner analyzes lockfiles and project files to identify the exact dependencies and versions used for a component at a specific time.

The dependencies found are displayed in the Dependencies list.

The list includes the package name and version, but also the type of dependency (direct or transitive) as well as its scope (production, development or test).
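To make the direct/transitive and scope attributes concrete, here is an added Python example (not Bytesafe's own scanner code) that derives them from an npm package-lock.json; the lockfile content is constructed and the function names are assumptions.

```python
import json

# Constructed package-lock.json (lockfileVersion 3 layout) for a made-up project:
# jest is a direct devDependency, chalk is only reached through jest.
LOCKFILE = json.loads("""{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"left-pad": "^1.3.0"}, "devDependencies": {"jest": "^29.0.0"}},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/jest": {"version": "29.0.0", "dev": true, "dependencies": {"chalk": "^4.0.0"}},
    "node_modules/chalk": {"version": "4.1.2", "dev": true}
  }
}""")

def classify_dependencies(lock):
    """Return {name: {version, type, scope}} for every installed package in the lockfile."""
    packages = lock["packages"]
    root = packages.get("", {})                        # the project's own manifest entry
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    result = {}
    for path, entry in packages.items():
        if not path.startswith("node_modules/"):
            continue
        # rsplit keeps scoped names such as @babel/runtime; a nested duplicate
        # (node_modules/a/node_modules/b) overwrites the top-level entry of b
        name = path.rsplit("node_modules/", 1)[1]
        result[name] = {
            "version": entry["version"],
            "type": "direct" if name in direct else "transitive",
            "scope": "development" if entry.get("dev") else "production",
        }
    return result

def summarize(deps):
    """Count dependencies per (type, scope) pair."""
    counts = {}
    for info in deps.values():
        key = (info["type"], info["scope"])
        counts[key] = counts.get(key, 0) + 1
    return counts
```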

Identified dependencies for a source repository component

Log

The snapshot creation log details information relating to the creation of a snapshot. This includes information on the number of dependencies, issues and source files.

The log can also be used to troubleshoot failed or missing snapshots, missing components, etc.

Log for a source repository component snapshot

History

Source repositories are periodically scanned according to the scan frequency. Each scan creates a snapshot that contains the state of the source repository at a specific time and commit. The history tab allows users to view their history of snapshots and easily switch between them.

Snapshot history for a source repository component

Integration with GitHub

With an active GitHub integration, source repository analysis in Bytesafe can be added for any linked GitHub repository.

Select the GitHub tab when adding a new source repository, open the drop-down list and select a repository.

add source repository using GitHub integration in Bytesafe

Rescan automation when detecting changes

A main benefit of the GitHub integration is that source repositories and components will automatically be rescanned when changes are detected in project files in the repository.

When a new commit alters the package dependencies in the GitHub repository, the integration automatically notifies Bytesafe.

Software Bill of Materials (SBOM)

A Software Bill of Materials (SBOM) is a standardized and shareable list of the components in a piece of software.

SBOMs in Bytesafe are JSON files in the CycloneDX format.

# Example: SBOM JSON file for the Bytesafe source repo demo component

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "serialNumber": "urn:uuid:ceafb7f8-996e-11ec-96f6-0213bb11c0fe",
  "version": 1,
  "metadata": {
    "timestamp": "2022-02-28T20:14:17Z",
    "tools": [
      {
        "vendor": "Bytesafe",
        "name": "Bytesafe SBOM generator",
        "version": "1.0.0"
      }
    ],
    "component": {
      "bom-ref": "pkg:npm/bitfront-se/bytesafe-source-repo-demo@1.2.3?repository_url=https:/github.com/bitfront-se/bytesafe-source-repo-demo",
      "type": "library",
      "name": "bytesafe-source-repo-demo",
      "version": "1.2.3",
      "purl": "pkg:npm/bitfront-se/bytesafe-source-repo-demo@1.2.3?repository_url=https:/github.com/bitfront-se/bytesafe-source-repo-demo"
    }
  },
  "components": [
    {
      "bom-ref": "pkg:npm/%40babel/runtime@7.17.2",
      "type": "library",
      "group": "@babel",
      "name": "runtime",
      "version": "7.17.2",
      ...
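As an added example, not code from Bytesafe or the CycloneDX project, the following Python reads a CycloneDX JSON document laid out like the export above, checks the envelope, builds a name@version inventory and flags components whose purl disagrees with their declared group, name or version; the sample SBOM is constructed and the function names are assumptions.

```python
import json
from urllib.parse import unquote

# Constructed CycloneDX 1.4 document in the layout of the Bytesafe export above;
# the second component's purl deliberately disagrees with its declared version.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "metadata": {"component": {"type": "library", "name": "demo", "version": "1.2.3"}},
  "components": [
    {"bom-ref": "pkg:npm/%40babel/runtime@7.17.2", "type": "library", "group": "@babel",
     "name": "runtime", "version": "7.17.2", "purl": "pkg:npm/%40babel/runtime@7.17.2"},
    {"bom-ref": "pkg:npm/left-pad@1.3.0", "type": "library",
     "name": "left-pad", "version": "1.3.0", "purl": "pkg:npm/left-pad@1.3.1"}
  ]
}"""

def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version?qualifiers' into its parts."""
    if not purl.startswith("pkg:"):
        raise ValueError("not a package URL: " + purl)
    body = purl[4:].split("?", 1)[0]           # qualifiers such as repository_url are dropped
    ptype, _, rest = body.partition("/")
    path, sep, version = rest.rpartition("@")  # the version follows the last literal '@'
    if not sep:
        path, version = rest, None
    segments = [unquote(s) for s in path.split("/")]  # %40babel -> @babel
    return {"type": ptype, "namespace": "/".join(segments[:-1]) or None,
            "name": segments[-1], "version": version}

def load_inventory(text):
    """Check the CycloneDX envelope and return {'<group>/<name>@<version>': purl}."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or not bom.get("specVersion"):
        raise ValueError("not a CycloneDX BOM")
    inventory = {}
    for comp in bom.get("components", []):
        full = f"{comp['group']}/{comp['name']}" if comp.get("group") else comp["name"]
        inventory[f"{full}@{comp['version']}"] = comp["purl"]
    return inventory

def purl_mismatches(text):
    """Keys whose purl does not match the declared group/name/version (a malformed SBOM)."""
    bad = []
    for key, purl in load_inventory(text).items():
        p = parse_purl(purl)
        full = f"{p['namespace']}/{p['name']}" if p["namespace"] else p["name"]
        if key != f"{full}@{p['version']}":
            bad.append(key)
    return bad
```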

SBOMs can be downloaded either for a specific component or for all the components found in a source repository.

To export an SBOM, click the Download SBOM button on the applicable page.

download sbom json file for a component from Bytesafe

For more information on the CycloneDX format, visit CycloneDX.org.