SCA Scanner
Overview
Software developers are relying more and more on open source components to expedite the software development process. Projects often use numerous open source libraries, each of which calls on numerous direct and transitive dependencies. No matter how secure your proprietary code is, these open source dependencies can expose you to a broad range of security and legal risks.
The SCA scanner is Checkmarx's proprietary Software Composition Analysis (SCA) solution for detecting risks associated with your open source dependencies. Checkmarx SCA enables you to easily identify, prioritize, and remediate the risks posed by your open source packages. These risks may include security vulnerabilities, license requirements and outdated open source packages. SCA addresses all of these issues, providing highly accurate, relevant, and actionable insights.
Key Features
Exploitable Path
Prioritizing remediation of the many open source vulnerabilities identified by Checkmarx SCA can be a challenging task. It isn’t always apparent whether the vulnerable packages are actually being called by your project and whether the vulnerable methods are actually being used by your code. The key question is: Is there a path from your project code into the vulnerable package code, whereby the vulnerable packages could be exploited in your project? If not, then remediation is a much lower priority.
This is where the Exploitable Path feature is essential. Checkmarx SCA leverages SAST’s ability to scan the actual project code itself in parallel with scanning the manifest file, in order to validate whether the vulnerable open source packages are called from your proprietary code and whether the vulnerable methods are actually used by your code. This enables you to focus on the remediation of actively exploitable vulnerabilities.
Exploitable Path also identifies which lines in your project code actually reach the vulnerable method in the vulnerable package and shows you the full path to the vulnerability.
Key Benefits
Verify whether the vulnerable methods in the open source packages are being called by your proprietary code.
Prioritize remediation of exploitable vulnerabilities.
See the full path from the project code to the vulnerable method.
Current Limitations
Supported languages: Python, Java, JavaScript and C#.
Using the Exploitable Path feature might cause scans to take longer time.
We find exploitable paths only for packages that are called directly in the code and where the vulnerable method is in the called package itself.
Exploitable paths created by reflection are not supported.
Not all open source packages have been scanned for Exploitable path yet. However, once the user scans a project with a particular package, the package gains priority and will be scanned in the next 48 hours.
Exploitable Path feature is limited to the Checkmarx SAST engine capabilities, such as languages and types of runtime loads.
Exploitable Path is based on results from the most recent full SAST scan of the project, results from incremental scans aren't considered.
Packages exceeding 100Mb are not scanned.
Exploitable Path information is not updated when Risk Recalculation is run on a scan. You need to run the scan again to get the Exploitable Path results.
For JavaScript projects, Exploitable Path doesn’t identify:
packages using anonymous exports, e.g.,
module.exports = function(options) {....}.constructor patterns in the source code, e.g.,
const someObject= Requier("jwt")someObject(options)
Enabling Exploitable Path
Exploitable path can be activated on the account level under Acccount Settings > SCA, or on the project level under the Project Settings > Rules > SCA rule. When activating Exploitable Path on the account level, you can configure whether or not results from previous SAST scans will be used for identifying Exploitable Path (and for how long they will be considered valid).
SCA Resolver
Checkmarx SCA Resolver is an on-prem utility that enables you to resolve and extract dependencies and fingerprints from your source code and send them to the Checkmarx One platform for risk analysis. The Resolver uses command line interface (CLI) commands to configure and scan your Projects.
Checkmarx SCA Resolver enables you to run a comprehensive SCA scan without the need to send your actual source code to the cloud. It also enables you to scan private (local) dependencies that aren’t accessible to the Checkmarx One platform.
For Checkmarx One accounts, Resolver is run via the Checkmarx One CLI, by adding the relevant flags to the scan create command. Resolver runs in Offline mode and the results are automatically sent to the Checkmarx One cloud for analysis.
After the File Analysis and Dependency Resolution are completed on-prem, the output of the analysis, the “evidence files”, are sent to the cloud for the final process of Evidence Analysis.
The project name
List of all file names and relative paths (except the ones that were excluded from the scan)
Various checksums of the files (SHA-1, SHA-1 on content without spaces, etc.)
Manifest files (except for scans run via Resolver with the
--no-upload-manifestflag)
Notice
The complete list of files that are sent to the cloud can be seen in Files Used for Manifest Resolution.
Names of dependencies extracted from manifest files
Scan errors and warnings such as “Failed resolving dependencies”. Each warning message may contain a file path as an argument.
SAST Exploitable Path Query result (for Exploitable Path scans)
Delta Scans
The Delta scan feature dramatically cuts the time of SCA scans when rescanning an existing project., if the manifest files haven’t been changed since the last scan, then we skip the dependency resolution process. This can cut scan times by up to 95% without detracting from the accuracy of the scan.
Once a week a full scan is enforced even if no changes were detected in the manifest files. This is intended to identify version changes caused by use of ranged versions.
When a scan runs as a Delta scan, an indication is shown in the Resolving Info dialog in the SCA scan results viewer.
Current Limitations
Only applies to scans run in the cloud, not to scans using SCA Resolver.
Supported for all languages and package managers for which dependency resolution is done using manifest files except for C and C++.
Does not apply to languages for which dependency resolution is done by file analysis (fingerprint method).
- Currently available only in Multi-Tenant environments, not for Single-Tenant.
SCA Auto Pull Request
For Code Repository Integration projects, you can configure automatic submission of pull requests to remediate SCA vulnerabilities. The PR updates the package versions specified in your manifest file with remediated versions of those packages based on Checkmarx's recommendations. This feature is supported for all supported SCMs (GitHub, GitLab, Bitbucket and Azure DevOps).
This feature can be activated on the project level by turning on the SCA Auto Pull Request toggle in the project settings.
Limitations
Currently supported only for npm
package.jsonmanifest files.
Export Remediated Manifest File
You can generate remediated manifest file/s that contain the recommended versions of your packages. You can download the remediated manifest files and use them to update your project.
You can export the remediated manifest file/s from the SCA scan results viewer page. The file/s is exported as a zip archive, which maintains your project's file structure.
Notice
Current limitations:
Supported only for npm
package.jsonmanifest filesRemediates only direct dependencies (not transitive)
Because this method updates all vulnerable packages (sometimes changing a major version) it may break methods used in your code. You may need to refactor your code to avoid changes in functionality.
Scan Reports and SBOM Reports
Results from the SCA scanner are returned together with results from other scanners is the Checkmarx One Scan Reports and Projects Reposts. See Checkmarx One Reports
In addition, you can generate specialized SCA scan reports as well as Software Bill of Materials (SBOM) reports based on the packages identified by SCA.
Scanning SBOMs
You can run an SCA scan on an SBOM file. The scan is run as a Checkmarx One project, with the source specified as an SBOM file. The SCA scanner returns comprehensive results of all risks associated with your open source packages. This enables customers who don’t want to submit their actual code, to obtain comprehensive SCA results for their project and manage the remediation via Checkmarx One.
Note
This capability is distinct from the capability to analyze an SBOM using the POST /analysis/requests API. The new method shows SCA results in the context of an actual Checkmarx One project, as opposed to just returning a report with the enriched SBOM data.
Limitations:
Supported upload formats CycloneDX (v1.0-1.6) and SPDX (v2.2)
It is mandatory to include the Package URL (purl) for each package in the SBOM. For more information about purl syntax, see here.
Can only be run from the UI (not CLI or API)
Only the SCA scanner can run on an SBOM
Can only run on a “manual” project (not a code repository integration)
AI Guided Package Remediation
When the SCA scanner identifies a vulnerable package in your project and there is no remediated version available, a button is shown that enables you to get AI generated suggestions for non-vulnerable replacement packages.
Policy Management
Create customized policies with conditions relating to results from the SCA scanner. Conditions can relate to packages, vulnerabilities, malicious packages, and licenses.
For more information, see SCA Policy Conditions.