Software Composition Analysis

​

Overview

​

Key Features

• Vulnerability Database Integration: Continuously updated vulnerability detection using CVE databases and security advisories.
• Severity Filtering: Filter vulnerabilities by severity (Critical, High, Medium, Low) to prioritize remediation efforts.
• Package Health Analysis: Assess the overall health and maintenance status of your dependencies.
• Multi-Ecosystem Support: Analyze packages across npm, PyPI, Maven, RubyGems, NuGet, Go modules, and more.
• License Compliance: Identify license risks and ensure compliance with your organization’s policies.
• Dependency Tree Visualization: Understand the full dependency chain and identify transitive vulnerabilities.
• Update Recommendations: Get specific version recommendations for secure package updates.
• Autofixing: Automatically update vulnerable packages to secure versions (Coming soon).

​

How It Works

1. Select Repository: Choose the repository containing the package manifests you want to analyze.
2. Scan Dependencies: The system automatically detects and scans package.json, requirements.txt, pom.xml, Gemfile, and other dependency files.
3. Vulnerability Detection: Third-party packages are analyzed against known vulnerability databases and security advisories.
4. Filter Results: Use filtering options to focus on critical vulnerabilities or specific package ecosystems.
5. Review Impact: Examine detailed vulnerability information including CVE details, CVSS scores, and exploitation likelihood.
6. Remediation Guidance: Receive specific recommendations for updating or replacing vulnerable packages.
7. Autofix (Coming Soon): Automatically update vulnerable dependencies to secure versions with compatibility checks.

​

Supported Package Managers

• JavaScript/TypeScript: npm, yarn, pnpm
• Python: pip, pipenv, poetry
• Java: Maven, Gradle
• Ruby: Bundler
• .NET: NuGet
• Go: Go modules
• PHP: Composer
• Rust: Cargo