support for analyzing manifests of package ecosystems: Maven, Gradle, NPM, NuGet, PyPi, Ruby Gems, Cocoapods, Composer, Conan, Go Modules, Cargo and sbt;
integration with proxy repositories: Nexus Repository Manager, JFrog Artifactory Pro;
integration with version control systems: Gitlab, Github, Bitbucket and Azure DevOps;
universal integration into build systems using a CLI agent: Jenkins, Gitlab, Teamcity, etc.;
maintaining a component inventory (SBoM, Software Bill of Materials);
reports;
management of notification policies;
integration of mail notifications;
integration with the task management system Jira;
user management system and integration via LDAP;
differentiation of access rights for different users;
logging of all performed operations (audit log);
open API for integration with any element of the system.
Functional characteristics of SCA (Software Composition Analysis)¶
analysis of Docker images;
analysis of system packages;
analysis of package manager manifests;
Open Source check at all stages of the DevSecOps cycle with the ability to set security policies for individual project stages:
checks in the CI pipeline by a universal agent with the ability to block the build;
check on the developer’s local machine (CLI agent);
detection of Open Source dependencies:
by ecosystem, package name and version;
according to configuration files (manifests) of package managers;
through the mechanism for resolving transitive dependencies;
through a mechanism for identifying Open Source inclusions using a vendor metadata database and flexible search algorithms;
separation of direct and transitive dependencies and determination of the relationship to development environments (scope): runtime, compile, test, provided and others;
construction of dependency graph with the ability to trace the use of transitive components;
updating information about detected dependencies:
general information: detection method; package release date; package author; official web page; link to the index; application environment (scope) and link to the dependency graph; link to manifest;
information about vulnerabilities;
information about licenses;
usage in the organization’s projects;
providing information about vulnerabilities:
identifiers in knowledge bases;
description of the vulnerability;
severity assessment according to CVSS 2 and CVSS 3.1;
links to additional vulnerability indexes;
recommended package version for update;
list of all projects affected by the vulnerability;
additional links to vulnerabilities containing links to patches, exploits and vulnerable commits;
provision of information about licenses:
licensed landscape of the project;
SPDX-license identifier;
license text;
a brief introduction to the license terms;
information about license compatibility (license compliance);
identification and deduplication of vulnerabilities from knowledge bases:
NIST National Vulnerability Database (NVD);
Databank of information security threats (BDU FSTEC);
Github Security Advisory (GHSA);
Open Source Vulnerabilities (OSV);
Sonatype OSSIndex;
Kaspersky Open Source Software Threats Data Feed (connected upon request);
Vendor feed (protestware).
setting up security rules (policies) according to 30 criteria, including:
categories and types of licenses, vendor's license purity policy;
according to the characteristics of the package: directive/transitive and environment (scope);
according to package blacklists, including the prepared feed toxic-repos (protestware);
setting up security policies separately for scanning code in repositories, in proxy repositories, CI pipeline and the local developer machine, indicating the stages of project development (stages);
a system for displaying scan results for each individual stage and the ability to manage ignored events;
an ability to configure protection against popular attacks on the supply chain;
an ability to configure policy ignores by different parameters: organization: project; technologies; package; license type; vulnerability identifier; for individual policies; ability to specify temporary event ignoring (from to).
Functional characteristics of TQI (Teams & Quality Intelligence)¶
building a profile of projects, detailing the technical and authoring composition of the development;
building a profile of developers, detailing their work in the analyzed projects, taking into account the amount of work and the quality of the changes made;
automatic scoring of similar developers in analyzed projects:
by experience in projects and technologies;
by similarity of technical base;
by proximity in quality characteristics;
search for developer activity in Open Source projects;
analysis of borrowings using fuzzy search algorithms (tolerance to renaming objects in the code):
search for intra-project code duplicates;
search for cross-project code duplicates;
determination of the volume of borrowings found;
construction of an interactive map of borrowings;
determination of the time of occurrence of borrowing;
linking authorship to found duplicate codes;
assessment of the complexity of project support:
calculation of cyclomatic complexity of code in the context of a project;
calculation of cyclomatic complexity of code in the context of the author;
construction of analytical retrospective maps:
project development;
works of authors;
evolution of project complexity.
integration into the software development cycle (SDLC) through integration with source code versioning systems.