Integration stages¶
The software composition analysis system CodeScoring is integrated into the software development life cycle in order to prevent known vulnerabilities and license-incompatible or dangerous components from entering the final product at all stages of software product creation:
- The stage of downloading Open Source components from external sources into a proxy repository of an organization;
- Stage of development or maintenance of program code;
- Stage of assembling software products;
The general diagram of the controlled stages of software development is presented below:
Stage of downloading Open Source components¶
To speed up software assembly processes, intermediate storages of software components are used in development - proxy repositories. Typically, proxy repositories are located within an organization's secure loop and provide caching processes for software libraries used by developers. Additionally, these repositories can be used to store your own versions of assemblies and modules that make up the organization's software products.
The leaders in this class of solutions are systems such as Nexus Repository Manager from Sonatype and JFrog Artifactory PRO from JFrog.
The CodeScoring solution provides integration with both presented systems using a special extension plugin CodeScoring OSA. The task of the plugin is to perform a check for compliance with the configured policies for each request to the stored component and, in case of non-compliance, block the downloading of the component with the option of completely removing it from the storage. This approach makes it possible to prevent the emergence of new vulnerable components in artifact repositories, as well as to remove existing packages when vulnerabilities are identified in them.
Stage of assembling software products¶
To build software products, developers use automation tools such as Gitlab CI/CD, Jenkins, Bitbucket Pipelines. The task of such tools is to ensure the assembly of a software product from available artifacts, consisting of its own code and third-party components.
For security purposes before the final assembly of the software the following processes are established:
- Compositional analysis of software Software Composition Analysis for checking third-party components;
- Static application security analysis Static Application Security Testing for verification to check your own code.
SCA systems provide software inventory with Software Bill of Materials, identification of known vulnerabilities and determination of license purity.
The CodeScoring solution provides three modes for identifying third-party components in the analyzed code base:
- Analysis of manifests – lists of dependencies generated by developers manually or automatically;
- Resolution of transitive dependencies – a chain of components introduced into the product by first-level dependencies;
- Identification of direct inclusions of Open Source libraries - situations when a third-party component is physically copied into the organization’s own development and is not included by the developers in the manifests of package managers.
As part of the build phase, the CodeScoring system applies a special CLI agent in the form of a binary file. The agent checks the identified components against the configured security policies for the selected product and, if they do not comply with policies with a block status, returns the appropriate error code, which signals the build to stop.
Stage of development and maintenance of program code¶
CodeScoring supports integration with the main version control systems - Github, Gitlab, Bitbucket and Azure DevOps,
To monitor the safety of source code during the process of writing it, the CodeScoring system implements a mechanism for Continuous Risk Monitoring. The system checks the source code according to a customizable scanning schedule and can signal detected problems to related systems, such as Jira task management system or SOAR/SIEM security incident aggregation and orchestration systems or simply notify the responsible specialist by email.