Open source risks identification at all stages of software development cycle

NVD CVE

OSV

GHSA

We collect data from multiple data feeds, including NVD CVE, GHSA, OSV, and more than a dozen of ecosystem feeds. Our process includes de-duplicating records and identifying errors in publicly available data. Private feeds from market experts are available as well. Information is supplemented with data on secure package versions, links to patches and public exploits.

Identification and correction of vulnerabilities

CodeScoring.SCA
key features

Generate SBOMs and dependency graphs, with integrated checks in the CI pipeline, enforcing security and license compatibility policies. We perform thorough checks at the source code level, as well as on build artifacts and container images. Policies can be customized for each stage of the build process.

Working with Open Source
licenses

CodeScoring's regularly updated license database contains information on 2000+ Open Source licenses. The solution is accompanied by a vendor-specific license compatibility policy, and you can configure your own policies to prevent or block components with licenses containing export restrictions or overly restrictive terms of use.

Identification of components and building a Bill of Materials

The universal CodeScoring agent can be ran on the developer's local machine or in the pipeline at the required build stage. The system provides manifest analysis, transitive dependency resolution and identification of Open Source inclusions in the product code. As a result, a Software Bill of Materials (SBoM) is built, enriched with information about vulnerabilities and licenses.

Convenience of the software audit

The system builds a visualization of detected connections between components in the form of a convenient interactive graph, which will help you quickly identify the location of a problem in the codebase of the product. You can also scan code repositories for quick audit of components. The result is immediately visible.

Flexible security policies

When setting up a policy system, you can configure it not only based on the severity of a vulnerability but also by specific components of the CVSS vector or CWE. Additionally, you can track packages using a blacklist, age, author, or other criteria.

Solution at every stage

You can detect a problem at the stage of scanning a directory with code, checking a collected artifact or a container image. You can configure a separate policy for each stage to react to risks as early as possible. When a policy is triggered, you can send a notification to the mail, create a task in the task management system or send a notification to the SOAR/ASOC system. It is possible to configure recursive SBoM inspection as well.

Convenient UI

CodeScoring provides a comfortable experience and clear interface to solve your problems

Working with dependencies

We have implemented a handy interactive relationship graph where you can immediately understand the relationships between components and get detailed information on problematic dependencies.