SCA technology for libraries (Northstar)

Contrast Software Composition Analysis (SCA) identifies open-source libraries through run-time analysis, file system scanning, and dependency analysis. Leveraging these techniques, SCA reports an exact inventory to Contrast.

The security of the libraries that an application uses affects the overall security of your application.

Libraries can be public or private. Public libraries are open-source libraries sourced from Maven (Java), NuGet (.NET), npm (Node.js), RubyGems (Ruby), PyPI (Python), pkg.go (Go), and Composer (PHP). Private libraries are commercial third-party libraries or custom-built libraries.

Contrast agents automatically identify open-source libraries included in an application. Contrast identifies any vulnerabilities found in your libraries and confirms if the library is used at runtime.

To do this, Contrast computes a hash of the library file and compares it against a database of known library files. If the hash is in the database, Contrast can provide library version information and report on the total vulnerabilities (CVEs) found in the library.

Note

If your library is a custom file, the hash won't be found in the database, and the agent reports the library as "unknown" to the Contrast application. This may also occur if the library has recently been released or if you are using an on-premises airgap installation and have not updated the library definitions recently.

For Java clients, WebSphere repackages libraries at runtime, so their SHA-1 hash is different from anything known to Contrast. To preserve the SHA-1 during deployment, set the JVM system property org.eclipse.jst.j2ee.commonarchivecore.ignore.web.fragment to "true".

Also, any wsadmin calls must have the same parameter:

wsadmin -javaoption "-Dorg.eclipse.jst.j2ee.commonarchivecore.ignore.web.fragment=true"
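The following is an added example that illustrates the hash-based identification described above and the repackaging caveat; it is not Contrast's code or its real database. It builds a small in-memory jar, records its SHA-1 in a constructed "known libraries" table, then shows that a custom jar and a copy of the published jar that has been rewritten with new zip metadata (an assumed, simplified stand-in for what an application server might do at deploy time) both come back as "unknown" even though the rewritten copy still contains the same code.

```python
import hashlib
import io
import zipfile


def build_jar(entries, date_time=(2020, 1, 1, 0, 0, 0)):
    """Build an in-memory jar (a zip archive) from a {path: bytes} mapping.

    Timestamps are fixed so the output is deterministic and can be hashed.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            info = zipfile.ZipInfo(path, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def sha1_hex(data):
    """SHA-1 of the whole archive file, the fingerprint the page describes."""
    return hashlib.sha1(data).hexdigest()


def repackage(jar_bytes, date_time=(2021, 6, 1, 12, 0, 0)):
    """Simulate a container rewriting an archive at deploy time.

    The entries and their bytes are unchanged; only zip metadata (here, the
    entry timestamps) is rewritten. This is an assumed simplification, not a
    model of any specific application server.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        entries = {name: zf.read(name) for name in zf.namelist()}
    return build_jar(entries, date_time=date_time)


def content_fingerprint(jar_bytes):
    """Hash of entry names and contents only, ignoring zip metadata.

    Included to show the repackaged archive still carries the same code; this
    is an illustration, not the file-level lookup the page describes.
    """
    h = hashlib.sha1()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in sorted(zf.namelist()):
            h.update(name.encode())
            h.update(b"\0")
            h.update(zf.read(name))
    return h.hexdigest()


def identify(jar_bytes, known):
    """Look the archive's SHA-1 up in a known-library database."""
    digest = sha1_hex(jar_bytes)
    if digest in known:
        name, version = known[digest]
        return {"status": "known", "name": name, "version": version, "sha1": digest}
    return {"status": "unknown", "sha1": digest}


# Constructed sample data: a toy "published" library and a private custom jar.
PUBLISHED_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nImplementation-Version: 1.2.3\n",
    "org/example/lib/Util.class": b"\xca\xfe\xba\xbe" + b"\x00" * 16,
}
CUSTOM_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/acme/internal/Helper.class": b"\xca\xfe\xba\xbe" + b"\x01" * 16,
}

ORIGINAL_JAR = build_jar(PUBLISHED_ENTRIES)
REPACKAGED_JAR = repackage(ORIGINAL_JAR)
CUSTOM_JAR = build_jar(CUSTOM_ENTRIES)

# Constructed database keyed by the SHA-1 of the published artifact.
KNOWN_LIBRARIES = {sha1_hex(ORIGINAL_JAR): ("example-lib", "1.2.3")}


def main():
    for label, jar in (("original", ORIGINAL_JAR),
                       ("repackaged", REPACKAGED_JAR),
                       ("custom", CUSTOM_JAR)):
        print(label, identify(jar, KNOWN_LIBRARIES))
    print("same content after repackaging:",
          content_fingerprint(ORIGINAL_JAR) == content_fingerprint(REPACKAGED_JAR))


if __name__ == "__main__":
    main()
```

Run it and the original jar resolves to example-lib 1.2.3, while both the custom jar and the repackaged copy are reported as unknown, which is exactly why the page recommends preserving the SHA-1 through deployment: the lookup is on the file bytes, so any rewrite of the archive breaks the match even when the contained classes are identical.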

Features

To simplify the process and merge open-source analysis with custom code analysis, SCA is integrated as part of the Contrast platform. You need an Assess or AVM license to access the library data that the SCA technology provides.

  • Open-source license management: Contrast SCA provides license data tied to open-source libraries. This data helps you understand intellectual property compliance and mitigate operational risk.

  • Open-source policy: With SCA, you can set policies to denylist open-source licenses. If a denylisted license type is deployed in your applications, it triggers an alert. To keep your library usage safe, set compliance policies for your organization. To restrict use of specific open-source libraries and licenses, as well as set version requirements, you can set library policies.

  • Identification of CVE vulnerabilities: Contrast SCA identifies the CVE vulnerabilities for each library that your applications are using. This data includes a description of each CVE vulnerability for a selected library as well as the number of applications using that library.

    This feature is available without an SCA license.

  • Dependency tree: In the Explorer, the software composition analysis (SCA) of your application shows the dependencies between open-source libraries, including where vulnerabilities were introduced.

  • GitHub action: This integration analyzes a project's dependencies for vulnerabilities. The action runs the Contrast SCA Action to detect vulnerable libraries. See Contrast SCA Action for more information.

Contrast data

Once a library is reported to Contrast, use the Explorer, Issues view, and Observations view to determine:

  • Which applications are using vulnerable components

  • Library version identification and guidance on the latest version

  • Library dependencies

See also

Explorer

View issues

View observations

View observation details