About Software Composition Analysis
The software composition analysis (SCA) module scans the open-source libraries used within an application for known vulnerabilities, supply chain risks, and license risks.
DerScanner offers the following capabilities:
- Identification and security management of open-source components for projects written in: C/C++, C#, Dart, Erlang, Go, Java, JavaScript, Kotlin, Objective-C, PHP, Python, Ruby, Rust, Scala, Swift, TypeScript, VB.NET
- An interactive dependency tree visualization
- Continuous health assessment of open-source packages using 8 supply chain analysis metrics
- Identification of licensing risks associated with using open-source components in your projects
- Hybrid SAST + SCA analysis that tracks whether the application code actually calls the vulnerable library functions (reachability analysis)
DerScanner employs the following datasets to identify vulnerabilities in open-source components:
- NVD
- GitHub, GitLab
- OSV
- DerScanner’s proprietary datasets
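To make the two mechanisms above concrete, here is a small illustration of how an SCA check works: declared dependencies are matched against an advisory record shaped like the OSV schema (version ranges expressed as ordered "introduced"/"fixed" events), and a crude reachability pass over the application's own source decides whether the flagged function is called at all. This is an added teaching example, not DerScanner's code or its dataset format; the advisory id, package name (`widgetlib`), versions, the `vulnerable_symbols` field, and the requirements/source snippets are all constructed placeholders.

```python
"""Toy SCA matcher: declared dependencies vs. an OSV-shaped advisory,
plus a crude reachability check over application source.
Added example; not DerScanner code. All identifiers are constructed."""
import ast
from typing import Dict, List, Set

# Constructed advisory in the shape of an OSV record. The id, package and
# versions are placeholders; "vulnerable_symbols" is an invented field used
# only for the reachability demo, it is not part of the OSV schema.
ADVISORIES = [
    {
        "id": "EXAMPLE-0000-0001",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "widgetlib"},
            "ranges": [{"type": "SEMVER",
                        "events": [{"introduced": "1.2.0"}, {"fixed": "1.4.1"}]}],
        }],
        "summary": "placeholder: unsafe input handling in widgetlib.render()",
        "vulnerable_symbols": ["widgetlib.render"],
    }
]

# Constructed application inputs.
SAMPLE_REQUIREMENTS = "widgetlib==1.3.0\nothercore==2.0.0\n"
SAMPLE_SOURCE = "import widgetlib as w\n\ndef build(data):\n    return w.render(data)\n"


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def in_range(version: str, events: List[Dict[str, str]]) -> bool:
    """OSV events are ascending; the last event at or below `version` decides.
    'introduced' opens a vulnerable window, 'fixed' closes it. '0' means
    'every version from the beginning'."""
    v = parse_version(version)
    vulnerable = False
    for ev in events:
        if "introduced" in ev:
            bound = ev["introduced"]
            if bound == "0" or v >= parse_version(bound):
                vulnerable = True
        elif "fixed" in ev and v >= parse_version(ev["fixed"]):
            vulnerable = False
    return vulnerable


def parse_requirements(text: str) -> Dict[str, str]:
    """Minimal 'name==version' parser for pinned requirements lines."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if line and "==" in line:
            name, version = line.split("==", 1)
            deps[name.strip().lower()] = version.strip()
    return deps


def called_symbols(source: str) -> Set[str]:
    """Resolve imports and collect fully qualified names of called functions."""
    tree = ast.parse(source)
    aliases: Dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom):
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    calls: Set[str] = set()
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) \
                and f.value.id in aliases:
            calls.add(f"{aliases[f.value.id]}.{f.attr}")
        elif isinstance(f, ast.Name) and f.id in aliases:
            calls.add(aliases[f.id])
    return calls


def scan(requirements: str, source: str) -> List[Dict[str, object]]:
    """Match each pinned dependency against the advisories and annotate
    whether the vulnerable symbol is reachable from the application code."""
    deps = parse_requirements(requirements)
    calls = called_symbols(source)
    findings = []
    for adv in ADVISORIES:
        for affected in adv["affected"]:
            name = affected["package"]["name"].lower()
            if name not in deps:
                continue
            version = deps[name]
            if any(in_range(version, r["events"]) for r in affected["ranges"]):
                reachable = any(sym in calls for sym in adv["vulnerable_symbols"])
                findings.append({"package": name, "version": version,
                                 "advisory": adv["id"], "reachable": reachable})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_REQUIREMENTS, SAMPLE_SOURCE):
        print(f)
```

The reachability flag is what lets a hybrid SAST + SCA tool rank a finding: a vulnerable version that is pinned but whose affected function is never called is lower priority than one that sits on an executed path. A real analyzer follows calls through the application's own functions and handles dynamic dispatch; this example only resolves direct calls through import aliases.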