About Software Composition Analysis

The software composition analysis module is designed to scan for vulnerabilities, supply chain risks, and license risks in open-source libraries used within an application.

DerScanner offers the following capabilities:

  • Identification and security management of open-source components: Includes an interactive dependency tree visualization for projects written in: C/C++, C#, Dart, Erlang, Go, Java, JavaScript, Kotlin, Objective-C, PHP, Python, Ruby, Rust, Scala, Swift, TypeScript, VB.NET.
  • Continuous health scoring of open-source packages using 8 supply chain analysis metrics.
  • Identification of licensing risks associated with using open-source components in your projects.
  • Hybrid SAST + SCA analysis to track execution of library functions in the application code, so that a vulnerable dependency can be distinguished from a vulnerable function that the application actually calls.
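The three checks listed above (matching pinned dependency versions against advisories, confirming whether the affected library function is reachable from application code, and flagging licenses that need review) can be shown in miniature. The script below is an added illustration, not DerScanner's code and not its algorithm: the lockfile, application source, advisory records, advisory IDs, version ranges, affected symbols, license metadata and license policy are all constructed for the demo, and version comparison is simplified to dotted integers (a real tool would implement PEP 440 or semver). The advisory shape loosely follows OSV's introduced/fixed ranges.

```python
import ast
from dataclasses import dataclass

# --- Constructed sample inputs; none of this comes from a real project or feed. ---

REQUIREMENTS = """\
# constructed lockfile
requests==2.19.1
pyyaml==5.3.1
six==1.16.0
demo-gpl-lib==0.3.0
"""

APP_SOURCE = """\
import requests
import yaml

def fetch(url):
    return requests.get(url, timeout=5).text

def parse(doc):
    return yaml.safe_load(doc)
"""

# OSV-style records reduced to what the demo needs. IDs, version ranges and
# affected symbols are placeholders, not real advisories.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "requests", "introduced": "2.0.0",
     "fixed": "2.20.0", "symbols": ["requests.get", "requests.Session.get"]},
    {"id": "EXAMPLE-0002", "package": "pyyaml", "introduced": "0",
     "fixed": "5.4", "symbols": ["yaml.load"]},
]

# Constructed package metadata and a constructed policy of licenses needing review.
LICENSES = {"requests": "Apache-2.0", "pyyaml": "MIT", "six": "MIT",
            "demo-gpl-lib": "GPL-3.0-only"}
REVIEW_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


def parse_version(v):
    # Assumption: plain dotted integers, no pre-release or local tags.
    return tuple(int(p) for p in v.split("."))


def is_affected(version, introduced, fixed):
    # Half-open range [introduced, fixed), as OSV expresses it.
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def parse_requirements(text):
    """Map package name -> pinned version from 'name==version' lines."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        pins[name.strip().lower()] = version.strip()
    return pins


def _dotted_name(node):
    # Turn an Attribute/Name chain such as requests.get into 'requests.get'.
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def called_symbols(source):
    """Dotted names of every statically resolvable call target, aliases resolved.
    Calls on instances (e.g. a Session object's .get) are not resolved here."""
    tree = ast.parse(source)
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            dotted = _dotted_name(node.func)
            if dotted:
                head, _, rest = dotted.partition(".")
                head = aliases.get(head, head)
                names.add(head + ("." + rest if rest else ""))
    return names


@dataclass
class Finding:
    advisory: str
    package: str
    version: str
    reachable: bool   # True when an affected symbol is called by the app code
    called: list


def scan(requirements, app_source, advisories=ADVISORIES):
    pins = parse_requirements(requirements)
    calls = called_symbols(app_source)
    findings = []
    for adv in advisories:
        version = pins.get(adv["package"])
        if version is None or not is_affected(version, adv["introduced"], adv["fixed"]):
            continue
        hit = sorted(s for s in adv["symbols"] if s in calls)
        findings.append(Finding(adv["id"], adv["package"], version, bool(hit), hit))
    return findings


def license_risks(requirements, licenses=LICENSES, policy=REVIEW_LICENSES):
    pins = parse_requirements(requirements)
    return sorted((p, licenses[p]) for p in pins if licenses.get(p) in policy)


if __name__ == "__main__":
    for f in scan(REQUIREMENTS, APP_SOURCE):
        print(f"{f.advisory} {f.package}=={f.version} reachable={f.reachable} via {f.called}")
    print("license review:", license_risks(REQUIREMENTS))
```

On the constructed input both pinned packages fall inside an advisory range, but only the requests finding is reachable: the app calls `requests.get`, while it calls `yaml.safe_load` rather than the affected `yaml.load`. That distinction is what lets a hybrid SAST + SCA result be prioritised over a plain version match; the comment in `called_symbols` marks the main blind spot of this simple static approach, calls made through instances or dynamic dispatch.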

DerScanner employs the following datasets to identify vulnerabilities in open source:

  • NVD
  • GitHub, GitLab
  • OSV
  • DerScanner’s proprietary datasets