Starting a hybrid SAST + SCA scan
For projects written in JavaScript/TypeScript, Python, C#, or Java, you can provide the project's source code to run a hybrid SAST + SCA analysis. This analysis reduces the time spent triaging vulnerable dependencies: vulnerabilities whose code is never reached from the project can be excluded, which lowers the overall number you have to process.
The SAST + SCA process starts by searching for known vulnerabilities among the project components (SCA). The static analysis module (SAST) then identifies the specific vulnerable imports and function calls of those third-party components. The analysis produces a call graph of the imports and vulnerable functions of the dependencies used in the project, which shows the reachability of each vulnerability. By navigating through the graph elements, you can trace the call chain from transitive dependencies back to the main code and confirm or rule out the relevance of the vulnerability to the project.
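As an added illustration of the reachability idea described above (example code, not the product's own engine), the following builds a call graph from a constructed three-module Python project and checks whether a hypothetical vulnerable function in a transitive dependency is reachable from the main code:

```python
import ast
from collections import deque

# Constructed sample project: main code (app), a direct dependency (liba)
# and a transitive one (libb). "unsafe_load" is a hypothetical function
# standing in for one flagged by the SCA step.
SOURCES = {
    "app": "import liba\n\ndef main():\n    return liba.parse('x')\n",
    "liba": ("import libb\n\ndef parse(s):\n    return libb.unsafe_load(s)\n\n"
             "def unused():\n    return libb.safe_load('y')\n"),
    "libb": "def unsafe_load(s):\n    return s\n\ndef safe_load(s):\n    return s\n",
}

def build_call_graph(sources):
    """Map each qualified function (module.func) to the qualified functions it calls."""
    graph = {}
    for mod, src in sources.items():
        for node in ast.walk(ast.parse(src)):
            if not isinstance(node, ast.FunctionDef):
                continue
            caller = f"{mod}.{node.name}"
            graph.setdefault(caller, set())
            for call in ast.walk(node):
                if not isinstance(call, ast.Call):
                    continue
                f = call.func
                if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
                    graph[caller].add(f"{f.value.id}.{f.attr}")  # e.g. liba.parse(...)
                elif isinstance(f, ast.Name):
                    graph[caller].add(f"{mod}.{f.id}")  # bare name: same module
    return graph

def reachable_path(graph, entry, target):
    """BFS from entry; return the call chain to target, or None if unreachable."""
    parent = {entry: None}
    queue = deque([entry])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for callee in graph.get(cur, ()):
            if callee not in parent:
                parent[callee] = cur
                queue.append(callee)
    return None
```

A reachable chain such as app.main -> liba.parse -> libb.unsafe_load confirms the finding is relevant, while libb.safe_load, called only from an unused function, is not reachable from the entry point.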
Currently, the hybrid module (SAST + SCA) supports the following languages:
- JS/TS, Python: both direct and transitive vulnerable dependencies are analyzed.
- Java, C#: only direct vulnerable dependencies are analyzed.
To ensure the module works correctly, the following preparatory steps are required:
- JS/TS, Python: To determine the reachability of vulnerabilities in direct and transitive dependencies, you must provide the folder containing the third-party dependency code along with the project’s main code. By default, for Python, this is the venv folder, and for JS/TS, it is the node_modules folder. The default folder name can be changed in the settings at the start of the scan.
- Java: To determine the reachability of vulnerabilities in direct dependencies, the project's dependency folder containing the .jar files is also required. You can produce it with the Maven dependency:copy-dependencies plugin goal, which copies all project dependencies to the specified directory. By default, for Java, this is the .m2/repository/ folder. The default folder name can be changed in the settings at the start of the scan.
- C#: To determine the reachability of vulnerabilities in direct dependencies, only the project's main code needs to be uploaded for analysis.
To initiate a new hybrid SAST + SCA scan:
- On the Home page, navigate to the Software Composition Analysis tab.
- In the Source Code section, upload the project source code as a file or provide a link to the repository.
- In the SBOM File section, optionally upload the project's SBOM file.
- In the analysis section, enable the Hybrid analysis option.
- If needed, specify additional analysis settings.
- Click Start Scan.