Following are best practices for refining the code scan scope so that third-party component analysis yields more focused insights.
SCA code analysis assesses the vulnerability, license and obsolescence risks of an application or product across both the developed and the deployed software, making sure that third-party components (e.g. Open Source, COTS) are part of the assessment.
The scan steps are:
- Scan the source code
- Scan the deployed/build output
- Upload both scan results
- Submit the application results

Scan scope best practices:
- The Source Code Scan should include source code and dependency files (e.g. pom.xml, package.json, .vcsproj, etc.)
- The Source Code Scan should exclude test code, generated code, samples shipped with third-party libraries, deployment folders, and SCM folders and files (e.g. .git, .svn, gradlew, .vscode, etc.)
- For the Source Code Scan, the CAST Highlight files to upload are: {ScanName}.{Technology}_{timestamp}.csv and framework.validated.csv
- For the Deployed/Build Scan, it is recommended to scan the deployed artifacts themselves (e.g. the content of a WAR, an installed folder on Windows, JARs, DLLs, etc.)
- For the Deployed/Build Scan, the CAST Highlight files to upload are: BinaryLibraries.csv and {ScanName}.{Technology}_{timestamp}.ThirdParties.csv
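The following script is an added example, not part of the original page and not CAST Highlight tooling: it applies the scope rules above to a repository tree, keeping source files and dependency manifests for the source-code scan, routing binaries (JARs, WARs, DLLs) to the deployed/build scan, and dropping test, generated, sample, deployment and SCM folders along with `gradlew`. The sets of source-file extensions and the sample repository layout are assumptions constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Folder names the page says to exclude from the source-code scan.
# Matched case-insensitively against every directory component of a path.
EXCLUDED_DIRS = {"test", "tests", "generated", "samples", "deployment",
                 ".git", ".svn", ".vscode"}
# Individual files to exclude (page: SCM/tooling files such as gradlew).
EXCLUDED_FILES = {"gradlew"}

# Dependency manifests that must stay in the source scan (from the page).
DEPENDENCY_FILES = {"pom.xml", "package.json"}
DEPENDENCY_SUFFIXES = {".vcsproj"}
# Deployed/build artifacts that belong to the build scan, not the source scan.
BINARY_SUFFIXES = {".jar", ".war", ".dll"}
# Source extensions: an assumption for this example, not a CAST Highlight list.
SOURCE_SUFFIXES = {".java", ".js", ".ts", ".cs", ".py"}


def classify(relpath: str):
    """Return 'source', 'build' or None for a repository-relative path."""
    parts = Path(relpath).parts
    # Any excluded folder anywhere in the path removes the file from scope.
    if any(p.lower() in EXCLUDED_DIRS for p in parts[:-1]):
        return None
    name = parts[-1]
    if name in EXCLUDED_FILES:
        return None
    ext = Path(name).suffix.lower()
    if name in DEPENDENCY_FILES or ext in DEPENDENCY_SUFFIXES:
        return "source"
    if ext in BINARY_SUFFIXES:
        return "build"
    if ext in SOURCE_SUFFIXES:
        return "source"
    return None


def split_scan_scope(root: Path) -> dict:
    """Walk `root` and sort every file into the source scan or the build scan."""
    scope = {"source": [], "build": []}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded folders so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if d.lower() not in EXCLUDED_DIRS]
        for fname in filenames:
            rel = Path(dirpath, fname).relative_to(root).as_posix()
            kind = classify(rel)
            if kind is not None:
                scope[kind].append(rel)
    for kind in scope:
        scope[kind].sort()
    return scope


def make_sample_repo(root: Path) -> None:
    """Constructed sample layout mixing in-scope and out-of-scope files."""
    files = [
        "src/main/App.java",        # source
        "pom.xml",                  # dependency manifest -> source
        "package.json",             # dependency manifest -> source
        "src/test/AppTest.java",    # test code -> excluded
        "generated/Model.java",     # generated code -> excluded
        "lib/samples/Demo.java",    # third-party sample -> excluded
        ".git/config",              # SCM folder -> excluded
        "gradlew",                  # tooling file -> excluded
        "lib/commons.jar",          # binary -> build scan
        "target/app.war",           # binary -> build scan
    ]
    for rel in files:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("placeholder\n")


def demo_scope() -> dict:
    """Build the sample repository in a temp dir and return its split scope."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_repo(root)
        return split_scan_scope(root)


if __name__ == "__main__":
    result = demo_scope()
    print("source scan:", result["source"])
    print("build scan: ", result["build"])
```

Running the script on the constructed tree lists only `package.json`, `pom.xml` and `src/main/App.java` for the source scan and the JAR and WAR for the build scan; pointing `split_scan_scope` at a real checkout gives a quick way to review what a scan would include before uploading results.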