This post shows how each provider measures up and helps you select the correct Software Composition Analysis for your needs.
Fact: Software Composition Analysis (SCA) protects the software supply chain. In a report by Forrester[1] and Gartner[2], they explore how industry providers measure up, which will assist you in selecting the right one for your needs. It’s a valuable assessment of top suppliers in today’s market. Details below are an extract of this report with additional information which applies to our environment.
Developers face the test of rapidly making separated, modified, and convincing client encounters. Accordingly, they never again compose their code to handle each issue. They gather, design, and computerise their code and regularly depend on typical open source and business parts to rapidly add application usefulness. Open-source use has detonated, with the expected level of open-source in reviewed codebases [3]expanding from 36% in 2015[4] to 75% in 2020[5]. Tragically, as firms progressively depend on outside parts, they uncover themselves and their clients to more severe danger when they incorporate fundamental weaknesses or don’t adjust to organisational strategies. Moreover, late episodes like the SolarWinds break exhibit the risks of nasty libraries in programming and the requirement for more prominent straightforwardness in the product store network.
As a result of these trends, you should look for providers that:
[1] https://reprints2.forrester.com/#/assets/2/425/RES176091/report
[2] https://www.gartner.com/doc/reprints?id=1-26OO2IJ6&ct=210630&st=sb
[3] Forrester Software Composition Analysis report
[5] https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html
● Address changes in a broad scope of non-proprietary parts. It does not just concern conventional open-source code. The items might incorporate both open source and outsider or shut source libraries – in the scope of programming dialects and systems. We might approach the source code, or we might be depending on parallel relics. More than source code, dev groups influence compartments, Kubernetes, serverless capacities, and framework as-code (IaC) layouts to build their applications. Search for SCA devices that can filter every one of the non-proprietary parts in our application and give a brought-together perspective on dangers and remediations.
● Encourage designers on how to remediate weaknesses, permit chances, and old code. Auto remediation elements can further develop proficiency, yet designers have been delayed in acknowledging them in light of fears that a contradictory fix could break the form. SCA arrangements should simplify remediation and be safe; look for sellers that expand suggested fixes with an appraisal of the fix’s danger so designers know what to computerise and what to examine further. Moreover, think about past weaknesses and authorising fixes and ask your seller how they can assist you with staying up with the latest or be cautioned of ineffectively keeping up with parts that could become a burden.
● Investigate and reinforce the product store network. By distinguishing high-hazard parts, SCA has consistently assumed a role in ensuring the product store network; however, top SCA sellers have increased their game. Presently, banner reliance disarrays dangers or eliminates malignant parts from vaults. The recent US Cybersecurity Executive Order[1] will uphold more prominent straightforwardness by requiring those offering to the public authority to produce and share a product bill of materials (SBOM). A couple of SCA suppliers create SBOMs in SPDX or CycloneDx organisations, and others intend to follow accordingly.
This assessment features Leaders, Strong Performers, Contenders, and Challengers. It’s an appraisal of the top sellers on the lookout and doesn’t address the whole scene.
Vendors
We have included 10 vendors in this assessment: Checkmarx, FOSSA, GitLab, JFrog, Revenera, Snyk, Sonatype, Synopsys, Veracode, and WhiteSource
We will be looking at the three leading solutions, based on their results, being the market leaders and strong offerings, these include:
- Synopsys
- Sonatype
- WhiteSource
- Snyk
Synopsys[1]
Synopsys comes as the strongest of all the Software Composition Analysis tools, based on an evaluation of Black Duck, Synopsys software composition analysis (SCA) solution.
Among the 10 SCA providers evaluated, Synopsys received:
- The highest score in the Strategy category
- The second highest score in the Market Presence category
- Among the highest scores in the Vulnerability Identification criterion
- The highest possible score in the Revenue criterion
- The highest possible score in the Product Vision criterion
- The highest possible score in the Market Approach criterion
- The highest possible score in the Corporate Culture criterion
This was to be the strongest contender; however, the offering does not support an Air Gapped solution therefore to have two different SCA in the official and secret environment would not be practical, so this has been rejected on this basis.
Sonatype[2]
Sonatype’s Nexus platform was recognised as a leader with the highest score in the market presence category amongst all companies evaluated.
The report notes:
“Policy is an area of strength for Sonatype, with out-of-the-box policies that align to a range of standards (particularly in the IaC pack) and a policy engine that allows users to create and assign policies to certain types of applications.”
Core to whom Sonatype is giving organisations control of their code and the code that makes it into production applications. Across the Nexus platform, you can create custom security, licence, and architectural policies based on application type or organisation and contextually enforce those policies across every stage of the software development life cycle.
Their policy management is only as good as their data. Precision matters. They pride themselves on having the most expansive, most in-depth, and most actionable database of open-source components and vulnerabilities. They examine fingerprints–not just file names and package manifests–to precisely identify risk with Advanced Binary Fingerprints (ABF). It’s this precision that lets them promise low false positives and negatives.
The finding and details
Data from Gartner[3]
Data flow for updating a disconnected environment
Sonatype provides tooling to aid with obtaining and applying data updates in Disconnected Environments.
The flow of data is as follows.
| Customer will run a Sonatype provided tool on a customer provided server 2 that is connected to the Internet (i.e. outside the Disconnected Environment). This tool will download the requested update files from a secured AWS S3 Bucket 1 over HTTPS using credentials provided to the Customer by Sonatype. The Customer will transfer the downloaded data via a means of their choosing from their server 2 to a Customer Staging Server 3 inside the Disconnected Environment. The Customer will run tools provided by Sonatype on the Staging Server 3 to apply the downloaded updates to the offline databases 4. |
WhiteSource[4]
WhiteSource being around since 2002 with its open-source manual scanner makes it a long-time master at SCA.
Over the years, it has matured, the first open-source management solution in 2011, including continuous automated detection in 2014. Scanning for security vulnerability prioritisation in 2017 and now with auto-remediation of security vulnerabilities.
This being a strong contender in the selection process.
| WhiteSource Connected | WhiteSource Air Gapped | |
| Evaluation & Contracting | ||
| Integration and Deployment | 9 | |
| Complexity | 5 | Not Available |
| Data Volume (GB) | ||
| Frequency vulnerable data | real time | |
| Service and Support | 9 | Not Available |
| Product Capabilities | 8 | Not Available |
| Execution location | Not Available | |
| Information type outbound | ||
| Information type inbound | ||
| Communication inbound (Source) | ||
| Communication outbound (Destination) |
Data from Gartner[5]
This was the market leader; however, the offering does not support an Air Gapped solution therefore to have two different SCA in the official and secret environment would not be practical, so this has been rejected on this basis.
Synk[6]
Snyk tests for vulnerabilities in your own code, open source dependencies, container images and infrastructure as code configurations, and offers context, prioritisation, and remediation.
Fully support for Open Shift, giving it a good solution for our needs.
The offering from Synk does not support an Air Gapped solution therefore to have two different SCA in the official and secret environment would not be practical, so this has been rejected on this basis.
| Snyk Connected | Snyk Air Gapped | |
| Evaluation & Contracting | 8 | N/A |
| Integration and Deployment | 10 | N/A |
| Complexity | N/A | |
| Data Volume (GB) | N/A | |
| Frequency vulnerable data | real time | N/A |
| Service and Support | 6 | N/A |
| Product Capabilities | 8 | N/A |
| Execution location | Remote | N/A |
| Information type outbound | Only Open Source code only[7] | N/A |
| Information type inbound | Report findings | N/A |
| Communication inbound (Source) | unknown | N/A |
| Communication outbound (Destination) | unknown | N/A |
Decision
One of the big deciding factors of the SCA tooling is about working in an Air Gapped environment, and several of the leading options are not able to provide this solution.
The economics of having an air gapped solutions is unviable, also the manpower efforts and each environment would require its own licensing
Therefore, it is recommended to have one Internet connected solution and one Air Gapped solution that all applications pass through the SCA pipeline for qualification checking in whichever environment it will be hosted in.
With all solutions data is sent to the supplier, even though this is a fingerprint of the Open Source detailing which packages have been used for any given solution, it still represents which Open Source packages are being used and could be a point of vulnerability.
In order of valued importance and functionality the bases on this work the following has been decided:
- Sonatype
- Synopsys
- WhiteSource
- Synk
Decision Consequences We feel that the best product has been chosen based on our needs and requirements, along with the industry independent reviews.
[1] https://www.synopsys.com/software-integrity/resources/analyst-reports/forrester-wave-software-composition-analysis.html
[2] https://blog.sonatype.com/forrester-recognition-market-leader-in-software-composition-analysis
[3] https://www.gartner.com/reviews/market/software-composition-analysis-sca/vendor/sonatype/product/nexus-lifecycle
[4] https://www.whitesourcesoftware.com/resources/blog/software-composition-analysis/
[5] https://www.gartner.com/reviews/market/software-composition-analysis-sca/vendor/whitesource/product/whitesource
[6] https://snyk.io/
[7] https://docs.snyk.io/more-info/how-snyk-handles-your-data#common-data-types