Qualys Software Composition Analysis

Qualys Software Composition Analysis (SwCA) provides real‑time visibility into deeply embedded open‑source packages and commercial software components (e.g., Log4j, OpenSSL) discovered via the Qualys Cloud Agent on Windows and Linux assets. You can run SwCA on a schedule or on demand to collect software‑component data into the Qualys Enterprise TruRisk™ Platform. SwCA currently detects components for ecosystems such as Ruby, Node.js, Go, Rust, PHP, Python, and Java (SE), and it’s activated at the Cloud Agent host once Vulnerability Management is enabled.

The SwCA binaries facilitate software component scanning. When SwCA is activated for Cloud Agent, it downloads the latest available binary and uses it to scan open-source packages and commercial software components. To learn more about managing SwCA binaries, refer to Managing SwCA Binary.

Key Features

Qualys SwCA offers the following key features to protect your assets:

  • Deep component discovery on endpoints: Identifies deeply embedded open‑source and commercial components (e.g., Log4j, OpenSSL) present on agent hosts, giving you granular software composition data.
  • Agent‑based, real‑time visibility: Uses the Qualys Cloud Agent to continuously bring software‑component telemetry into the Qualys platform, enabling up‑to‑date risk insight.
  • Flexible scanning (scheduled or on‑demand): You can schedule SwCA scans or launch them on demand to refresh component inventories as needed.
  • Coverage for major ecosystems: Supports detection for Ruby, Node.js, Go, Rust, PHP, Python, and Java (SE) technologies, helping you find libraries across common stacks.
  • Windows & Linux support: SwCA is supported for Windows and Linux platforms and requires the Vulnerability Management (VM) application to be activated for the agent before enabling SwCA.
  • Asset‑centric results in UI: In the VM user interface, view findings per host under Asset Details > Security > Software Composition, where detailed SwCA information is surfaced.

Benefits

Qualys SwCA provides the following benefits to ensure continuous security:

  • Faster exposure identification: Quickly spot risky components (like Log4j or OpenSSL) across your Windows and Linux fleet with agent‑driven, near‑real‑time visibility, reducing time to detect and prioritize.
  • Operational flexibility: Scheduled or on‑demand scans let you align data refresh with maintenance windows or urgent investigations.
  • Broader developer stack coverage: Support for multiple ecosystems (Ruby, Node.js, Go, Rust, PHP, Python, Java) helps security and ops teams capture component risk across diverse applications running on endpoints.
  • Streamlined triage in one place: Findings roll into the Qualys Enterprise TruRisk™ Platform and the asset details UI, simplifying where teams review, prioritize, and act.

Cloud Agent Support

For the Cloud Agent versions that support SwCA, refer to the Feature by Agent Version section in the Cloud Agent Platform Availability Matrix.

Additional Resources

Check the following resources to learn more about SwCA: