Introduction

While evaluating the security posture of an asset, it is important to identify all software packages present on the asset.

Qualys supports Software Composition Analysis (SwCA) scanning of assets. An SwCA scan discovers installed open-source software, libraries, and associated vulnerabilities on your asset. The SwCA scan identifies programming language-based software packages on the asset. For the list of supported languages, see the Supported Languages section.

With SwCA, you can detect, manage, and proactively address the potential risk of software supply chain vulnerabilities in the production environment.

You can schedule an SwCA scan or launch an on-demand scan. In the SwCA scan profile, you can define the scan scope, scan interval, and scan timeout.

The SwCA scan results are displayed in CyberSecurity Asset Management (CSAM). For details, see SwCA Scan Data in CyberSecurity Asset Management.

You can download the Software Bill of Materials (SBOM) from the Cloud Agent user interface and view the Software to Component Mapping in the CSAM user interface.

SwCA is supported only on Windows and Linux platforms and can be activated only when Vulnerability Management is activated for the agent.

This feature is available only when the Windows and Linux agent binaries with SwCA scan support are available. For supported agent versions, refer to the Features by Agent Version section in the Cloud Agent Platform Availability Matrix.