SCA (Software Composition Analysis)
Qualys supports Software Composition Analysis (SCA) of container images. An SCA discovers installed open-source software and libraries, as well as associated vulnerabilities, present in your container images.
While evaluating the security posture of container images, it is important to identify all software packages present in the image. The SCA scan identifies programming language-based software packages inside the image, and metadata for each image layer is also provided. The SCA scan detects packages for these programming languages: Java, Python, Go, Node.js, .NET, PHP, Ruby, and Rust.
SCA is available for all sensor types (General, Registry, and CI/CD), and is supported for Docker, containerd, and CRI-O runtimes. Also, SCA scanning is only supported when scanning container images. SCA scanning is not supported for Mac OS.
Prerequisites
- Update your sensors to sensor version 1.24 or later.
- Relaunch your sensors with the parameter --perform-sca-scan to perform SCA scanning.
How it Works
SCA is not performed by default. You must enable SCA using the parameter --perform-sca-scan when deploying your sensors. When enabled, an SCA is performed after a standard vulnerability scan (Static or Dynamic) on your container images.
When the SCA scan is completed, the sensor uploads the metadata information collected by the scan to the Qualys backend where posture evaluation is performed. You can view SCA data findings in the Container Security UI and API as part of image details.
Vulnerabilities found by the SCA scan are presented as QIDs. Filters are provided so you can identify the type of scan (SCA, Dynamic or Static) used to detect a particular vulnerability.
During an SCA scan, the following files are scanned for the language-specific software packages:
| Language | Files |
|---|---|
| Python | egg package, wheel package |
| Node.js | package.json |
| .NET | packages.lock.json, packages.config, *.deps.json |
| Java | JAR/WAR/PAR/EAR |
| Go | Binaries built by Go |
| PHP | Composer.lock |
| Ruby | gemspec |
| Rust | Cargo.lock and binaries built with cargo-auditable |
Search for SCA Scanned Images
To search images, go to Assets > Images. Use the scanType: token to find images based on the type of scan (Dynamic, Static, or SCA) that was performed to scan the image.
View Image Details
Go to Assets > Images and select View Details for any image listed.
The Summary tab
The Summary tab shows general information about the image. The Scan Types field shows the types of scans run on the image, including SCA.
The Installed Software tab
The Installed Software tab lists software detected by scans. Use the Packages filter to easily switch the list view. Choose All to see all software packages, choose OS to see only Operating System based packages, or choose Non-OS to see SCA related packages.
You can search installed software detected by SCA scans using the search query scanType: SCA.
The Vulnerabilities tab
The Vulnerabilities tab shows vulnerabilities detected by all scans, including SCA scans. The SCAN TYPE column identifies the type of scan used for each detection.
You can search vulnerabilities detected by SCA scans using scanType: SCA.
Note about Vulnerability Counts
You may notice a difference between the number of vulnerabilities reported for an image that has been scanned by SCA and the number of vulnerabilities reported for the containers launched from that image. This is because the SCA scan is only run on the image, not on containers, and SCA detects package-based vulnerabilities. In other words, the image scan reports all vulnerabilities, including OS-based vulnerabilities and non-OS (SCA package-related) vulnerabilities, whereas the container scan reports only the OS-based vulnerabilities.
For example, you scan an image using a sensor launched with the --perform-sca-scan flag enabled and get 25 vulnerabilities reported. You launch a container from this image and it reports 22 vulnerabilities. The three missing vulnerabilities are package-based detections found only by the SCA scan of the image.