SCA (Software Composition Analysis)

Qualys supports Software Composition Analysis (SCA) of container images. SCA discovers the open-source software and libraries installed in your container images, together with the vulnerabilities associated with them.

When evaluating the security posture of a container image, it is important to identify every software package present in the image. The SCA scan identifies programming-language packages (as opposed to OS packages) inside the image, and also provides metadata for each image layer. The SCA scan detects packages for these programming languages: Java, Python, Go, Node.js, .NET, PHP, Ruby, and Rust.

SCA is available for all sensor types (General, Registry, and CI/CD) and is supported for the Docker, containerd, and CRI-O runtimes. SCA scanning applies only to container images, not to running containers, and is not supported on Mac OS.

Prerequisites

  • Update your sensors to sensor version 1.24 or later.
  • Relaunch your sensors with the parameter --perform-sca-scan to perform SCA scanning.

How it Works

SCA is not performed by default. You must enable SCA using the parameter --perform-sca-scan when deploying your sensors. When enabled, an SCA is performed after a standard vulnerability scan (Static or Dynamic) on your container images.

When the SCA scan completes, the sensor uploads the metadata collected by the scan to the Qualys backend, where posture evaluation is performed. You can view the SCA findings in the Container Security UI and API as part of the image details.

Vulnerabilities found by SCA are presented as QIDs. Filters are provided so you can identify the type of scan (SCA, Dynamic, or Static) that detected a particular vulnerability.

During an SCA scan, the following files are scanned for the language-specific software packages:

Language: files scanned

  • Python: egg packages, wheel packages
  • Node.js: package.json
  • .NET: packages.lock.json, packages.config, *.deps.json
  • Java: JAR/WAR/PAR/EAR archives
  • Go: binaries built by Go
  • PHP: composer.lock
  • Ruby: gemspec files
  • Rust: Cargo.lock and binaries built with cargo-auditable
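The file table above tells you what the sensor keys on, so you can predict what an SCA scan will inventory before it runs. The script below is an added example and not Qualys sensor code: pointed at an extracted image filesystem (for instance the layers of `docker save` untarred into one directory), it lists the manifests and archives from the table grouped by language and parses name/version where the format is simple (package.json, Cargo.lock, wheel metadata). It assumes that egg installs leave *.egg or *.egg-info entries, that wheel installs leave *.dist-info directories, and that Go binaries carry the Go buildinfo magic header; cargo-auditable binaries are not detected because that requires parsing an ELF section. The sample rootfs it builds is constructed, with made-up package names and versions.

```python
"""Preview which files an SCA scan will pick up in an extracted image rootfs.
Added example, not Qualys code. See the lead-in for the assumptions made."""
import json
import os
import re
import tempfile
from collections import defaultdict

# File-name rules per language, from the SCA file table (matched case-insensitively).
RULES = {
    "Python": [r".*\.egg$", r".*\.egg-info$", r".*\.dist-info$"],   # assumption: egg/wheel install artifacts
    "Node.js": [r"^package\.json$"],
    ".NET": [r"^packages\.lock\.json$", r"^packages\.config$", r".*\.deps\.json$"],
    "Java": [r".*\.(jar|war|par|ear)$"],
    "PHP": [r"^composer\.lock$"],
    "Ruby": [r".*\.gemspec$"],
    "Rust": [r"^cargo\.lock$"],
}
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"  # header the Go linker embeds in every Go binary


def classify(name):
    """Language owning this file/directory name according to RULES, else None."""
    low = name.lower()
    for lang, patterns in RULES.items():
        if any(re.match(p, low) for p in patterns):
            return lang
    return None


def looks_like_go_binary(path):
    """Heuristic Go-binary check: look for the buildinfo magic in the first 8 MiB."""
    try:
        with open(path, "rb") as fh:
            return GO_BUILDINFO_MAGIC in fh.read(8 * 1024 * 1024)
    except OSError:
        return False


def package_name_version(path):
    """Best-effort (name, version) pairs for package.json, Cargo.lock and *.dist-info."""
    base = os.path.basename(path).lower()
    try:
        if base == "package.json":
            with open(path, encoding="utf-8") as fh:
                data = json.load(fh)
            return [(data.get("name", "?"), data.get("version", "?"))]
        if base == "cargo.lock":
            with open(path, encoding="utf-8") as fh:
                text = fh.read()
            return re.findall(r'\[\[package\]\]\s*name\s*=\s*"([^"]+)"\s*version\s*=\s*"([^"]+)"', text)
        if base.endswith(".dist-info") and os.path.isdir(path):
            with open(os.path.join(path, "METADATA"), encoding="utf-8") as fh:
                meta = fh.read()
            name = re.search(r"^Name:\s*(.+)$", meta, re.M)
            version = re.search(r"^Version:\s*(.+)$", meta, re.M)
            return [(name.group(1).strip() if name else "?",
                     version.group(1).strip() if version else "?")]
    except (OSError, ValueError):
        pass
    return []


def inventory(rootfs):
    """Walk rootfs; return {language: [(relative path, [(name, version), ...]), ...]}."""
    found = defaultdict(list)
    for dirpath, dirnames, filenames in os.walk(rootfs):
        for entry in list(dirnames) + filenames:
            full = os.path.join(dirpath, entry)
            lang = classify(entry)
            # Extension-less regular files are candidates for the Go-binary heuristic.
            if lang is None and entry in filenames and "." not in entry and looks_like_go_binary(full):
                lang = "Go"
            if lang:
                found[lang].append((os.path.relpath(full, rootfs), package_name_version(full)))
        # A matched *.dist-info / *.egg-info directory is one package: do not descend into it.
        dirnames[:] = [d for d in dirnames if classify(d) is None]
    return dict(found)


def build_sample_rootfs():
    """Constructed sample image filesystem; package names and versions are made up."""
    root = tempfile.mkdtemp(prefix="sca-rootfs-")
    files = {
        "app/package.json": json.dumps({"name": "web-frontend", "version": "2.1.0"}),
        "usr/lib/python3/dist-packages/requests-2.31.0.dist-info/METADATA":
            "Metadata-Version: 2.1\nName: requests\nVersion: 2.31.0\n",
        "opt/svc/Cargo.lock": '[[package]]\nname = "serde"\nversion = "1.0.197"\n\n'
                              '[[package]]\nname = "tokio"\nversion = "1.36.0"\n',
        "opt/dotnet/MyApp.deps.json": "{}",
        "var/www/composer.lock": "{}",
        "var/lib/gems/rack.gemspec": "",
        "opt/lib/app.jar": "",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    # Fake Go binary: ELF header bytes followed by the buildinfo magic.
    os.makedirs(os.path.join(root, "usr/local/bin"), exist_ok=True)
    with open(os.path.join(root, "usr/local/bin/svc"), "wb") as fh:
        fh.write(b"\x7fELF" + b"\0" * 60 + GO_BUILDINFO_MAGIC + b"\0" * 16)
    return root


if __name__ == "__main__":
    for lang, hits in sorted(inventory(build_sample_rootfs()).items()):
        for rel, pkgs in hits:
            print(f"{lang:8} {rel}  {pkgs}")
```

Run it against a real extracted rootfs by calling `inventory("/path/to/rootfs")`; anything the script finds that the Installed Software tab does not list is worth a closer look at the sensor version and the --perform-sca-scan flag.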

Search for SCA Scanned Images

To search images, go to Assets > Images. Use the scanType: token to find images based on the type of scan (Dynamic, Static, or SCA) that was performed to scan the image.

Search Images by Scan Type

View Image Details

Go to Assets > Images and select View Details for any image listed.

The Summary tab

The Summary tab shows general information about the image. Its Scan Types field lists the types of scans run on the image, including SCA.

Summary tab

The Installed Software tab

The Installed Software tab lists the software detected by scans. Use the Packages filter to switch the list view: choose All to see every software package, OS to see only operating-system packages, or Non-OS to see the packages found by SCA.

Installed Software tab

You can search installed software detected by SCA scans using the search query scanType: SCA.

The Vulnerabilities tab

The Vulnerabilities tab shows vulnerabilities detected by all scans, including SCA scans. The SCAN TYPE column identifies the type of scan used for each detection.

Vulnerabilities

You can search vulnerabilities detected by SCA scans using scanType: SCA.

Note about Vulnerability Counts

You may notice a difference between the number of vulnerabilities reported for an image that was scanned with SCA and the number reported for containers launched from that image. The SCA scan runs only on the image, not on containers, and it is the scan that detects package-based vulnerabilities. In other words, the image scan reports all vulnerabilities, both OS-based vulnerabilities and the non-OS (SCA package) vulnerabilities, whereas the container scan reports only the OS-based vulnerabilities.

For example, you scan an image using a sensor launched with the --perform-sca-scan flag and 25 vulnerabilities are reported. You launch a container from this image and 22 vulnerabilities are reported. The three vulnerabilities not reported for the container are package-based detections, which only the SCA scan of the image can find.
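Because the gap is expected only for SCA detections, it is worth checking that it is fully accounted for rather than taking the counts on trust. The function below is an added example, not Qualys code: given the image findings (each with the QID and the scan type shown in the SCAN TYPE column) and the container findings, it splits the image-minus-container difference into the part explained by SCA and any remainder, and also reports QIDs seen only on the container. It goes slightly beyond the 25-versus-22 example above by flagging those leftover cases, which the note does not cover. The sample findings and QID numbers are constructed placeholders.

```python
"""Reconcile image vs container vulnerability counts by scan type.
Added example, not Qualys code; QIDs below are constructed placeholders."""


def reconcile(image_findings, container_findings):
    """Split the image/container QID gap into the part explained by SCA and the rest.

    image_findings: dicts with 'qid' and 'scanType' ('SCA', 'Static' or 'Dynamic').
    container_findings: dicts with at least 'qid'.
    """
    image_qids = {f["qid"] for f in image_findings}
    container_qids = {f["qid"] for f in container_findings}
    sca_qids = {f["qid"] for f in image_findings if f["scanType"] == "SCA"}
    only_in_image = image_qids - container_qids
    return {
        "image_count": len(image_qids),
        "container_count": len(container_qids),
        # expected: SCA runs on the image only, so these are absent from the container
        "explained_by_sca": sorted(only_in_image & sca_qids),
        # OS-based QIDs missing from the container: not explained by SCA, investigate
        "unexplained": sorted(only_in_image - sca_qids),
        # QIDs the container reports but the image scan did not
        "container_only": sorted(container_qids - image_qids),
    }


def sample_findings():
    """Constructed sample mirroring the 25-vs-22 example: 22 OS QIDs plus 3 SCA QIDs."""
    os_qids = list(range(900001, 900023))        # 22 placeholder OS QIDs
    sca_qids = [910001, 910002, 910003]          # 3 placeholder SCA QIDs
    image = ([{"qid": q, "scanType": "Static"} for q in os_qids]
             + [{"qid": q, "scanType": "SCA"} for q in sca_qids])
    container = [{"qid": q} for q in os_qids]
    return image, container


if __name__ == "__main__":
    image, container = sample_findings()
    for key, value in reconcile(image, container).items():
        print(f"{key}: {value}")
```

If "unexplained" or "container_only" is non-empty, the difference is not the SCA effect described above and should be examined as a separate finding.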