Software Composition Analysis (SCA)
Summary
Arnica can identify risks in internal and third-party packages. Where possible, Arnica provides its recommendation on the directly embedded packages, so that the mitigation effort stays as small as possible.
Supported languages
| Language | Files |
|---|---|
| .NET | packages.lock.json, packages.config, .deps.json |
| C, C++ | conan.lock |
| Elixir | mix.lock |
| Go | go.mod |
| Java | pom.xml, gradle.lockfile, build.gradle, build.gradle.kts, libs.versions.toml |
| JavaScript (including JSX, TSX, TypeScript) | package-lock.json, yarn.lock, pnpm-lock.yaml, npm-shrinkwrap.json |
| PHP | composer.lock |
| Python | Pipfile.lock, poetry.lock, requirements.txt |
| Ruby | Gemfile.lock |
| Rust | Cargo.lock |
| Scala | Coming soon: build.sbt |
| Swift | Podfile.lock |
Risk mitigation recommendation
Trenched mitigation
Arnica enables a trenched mitigation approach for developers, so that a subset of the risks can be mitigated with low operational risk. For example, Arnica can recommend a minor version change (according to semantic versioning) that fixes a certain percentage of the vulnerabilities, and a separate major version change that fixes a higher percentage of them.
Calculated effective mitigation
A fix of a known vulnerability can potentially introduce another vulnerability. Arnica calculates the most effective recommendation based on a weighted count of vulnerabilities remediated vs. introduced. For example, if the existing package version is 1.2.3, all vulnerabilities are resolved in version 1.4.6, but 1.4.6 introduces new vulnerabilities, Arnica will try to find the next optimal mitigation version that introduces the lowest risk, if any.
In some cases, even the latest package version might have vulnerabilities. Arnica will show that a new vulnerability is introduced in this version, so that you can make a more educated decision about the mitigation path.
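The two recommendation rules above (a separate recommendation per semver tier, and a weighted remediated-vs-introduced score that skips an upgrade which fixes everything but brings in a regression) can be illustrated with a small ranking routine. This is an added example, not Arnica's code; every version number, vulnerability id, severity weight and fixed/introduced range in it is constructed sample data, and the choice of "lowest residual weighted risk, smallest jump on ties" is an assumption about how such a ranking can be done.

```python
"""Added example (not Arnica's code): rank upgrade candidates for one
vulnerable dependency by weighted vulnerabilities remediated vs. introduced,
reporting the best candidate per semver tier (patch / minor / major).

All versions, vulnerability ids, weights and ranges are constructed."""
from dataclasses import dataclass
from typing import Optional

Version = tuple[int, int, int]


def parse(v: str) -> Version:
    major, minor, patch = (int(p) for p in v.split("."))
    return (major, minor, patch)


@dataclass(frozen=True)
class Vuln:
    id: str
    weight: int            # constructed severity weight (critical=10 ... low=1)
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version; None = not fixed in any version

    def affects(self, v: Version) -> bool:
        if v < parse(self.introduced):
            return False
        return self.fixed is None or v < parse(self.fixed)


def tier(current: Version, candidate: Version) -> str:
    """Semver distance of an upgrade: 'patch', 'minor' or 'major'."""
    if candidate[0] != current[0]:
        return "major"
    if candidate[1] != current[1]:
        return "minor"
    return "patch"


def assess(current: str, candidate: str, vulns: list[Vuln]) -> dict:
    """What moving current -> candidate remediates, introduces and leaves open."""
    cur, cand = parse(current), parse(candidate)
    remediated = [x.id for x in vulns if x.affects(cur) and not x.affects(cand)]
    introduced = [x.id for x in vulns if not x.affects(cur) and x.affects(cand)]
    residual = sum(x.weight for x in vulns if x.affects(cand))
    open_now = [x for x in vulns if x.affects(cur)]
    pct = 100 * len(remediated) // len(open_now) if open_now else 100
    return {
        "version": candidate,
        "tier": tier(cur, cand),
        "remediated": remediated,
        "introduced": introduced,
        "residual_risk": residual,   # weighted risk still present after the upgrade
        "remediated_pct": pct,
    }


def recommend(current: str, candidates: list[str], vulns: list[Vuln]) -> dict[str, dict]:
    """Best upgrade per tier: lowest residual weighted risk; smallest jump on ties."""
    cur = parse(current)
    best: dict[str, dict] = {}
    for c in sorted(candidates, key=parse):
        if parse(c) <= cur:
            continue                  # downgrades and no-ops are never recommended
        a = assess(current, c, vulns)
        t = a["tier"]
        if t not in best or a["residual_risk"] < best[t]["residual_risk"]:
            best[t] = a
    return best


# Constructed sample: package at 1.2.3; 1.4.6 fixes everything open today but
# carries a regression (VULN-D); the 2.x line still has an unfixed issue (VULN-E).
CURRENT = "1.2.3"
CANDIDATES = ["1.2.9", "1.3.0", "1.4.6", "1.4.7", "2.0.0", "2.1.0"]
VULNS = [
    Vuln("VULN-A", 10, "1.0.0", "1.3.0"),
    Vuln("VULN-B", 5, "1.0.0", "1.4.6"),
    Vuln("VULN-C", 5, "1.1.0", "1.2.9"),
    Vuln("VULN-D", 7, "1.4.6", "1.4.7"),   # regression: only 1.4.6 is affected
    Vuln("VULN-E", 3, "2.0.0", None),      # still open in the latest 2.x release
]

if __name__ == "__main__":
    for t, a in recommend(CURRENT, CANDIDATES, VULNS).items():
        print(f"{t:5} -> {a['version']}: fixes {a['remediated_pct']}% "
              f"{a['remediated']}, introduces {a['introduced']}, "
              f"residual risk {a['residual_risk']}")
```

With the constructed data the minor tier skips 1.4.6 (it remediates VULN-A, VULN-B and VULN-C but introduces VULN-D) in favour of 1.4.7, and the major tier recommends 2.0.0 while flagging that VULN-E is introduced by it, which is the "even the latest version has a vulnerability" situation described above.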
Automated risk reduction
Development dependencies
Development dependencies are not meant to be executed at runtime. Therefore, when Arnica identifies a development dependency, it automatically changes the finding's status to dismissed and reduces the risk severity to info.
Package depth
Packages located too deep in the dependency tree may not pose the same risk as a directly embedded package. Therefore, Arnica observes the depth of the package in the context of the code and automatically reduces the risk where applicable.
Exploit Prediction Scoring System (EPSS) score and trend
Arnica correlates each vulnerability with the EPSS database to identify the probability of exploitation in the wild in the next 30 days. Based on this feed, Arnica determines whether certain vulnerability risks can be reduced further.
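The three automatic reductions described in this section (development dependencies, package depth, EPSS score) can be applied to findings against an npm lockfile as follows. This is an added example and not Arnica's code: the package-lock.json, the findings, the EPSS scores, the depth threshold of 3 and the EPSS threshold of 0.01 are all constructed data and assumptions for the example; only the lockfile layout (lockfileVersion 3's flat "packages" map keyed by install path, with "dev": true on dev-only installs) is real npm behaviour.

```python
"""Added example (not Arnica's code): apply dev-dependency, depth and EPSS
reductions to SCA findings against a constructed npm package-lock.json."""
from collections import deque
import json

# Constructed lockfile (lockfileVersion 3 layout). deep-util is installed twice:
# 1.0.0 hoisted to the top level (reached only through a deep chain) and 2.0.0
# nested under the dev-only test-runner.
LOCKFILE_JSON = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-framework": "^4.0.0"},
             "devDependencies": {"test-runner": "^9.0.0"}},
        "node_modules/web-framework": {"version": "4.2.0",
                                       "dependencies": {"body-parser": "^1.0.0"}},
        "node_modules/body-parser": {"version": "1.0.0",
                                     "dependencies": {"qs-lib": "^6.0.0"}},
        "node_modules/qs-lib": {"version": "6.0.0",
                                "dependencies": {"deep-util": "^1.0.0"}},
        "node_modules/deep-util": {"version": "1.0.0"},
        "node_modules/test-runner": {"version": "9.0.0", "dev": True,
                                     "dependencies": {"deep-util": "^2.0.0"}},
        "node_modules/test-runner/node_modules/deep-util": {"version": "2.0.0", "dev": True},
    },
})

SEVERITIES = ["info", "low", "medium", "high", "critical"]
DEPTH_THRESHOLD = 3     # assumption: deeper than this counts as "too deep"
EPSS_THRESHOLD = 0.01   # assumption: below 1% 30-day exploit probability


def load_lock(text: str = LOCKFILE_JSON) -> dict:
    return json.loads(text)


def resolve(packages: dict, from_path: str, name: str):
    """Node-style lookup: nearest node_modules/<name> walking up from from_path."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def dependency_depths(lock: dict) -> dict:
    """Shortest dependency-tree distance from the root for every installed path."""
    packages = lock["packages"]
    depths, queue = {"": 0}, deque([""])
    while queue:
        path = queue.popleft()
        deps = dict(packages[path].get("dependencies", {}))
        if path == "":
            deps.update(packages[path].get("devDependencies", {}))
        for name in deps:
            target = resolve(packages, path, name)
            if target is not None and target not in depths:
                depths[target] = depths[path] + 1
                queue.append(target)
    return depths


def lower(severity: str, steps: int = 1) -> str:
    return SEVERITIES[max(0, SEVERITIES.index(severity) - steps)]


def triage(finding: dict, lock: dict, depths: dict, epss: dict) -> dict:
    """Apply the automatic reductions to one finding; returns status + severity."""
    if lock["packages"][finding["path"]].get("dev"):
        return {"status": "dismissed", "severity": "info",
                "reasons": ["development dependency"]}
    severity, reasons = finding["severity"], []
    depth = depths.get(finding["path"])
    if depth is not None and depth > DEPTH_THRESHOLD:
        severity, reasons = lower(severity), reasons + [f"depth {depth}"]
    score = epss.get(finding["id"])
    if score is not None and score < EPSS_THRESHOLD:
        severity, reasons = lower(severity), reasons + [f"EPSS {score}"]
    return {"status": "open", "severity": severity, "reasons": reasons}


def triage_all(findings: list, lockfile_json: str, epss: dict) -> dict:
    lock = load_lock(lockfile_json)
    depths = dependency_depths(lock)
    return {f["id"]: triage(f, lock, depths, epss) for f in findings}


# Constructed findings and EPSS scores (not real advisories or real EPSS data).
FINDINGS = [
    {"id": "F-1", "path": "node_modules/deep-util", "severity": "critical"},
    {"id": "F-2", "path": "node_modules/test-runner/node_modules/deep-util", "severity": "critical"},
    {"id": "F-3", "path": "node_modules/web-framework", "severity": "high"},
    {"id": "F-4", "path": "node_modules/body-parser", "severity": "medium"},
]
EPSS = {"F-1": 0.40, "F-2": 0.40, "F-3": 0.002, "F-4": 0.05}

if __name__ == "__main__":
    for fid, result in triage_all(FINDINGS, LOCKFILE_JSON, EPSS).items():
        print(fid, result)
```

F-1 (deep-util 1.0.0, four levels deep) drops from critical to high on depth alone; F-2 (the copy under the dev-only test runner) is dismissed with severity info regardless of its score; F-3 keeps its depth but is lowered one step because its EPSS score is under the threshold; F-4 is untouched.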
Internal packages support
If your development organization leverages shared packages developed in house, and those packages are defined in the source code repositories, Arnica identifies these internal packages and recommends the fix in the shared packages themselves.