🧩 Software Composition Analysis (SCA)

Summary

Arnica identifies risks in internal and third-party packages. Where possible, Arnica makes its recommendation on the directly embedded (top-level) packages, so that the mitigation effort is kept to a minimum.

Supported languages

Language                                      Files
.Net                                          packages.lock.json, packages.config, .deps.json
C, C++                                        conan.lock
L                                             mix.lock
Go                                            go.mod
Java                                          pom.xml, gradle.lockfile, build.gradle, build.gradle.kts, libs.versions.toml
JavaScript (including JSX, TSX, TypeScript)   package-lock.json, yarn.lock, pnpm-lock.yaml, npm-shrinkwrap.json
PHP                                           composer.lock
Python                                        Pipfile.lock, poetry.lock, requirements.txt
Ruby                                          Gemfile.lock
Rust                                          Cargo.lock
Scala                                         Coming soon: build.sbt
Swift                                         Podfile.lock

Risk mitigation recommendation

Trenched mitigation

Arnica enables a trenched mitigation approach for developers, so that a subset of the risks can be mitigated with low operational risk. For example, Arnica can recommend a minor version change (in semantic-versioning terms) that fixes a certain percentage of the vulnerabilities, and a separate major version change that fixes a higher percentage.

Calculated effective mitigation

A fix for a known vulnerability can itself introduce another vulnerability. Arnica calculates the most effective recommendation from a weighted count of vulnerabilities remediated versus vulnerabilities introduced. For example, if the current package version is 1.2.3, all of its vulnerabilities are resolved in version 1.4.6, but 1.4.6 introduces new vulnerabilities, Arnica tries to find the next optimal mitigation version that introduces the lowest risk, if one exists.

In some cases, even the latest package version has vulnerabilities. Arnica then shows that a new vulnerability is introduced in that version, so that you can make a more informed decision about the mitigation path.
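The two recommendation strategies above (one candidate per semver tier, and the single candidate with the best weighted remediated-versus-introduced balance) can be illustrated with a small selection routine. The following is an added example and is not Arnica's code: the severity weights, the tie-breaking order, the vulnerability ids (VULN-A and so on) and the version catalogue are all constructed for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed severity weights (illustrative; not Arnica's scoring).
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}
BUMP_ORDER = {"patch": 0, "minor": 1, "major": 2}


def parse_version(version: str) -> tuple[int, ...]:
    """'1.4.6' -> (1, 4, 6); plain semantic versions only, no pre-release tags."""
    return tuple(int(part) for part in version.split("."))


def bump_kind(current: str, candidate: str) -> str | None:
    """Semver bump size needed to move from current to candidate; None if not an upgrade."""
    cur, new = parse_version(current), parse_version(candidate)
    if new <= cur:
        return None
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch"


def weighted(vulns: dict[str, str]) -> int:
    return sum(SEVERITY_WEIGHT[sev] for sev in vulns.values())


@dataclass
class Recommendation:
    version: str
    bump: str
    remediated: set[str]
    introduced: set[str]
    net_risk_delta: int   # weighted introduced minus weighted remediated; lower is better
    pct_fixed: float      # share of the current version's vulnerabilities that go away


def evaluate(current: str, candidate: str, catalog: dict[str, dict[str, str]]) -> Recommendation:
    """Compare the vulnerability sets of two versions of the same package."""
    cur_vulns, new_vulns = catalog[current], catalog[candidate]
    remediated = {v: s for v, s in cur_vulns.items() if v not in new_vulns}
    introduced = {v: s for v, s in new_vulns.items() if v not in cur_vulns}
    delta = weighted(introduced) - weighted(remediated)
    pct = 100.0 * len(remediated) / len(cur_vulns) if cur_vulns else 0.0
    return Recommendation(candidate, bump_kind(current, candidate),
                          set(remediated), set(introduced), delta, pct)


def _rank(rec: Recommendation) -> tuple:
    # Lowest net risk first; among equals prefer the smaller bump, then the lower version.
    return (rec.net_risk_delta, BUMP_ORDER[rec.bump], parse_version(rec.version))


def trenched_recommendations(current: str, catalog: dict) -> dict[str, Recommendation]:
    """One candidate per bump tier (patch/minor/major): the lowest-risk choice in that tier."""
    best: dict[str, Recommendation] = {}
    for cand in catalog:
        if bump_kind(current, cand) is None:
            continue
        rec = evaluate(current, cand, catalog)
        if rec.bump not in best or _rank(rec) < _rank(best[rec.bump]):
            best[rec.bump] = rec
    return best


def most_effective(current: str, catalog: dict) -> Recommendation | None:
    """The single candidate with the lowest net risk across all upgrade tiers."""
    candidates = [evaluate(current, c, catalog) for c in catalog if bump_kind(current, c)]
    return min(candidates, key=_rank) if candidates else None


# Constructed catalogue: version -> {vulnerability id: severity}. Ids are placeholders.
CATALOG = {
    "1.2.3": {"VULN-A": "critical", "VULN-B": "high", "VULN-C": "low"},
    "1.2.9": {"VULN-A": "critical", "VULN-C": "low"},   # patch release: fixes B only
    "1.4.6": {"VULN-D": "high"},                         # fixes all three, introduces a high
    "1.5.0": {"VULN-E": "low"},                          # fixes all three, introduces a low
    "2.0.0": {},                                         # clean, but a breaking change
}

if __name__ == "__main__":
    tiers = trenched_recommendations("1.2.3", CATALOG)
    for bump, rec in sorted(tiers.items(), key=lambda kv: BUMP_ORDER[kv[0]]):
        print(f"{bump:<6} -> {rec.version}: fixes {rec.pct_fixed:.0f}%, "
              f"introduces {sorted(rec.introduced)}, net risk {rec.net_risk_delta:+d}")
    print("most effective:", most_effective("1.2.3", CATALOG).version)
```

With the constructed catalogue the patch tier lands on 1.2.9 (one of three issues fixed), the minor tier skips 1.4.6 in favour of 1.5.0 because the high-severity VULN-D it introduces outweighs the low-severity VULN-E, and the overall best choice is 2.0.0. The output of `trenched_recommendations` also carries the `introduced` set for each tier, which is the information a developer needs to see when even the recommended version is not clean.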

Automated risk reduction

Development dependencies

Development dependencies are not meant to be executed at runtime. Therefore, when Arnica identifies a development dependency, it automatically changes the status to dismissed and reduces the risk severity to info.

Package depth

Packages located deep in the dependency tree may not pose the same risk as a directly embedded package. Therefore, Arnica observes the depth of each package in the context of the code and automatically reduces the risk where applicable.

Exploit Prediction Scoring System (EPSS) score and trend

Arnica correlates each vulnerability with the EPSS database to identify the probability of exploitation in the wild within the next 30 days. Based on this feed, Arnica determines whether certain vulnerability risks can be reduced further.
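The three automatic reductions above (development dependency, package depth, EPSS score) all need the same two facts about a package: whether it is dev-only and how far it sits from the root of the dependency tree. Both can be read from a lockfile. The following added example, which is not Arnica's code, derives them from a constructed npm `package-lock.json` (lockfileVersion 3 layout, placeholder package names) and then applies the three rules to constructed findings. The depth threshold, the EPSS cut-off, the one-step severity reduction and the placeholder vulnerability ids are all assumptions made for the illustration; the EPSS trend mentioned on the page is not modelled.

```python
from __future__ import annotations
import json
from collections import deque

# Constructed lockfile (npm lockfileVersion 3 layout); package names are placeholders.
LOCKFILE = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"web-framework": "^4.0.0"},
         "devDependencies": {"test-runner": "^9.0.0"}},
    "node_modules/web-framework": {"version": "4.1.0",
                                   "dependencies": {"body-parser-lib": "^1.0.0"}},
    "node_modules/body-parser-lib": {"version": "1.0.2",
                                     "dependencies": {"deep-util": "^2.0.0"}},
    "node_modules/deep-util": {"version": "2.3.0"},
    "node_modules/test-runner": {"version": "9.2.0", "dev": true,
                                 "dependencies": {"deep-util": "^2.0.0"}}
  }
}""")

# Constructed thresholds (assumptions, not Arnica's tuning).
DEEP_DEPTH = 3      # packages this far (or further) from the root get one severity step off
LOW_EPSS = 0.01     # below this 30-day exploitation probability, take one more step off
SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]


def resolve(packages: dict, parent_key: str, dep_name: str) -> str | None:
    """npm-style lookup: the nearest node_modules/<dep_name> walking up from parent_key."""
    base = parent_key
    while True:
        candidate = f"{base}/node_modules/{dep_name}" if base else f"node_modules/{dep_name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def runtime_depths(lock: dict) -> dict[str, int]:
    """Shortest distance from the root for every package reachable through runtime
    (non-dev) dependencies; dev-only packages never appear in the result."""
    packages = lock["packages"]
    depths: dict[str, int] = {}
    queue = deque((resolve(packages, "", n), 1) for n in packages[""].get("dependencies", {}))
    while queue:
        key, depth = queue.popleft()
        if key is None or key in depths:
            continue                      # BFS: the first visit is the shortest path
        depths[key] = depth
        for dep in packages[key].get("dependencies", {}):
            queue.append((resolve(packages, key, dep), depth + 1))
    return depths


def step_down(severity: str, steps: int = 1) -> str:
    return SEVERITY_ORDER[max(0, SEVERITY_ORDER.index(severity) - steps)]


def adjust(finding: dict, lock: dict, epss: dict[str, float]) -> dict:
    """Apply the three automatic reductions: dev dependency, depth, EPSS score."""
    packages = lock["packages"]
    key = f"node_modules/{finding['package']}"    # top-level (hoisted) install assumed here
    result = {**finding, "status": "open", "reasons": []}
    if packages.get(key, {}).get("dev"):
        result.update(status="dismissed", severity="info")
        result["reasons"].append("development dependency")
        return result
    depth = runtime_depths(lock).get(key)
    result["depth"] = depth
    if depth is not None and depth >= DEEP_DEPTH:
        result["severity"] = step_down(result["severity"])
        result["reasons"].append(f"depth {depth} in dependency tree")
    score = epss.get(finding["vuln_id"])
    if score is not None and score < LOW_EPSS:
        result["severity"] = step_down(result["severity"])
        result["reasons"].append(f"EPSS {score:.3f} below {LOW_EPSS}")
    return result


# Constructed findings and EPSS scores; vulnerability ids are placeholders.
FINDINGS = [
    {"package": "web-framework", "vuln_id": "VULN-1", "severity": "high"},
    {"package": "deep-util", "vuln_id": "VULN-2", "severity": "critical"},
    {"package": "test-runner", "vuln_id": "VULN-3", "severity": "high"},
]
EPSS = {"VULN-1": 0.42, "VULN-2": 0.002, "VULN-3": 0.30}

if __name__ == "__main__":
    for finding in FINDINGS:
        r = adjust(finding, LOCKFILE, EPSS)
        print(f"{r['package']:<16} {r['vuln_id']} -> {r['status']}/{r['severity']} {r['reasons']}")
```

Note that `deep-util` is reachable from `test-runner` at depth 2, but that path goes through a dev dependency, so the runtime depth is 3 (root, `web-framework`, `body-parser-lib`, `deep-util`); counting the dev path would understate the depth and overstate the risk. Every reduction is recorded in `reasons`, which is what a reviewer needs to check why a critical finding ended up as medium.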

Internal packages support

If your development organization leverages shared packages developed in house, and those packages are defined in your source code repositories, Arnica identifies them as internal packages and recommends applying the fix in the shared package itself.
