Arnica Documentation
  • Introduction
  • Getting Started
    • 🔑Sign Up
    • ▶️SCM Integrations
      • Azure DevOps
      • Bitbucket Cloud
      • Bitbucket Server & Datacenter
      • Github
        • GitHub Audit Logs
        • Github App Permissions
      • Gitlab
    • 📤ChatOps
      • Microsoft Teams
      • Slack
        • Adding Arnica to a New Channel
        • Interacting With the Arnica Slackbot
    • 🎫Ticket Management
      • 🐛Jira Integration
      • 📋ADO Boards Integration
    • 🧠Artificial Intelligence
      • Azure OpenAI
      • OpenAI ChatGPT
    • 🏨On Premise Integrations
  • Inventory
    • 💼Identities, Repositories & Organizations
    • 📇Software Bill of Materials (SBOM)
    • 🦄Prioritization & Product Ownership
  • Hardcoded Secrets
    • 🕵️Secret Detection
    • ⏪Realtime Secret Mitigation
    • 🥕Secrets Policy Settings
  • Code Risks
    • 🎼Static Application Security Testing (SAST)
      • Custom SAST Rules
    • 🧩Software Composition Analysis (SCA)
    • 🔡3rd Party Package Licenses
      • Override License Classifications
    • 🤹3rd Party Package Reputation
      • Identifying Low Rep Packages
      • How to Find Alternative Packages
    • ⛅Infrastructure as Code Security
    • 🤖Code Risk Policy Settings
      • Developer Feedback On Push
      • Require Review Before Dismissal
      • 0 New High Severity Vulnerabilities
      • Enforce Remediation SLA
    • 🪄Code Risk Magic Links
    • 📦Code Risk Language and Framework Support
  • Platform Operations
    • 🚪Joining an Existing Org
    • ❌Deleting a Tenant
    • 🫂How do I invite members to my tenant?
      • New User Invitations
    • 👥Users & Roles
    • 🔇Deleting Integrations
    • ⌛Scheduled Jobs
      • How often do Jobs run?
    • 💸Billing
  • Security
    • 🎮Role Based Access Control (RBAC)
    • 🛡️Data Handling
    • 🏛️SSO Integration
      • Okta Integration
      • Entra ID Integration
Powered by GitBook
On this page
  • Summary
  • Supported languages
  • Risk mitigation recommendation
  • Automated risk reduction
  • Internal packages support

Was this helpful?

  1. Code Risks

Software Composition Analysis (SCA)

Summary

Arnica can identify risks in internal and 3rd party packages. Arnica provides a recommendation on the directly embedded packages to minimize the mitigation effort, where possible.

Supported languages

Language
Files

.Net

packages.lock.json, packages.config, .deps.json

C, C++

conan.lock

L

mix.lock

Go

go.mod

Java

pom.xml, gradle.lockfile, build.gradle, build.gradle.kts, libs.versions.toml

JavaScript (including JSX, TSX, TypeScript)

package-lock.json, yarn.lock, pnpm-lock.yaml, npm-shrinkwrap.json

PHP

composer.lock

Python

Pipfile.lock, poetry.lock, requirements.txt

Ruby

Gemfile.lock

Rust

Cargo.lock

Scala

Coming soon: build.sbt

Swift

Podfile.lock

Risk mitigation recommendation

Trenched mitigation

Arnica enables a trenched mitigation approach for developers, so that a subset of the risks will be mitigated with low operational risk. For example, Arnica can provide a recommendation to have a minor version change (according to semantic versioning) that will fix a certain percentage of vulnerabilities, and another recommendation to have a major version change with a higher percentage of vulnerabilities.

Calculated effective mitigation

A fix of a known vulnerability can potentially introduce another vulnerability. Arnica calculates the most effective recommendation based on a weighed count of vulnerabilities remediated vs introduced. For example, if the existing package version is 1.2.3 and all vulnerabilities were resolved in version 1.4.6, and 1.4.6 introduces new vulnerabilities, Arnica will try to find the next optimal mitigation version that introduces the lowest risk, if any.

In some cases, even the latest package version might have vulnerabilities. Arnica will present that a new vulnerability is introduced in this version, so that you can make more educated decision about the mitigation path.

Automated risk reduction

Development dependencies

Development dependencies are not meant to be executed at runtime. Therefore, when Arnica identifies development dependencies, it automatically changes the status to dismissed and reduce the risk severity to info.

Package depth

Packages located too deep in the dependency tree may not pose the same risk as a directly embedded package. Therefore, Arnica observes the depth of the package in the context of the code and automatically reduces the risk where applicable.

Exploit Prediction Scoring System (EPSS) score and trend

Arnica correlates each vulnerability with the EPSS database to identify the probability of exploitation in the wild in the next 30 days. Based on this feed, Arnica determined if certain vulnerability risks can be reduced further.

Internal packages support

If your development organizations leverage shared packages developed in house and they are defined in the source code repositories, Arnica identifies these internal packages and recommends the fix in the shared packages.

PreviousCustom SAST RulesNext3rd Party Package Licenses

Last updated 1 year ago

Was this helpful?

🧩
An example of a recommendation on internal package