Updated on 2025-06-05 GMT+08:00

Performing Binary Software Composition Analysis (SCA)

Scenario

According to the 2024 China Software Industry Outlook, the software market in China exceeded CNY12 trillion in 2023, and the overall market is expected to exceed CNY21 trillion by 2029. According to the 2023 Software Supply Chain Status Report, open source software (OSS) supply chain attacks grew by an average of 742% year on year between 2019 and 2022. Assessing open-source and third-party software raises the following challenges:

  • There are no effective security detection methods for purchased or delivered software.
  • Suppliers need to have basic security certifications.
  • Open-source vulnerability response and fixing are inefficient. Security risks are not well managed.

With CodeArts Governance, you can assess the risks of a software package through APIs or the console before you introduce it. The following features are provided.

  • Comprehensive risk detection: CodeArts Governance analyzes software and firmware packages to identify known vulnerabilities in the components they contain against its security rules. It also evaluates license compliance, weak and hard-coded passwords, security configurations, and secure compiler options.
  • Various applications supported: CodeArts Governance can scan desktop applications for Windows and Linux; mobile applications packaged as Android Application Package (APK), iOS App Store Package (IPA), or HarmonyOS Ability Package (HAP); and embedded system firmware.
  • Professional analysis and guidance: risk information is presented from several perspectives, together with suggestions for fixing each finding.

Solution Architecture

The following figure shows an example of how CodeArts Governance works. A user applies for open-source software (same process as third-party software) and provides the artifact package to CodeArts Governance. The service then checks for known vulnerabilities, secure compiler options, information leakage, and security configurations, and provides a risk assessment report. The user fixes the detected vulnerabilities before using the software.

Advantages

  • Source-code-free, non-intrusive detection

    You only need to upload the release package or firmware image. No build or runtime environment is needed, and the scanned program is never executed.

  • Multiple languages, file formats, and architectures

    Artifacts built from different languages or for different CPU architectures can all be scanned.

  • Detection of sensitive data exposure

    Risks in security configurations, hard-coded or weak passwords, and embedded secret keys are identified before the package is shipped.

Constraints

Table 1 Restrictions of the binary component analysis function

  Category: Job management

  • Language: C, C++, Java, Go, JavaScript, Python, Rust, Swift, C#, and PHP
  • Package format: files in .7z, .arj, .cpio, .phar, .rar, .tar, .xar, .zip, .jar, .apk, .war, .rpm, and .deb formats, and firmware images such as Android OTA images, Android sparse images, Intel HEX, RockChip, and U-Boot
  • Package size: 5 GB (Professional edition); 300 MB (Free edition)

Procedure

  1. Log in to the CodeArts Governance console.
  2. In the navigation pane on the left, choose SCA > Binary SCA.
  3. Click Create Job. In the displayed dialog box, click Scan File, select the software package to be scanned, and import it.

    Table 2 Parameters

    • Scan File: the software package or firmware image to be scanned.
    • Job: the job name; by default, the name of the file to be scanned.
    • Description: a description of the job.
    • Upgrade this scan to Professional: shown only when your free package still has scanning quota and no yearly/monthly package is in use.
      • Disabled: the Free edition is used for this scan job.
      • Enabled: the Professional edition is used for this scan job. You then get the complete scan results, can export the report, and can upload a file of up to 5 GB. For frequent scans, yearly/monthly packages are recommended.

  4. After the file is uploaded, click OK to start scanning.
  5. Click a job name to check its report. Alternatively, click View Report in the Operation column of the job. Table 3 lists items on the details page.

    Table 3 Items on the details page

    • Job Info
      • Basic Info: file name, file size, feature library version, and platform version.
      • Overview: a summary of every scan item:
        • Component Analysis: the total number of components in the software package and the proportions with vulnerabilities, with unknown versions, and without vulnerabilities
        • Vulnerability Severity: the total number of vulnerabilities and the proportions of critical, high, medium, and low severity
        • Security Configurations: the total number of check items and the proportions that passed, failed, and were not applicable
        • Open-Source Software Licenses: the numbers of high-, medium-, and low-risk licenses
        • Key and Info Leakage: the total number of leakage findings and their distribution by type
        • Secure Compiler Options: the total number of compiler-option findings and their distribution by check item
    • Open-Source Software Vulnerabilities: the name, version, license, number of files, and number of vulnerabilities of each component found in the job.
      • You can sort the list alphabetically, by component version, or by number of files.
      • You can filter the list by component name or open-source license.
    • Open-Source Software Licenses: license risks by severity, including integration and compatibility risks.
      • Licenses: the license check result for the package. The license name, integration risk, components involved, license description, and risk analysis are shown.
      • Compatibility: the license compatibility risks found in each directory of the package.
    • Key and Info Leakage: check results for Git addresses, IP addresses, hard-coded passwords, weak passwords, hard-coded keys, and SVN addresses.
    • Secure Compiler Options: the description and result of the BIND_NOW, NX, and PIC check items, and the number of files that fail each one.
    • Security Configurations: check items, issue severity, and results for credential management, authentication, and session management.

    • On the Open Source Software Vulnerabilities tab, check the vulnerabilities of each component.

      Click a component name to see its vulnerability details.

      • Click the copy icon next to an object path to copy the path.
        Figure 1 Copying an object path
      • Click a CVE name to see its details: description, fix, and reference links.
    • On the Key and Info Leakage tab, check the result of each check item.
    • On the Secure Compiler Options tab, check the result of each check item.
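The Secure Compiler Options and Key and Info Leakage tabs report findings that a practitioner often wants to reproduce or spot-check locally before uploading a package, or to triage a report against. The script below is an added example written for this page; it is not CodeArts Governance code and does not call its API. It decides NX, BIND_NOW (full RELRO) and PIE (what the report calls PIC) by reading only the ELF64 header, program headers and PT_DYNAMIC entries, so the binary is never loaded or run, and it applies byte-level regexes for the leakage categories the report lists. The ELF image, the string blob and the weak-password list are all constructed inline for illustration; real checks use a far larger wordlist.

```python
import re
import struct

# ELF constants (ELF64 specification / glibc elf.h)
ET_DYN = 3                 # shared object or position-independent executable (PIE)
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_elf64_hardening(data: bytes) -> dict:
    """Return NX / BIND_NOW / PIE status of a little-endian ELF64 image.

    Only the headers and the dynamic section are parsed; nothing is mapped or executed.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    nx = False          # no PT_GNU_STACK at all means an executable stack on most loaders
    bind_now = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    if dyn_off is not None:
        # BIND_NOW can be expressed three ways: DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS, DF_1_NOW in DT_FLAGS_1
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bind_now = True
    return {"NX": nx, "BIND_NOW": bind_now, "PIE": e_type == ET_DYN}


def build_sample_elf(executable_stack: bool, bind_now: bool, pie: bool) -> bytes:
    """Constructed input: a header-only ELF64 image (not loadable, just enough to scan)."""
    phoff, phnum = 64, 2
    dyn_off = phoff + phnum * 56
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8      # ELF64, little-endian, SysV ABI
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 0x3E, 1, 0,
                               phoff, 0, 0, 64, 56, phnum, 64, 0, 0)
    stack_flags = 0x6 | (PF_X if executable_stack else 0)       # RW or RWX stack
    ph_stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    ph_dyn = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 0x6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + ph_stack + ph_dyn + dyn


# Key and Info Leakage: the report's categories as byte regexes over the raw file
LEAK_PATTERNS = {
    "git_address": rb"(?:git@[\w.-]+:[\w./-]+\.git|https?://[\w.-]+/[\w./-]+\.git)",
    "svn_address": rb"svn(?:\+ssh)?://[\w.-]+/[\w./-]+",
    "ipv4": rb"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    "hardcoded_password": rb"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]{4,})",
    "hardcoded_key": rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----",
}
WEAK_PASSWORDS = {b"123456", b"password", b"admin", b"admin123", b"root", b"qwerty"}  # placeholder list


def scan_for_leaks(data: bytes) -> list:
    """Return (category, evidence) pairs; a hard-coded password is also flagged weak if short or common."""
    hits = []
    for name, pat in LEAK_PATTERNS.items():
        for m in re.finditer(pat, data):
            hits.append((name, m.group(0).decode("ascii", "replace")))
            if name == "hardcoded_password":
                value = m.group(1)
                if len(value) < 8 or value.lower() in WEAK_PASSWORDS:
                    hits.append(("weak_password", value.decode("ascii", "replace")))
    return hits


# Constructed sample of strings as they might sit inside a firmware image (not a real product).
SAMPLE_BLOB = (
    b"\x00Build info\x00"
    + b"origin=git@github.com:example/firmware.git\x00"
    + b"svn://svn.example.internal/trunk/fw\x00"
    + b"mgmt_host=10.0.0.5\x00"
    + b'db_password = "admin123"\x00'
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIB\x00"
)

if __name__ == "__main__":
    for label, image in (("unhardened", build_sample_elf(True, False, False)),
                         ("hardened", build_sample_elf(False, True, True))):
        print(label, check_elf64_hardening(image))
    for category, evidence in scan_for_leaks(SAMPLE_BLOB):
        print(f"{category:20} {evidence}")
```

To check a real file, pass `open(path, "rb").read()` to both functions. The ELF check handles only little-endian ELF64 and treats a missing PT_GNU_STACK as NX disabled, which is the conservative reading; the service's checks additionally cover APK, IPA, HAP and the firmware formats in Table 1, and a production secret scanner would add entropy-based key detection and a real wordlist rather than the placeholder set above.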