Updated on 2026-01-23 GMT+08:00

Performing Binary Software Composition Analysis (SCA)

This section introduces how to create a binary scan job and check the scan report.

Prerequisites

Creating a Scan Job

  1. Log in to the CodeArts Governance console.
  2. In the navigation pane on the left, choose SCA > Binary SCA.
  3. Click Create Job. In the displayed dialog box, click Scan File. Upload a local software package or firmware.

    Table 1 Parameters

    Parameter: Scan File
    Description: The software package and firmware to be scanned. The following rules apply to the file:
    • The file size cannot exceed 5 GB (300 MB for free trial jobs).
    • The file name can contain only letters, digits, spaces, underscores (_), hyphens (-), and periods (.).
    • The file name can contain a maximum of 100 characters.

    Parameter: Job
    Description: Auto-filled based on your upload.

    Parameter: Check Item
    Description: Items to be checked.
    CAUTION: Selecting one or multiple check items counts as one scan.

    Parameter: Description
    Description: Describe the job within 200 characters.

    Parameter: Upgrade this scan to Professional.
    Description: This is shown when your free package has remaining scanning quota and yearly/monthly billing is not used.
    • Disabled: The Free edition will be used for this scan job.
    • Enabled: The Professional edition will be used for this scan job. After the upgrade, you can check complete scan results, export the report, and upload a file up to 5 GB. For frequent scans, yearly/monthly packages are recommended.

  4. Click OK and wait for the job to complete. The scan duration depends on the package size and code size. When the scan finishes, the job's status changes to Completed.

    If the job status is Failed, refer to What Can I Do If a Binary SCA Task Fails?
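
A pre-upload check for the Scan File rules in Table 1, written as an added example; it is not part of the original documentation or of CodeArts Governance. It assumes that GB and MB are binary units and that "letters" means ASCII letters; the function names and edition keys are illustrative.

```python
import os
import re
import tempfile

# Limits taken from Table 1. Assumptions: "GB"/"MB" are binary units and
# "letters" means ASCII letters; adjust if the console behaves differently.
MAX_BYTES = {"professional": 5 * 1024**3, "free": 300 * 1024**2}
MAX_NAME_LEN = 100
NAME_RE = re.compile(r"[A-Za-z0-9 _.\-]+")


def check_name(name):
    """Return a list of rule violations for a file name (empty list = OK)."""
    problems = []
    if len(name) > MAX_NAME_LEN:
        problems.append(f"name has {len(name)} characters, limit is {MAX_NAME_LEN}")
    if not NAME_RE.fullmatch(name):
        # Report exactly which characters break the allowed-character rule.
        bad = sorted({c for c in name if not NAME_RE.fullmatch(c)})
        problems.append(f"name contains disallowed characters: {bad}")
    return problems


def check_size(size, edition="professional"):
    """Return a violation if size (bytes) exceeds the limit for the edition."""
    limit = MAX_BYTES[edition]
    if size > limit:
        return [f"size {size} bytes exceeds the {edition} limit of {limit} bytes"]
    return []


def preflight(path, edition="professional"):
    """Check a local package or firmware image against the upload rules."""
    name = os.path.basename(path)
    return check_name(name) + check_size(os.path.getsize(path), edition)


if __name__ == "__main__":
    # Constructed sample: a tiny stand-in file whose name breaks the charset rule.
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "router-fw(v2).bin")
        with open(sample, "wb") as fh:
            fh.write(b"\x7fELF")
        for problem in preflight(sample, edition="free") or ["ok"]:
            print(problem)
```

Running the check in a build pipeline before upload reports every rule the artifact breaks, so the file can be renamed or the edition changed before the job is created.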

Checking a Scan Report

  1. Click the name of a Completed job to check its report. Alternatively, click View Report in the Operation column of the job. This page shows the Basic Info, Open-Source Software Vulnerabilities, Open-Source License, Key and Info Leakage, Secure Compiler Options, and Security Configurations.
  2. Click Download Report in the upper-right corner to generate a report, for example, a PDF report.
  3. Click Download Report in the upper-right corner to download a report, for example, a PDF report.

    The report includes the job and result overview and lists the components, vulnerabilities, keys, information leaks, unsafe compiler options, and security configuration issues.