Checking a Binary SCA Report
Prerequisites
You have completed operations described in Adding a Binary SCA Job and the job's status is Completed.
Checking a Scan Report
- Log in to the CodeArts Governance console.
- In the navigation pane on the left, choose Software Composition Analysis (SCA) > Binary SCA.
- All jobs are listed. Click a job name to check its report. Alternatively, click View Report in the Operation column of the job. Table 1 lists the items on the details page.
Table 1 Items on the details page (each item is followed by its description)
Job Info
- Basic Info: the file name, file size, feature library version, and platform version.
- A general summary of the results of all scan items.
- Component Analysis: the total number of components in the software package and the proportions of components with vulnerabilities, with unknown versions, and with no vulnerabilities.
- Vulnerability Severity: the total number of vulnerabilities and the proportions of critical, high-risk, medium-risk, and low-risk vulnerabilities.
- Security Configurations: the total number of check items and the proportions of passed, failed, and not-involved check items.
- Open-Source Licenses: the statistics of licenses with high, medium, and low risks.
- Key and Info Leakage: the total number of data leakage issues and their distribution.
- Secure Compiler Options: the total number of secure compiler option issues and their distribution.
Open-Source Software Vulnerabilities
The name, version, license, number of files, and number of total/confirmed vulnerabilities of each component in the scan job are displayed.
- You can sort the list alphabetically, by component version, or by the number of files.
- You can filter the component list by component name or open-source license.
Open-Source Licenses
The license risks of each severity, including integration and compatibility risks.
- Licenses: the license check result of the binary file package. The license name, integration risk, components involved, license description, and risk analysis are displayed.
- Compatibility: the check result of license compatibility risks in each directory of the binary file package.
Key and Info Leakage
The check results for Git addresses, IP addresses, hard-coded passwords, weak passwords, hard-coded keys, and SVN addresses.
Secure Compiler Options
The description and result of the BIND_NOW, NX, and PIC check items, and the number of files that do not meet the requirements.
Security Configurations
The check items, issue severity, and results related to credential management, authentication, and session management.
Analyzing Open-Source Software Vulnerabilities
CodeArts Governance decompresses and scans your software packages and firmware. It performs static analysis based on the software BOM to identify vulnerabilities and license risks. You can click a component name to check vulnerability details.
- Updating vulnerabilities: Click Sync with Library to update the vulnerability information to the latest version. The information can be updated only once a day. After an update, reports must be regenerated before they can be downloaded.
- Checking vulnerability details: Click a CVE vulnerability to check its details, description, fixing solution, and reference links.
- Reviewing vulnerabilities:
Click Review in the Operation column of a vulnerability to assess it. Set Component Affected and Reason, then click OK. Alternatively, select files in the Files with This Component area, select vulnerabilities, and click Review Selected to review multiple vulnerabilities at once. Click Delete in the Operation column to delete a reviewed vulnerability.
After the scan is complete, you can perform the following operations to handle the vulnerabilities.
- Check the Open Source Vulnerability Analysis tab page.
Locate the files according to the file path displayed on the report details page or in the report. If the detected software does not exist or the software version number is incorrect, no further analysis is required.
Figure 1 Checking the file object path
- Check the Known Vulnerabilities area.
Search for the CVE number in the National Vulnerability Database (NVD), Common Vulnerabilities and Exposures (CVE), and China National Vulnerability Database (CNVD) to check the vulnerability details.
- General analysis: Confirm the scope of each vulnerability. For example, CVE-2021-3711 is listed in the Known Affected Software Configurations area of NVD, as shown in Figure 2. You can check whether the vulnerability affects the software version that you are using.
- Refined analysis: Since some vulnerabilities exist only in specific functions, you can refer to the patches published by the communities mentioned above to learn the vulnerability details, affected functions, and fixing methods, as shown in Figure 3, and confirm whether the vulnerability affects the software that you are using.
Figure 3 Checking vulnerability details
- Check the license compliance. Identify the risky licenses and confirm whether they can meet your service requirements.
- Handle the vulnerabilities according to the following instructions.
- Known vulnerabilities: Upgrade the software to the version recommended by the communities mentioned above. Alternatively, install patches to fix the vulnerabilities temporarily.
- Risky licenses: Replace the risky licenses with compliant ones that function the same.
Analyzing Key and Info Leaks
CodeArts Governance decompresses and scans your software packages and firmware to identify information leaks, for example, sensitive IPs, Git/SVN repository risks, weak passwords, and hard-coded keys.
These risks are listed in reports, for example, PDF reports, including items shown in Table 2. You can determine whether they are severe risks and take actions accordingly.
Analyzing Secure Compiler Option Issues
CodeArts Governance checks the C, C++, and Go files to see whether there are secure compiler options to defend against attacks.
Handle secure compiler option issues according to the following instructions.
- Export the Excel report and open the secure compiler option sheet.
- Locate the file source according to the filepath column.
- Go through the check items and handle the failed ones accordingly.
- If a check item is passed, its result is shown in green and no further action is required. For files that pass the Rpath check, the result is No or N/A. For other passed check items, the result is YES or N/A.
- For files that fail a check item, obtain their build scripts and add the corresponding secure compiler options. Note that Ftrapv and FS may affect the behavior of the files, so add them based on your needs.
The check items and the compiler or linker options that satisfy them are as follows:

| Item | Description | Parameter |
|---|---|---|
| BIND_NOW | Immediate binding | -Wl,-z,now |
| NX | Non-executable stack | -Wl,-z,noexecstack |
| PIC | Position-independent code | -fPIC |
| PIE | Position-independent executable | -fPIE or -pie |
| RELRO | Global Offset Table (GOT) protection | -Wl,-z,relro |
| SP | Stack protection | -fstack-protector-strong or -fstack-protector-all |
| NO Rpath/Runpath | Dynamic library search path (forbidden) | Delete --rpath from the script. |
| FS | Fortify Source (buffer overflow check) | -D_FORTIFY_SOURCE=2 |
| Ftrapv | Integer overflow check | -ftrapv |
| Strip | Symbol table deletion | -s |
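To see what the BIND_NOW, NX, RELRO, PIE and Rpath/Runpath check items actually inspect inside a binary, here is an added example (not CodeArts Governance code) that reads the ELF64 program headers and dynamic section directly, together with a constructed minimal ELF image so it runs without a real binary. The SP, FS, Ftrapv and Strip items need symbol and section inspection and are not covered here.

```python
import struct

# ELF ABI constants; only little-endian ELF64 images are handled here.
ET_DYN, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 3, 2, 0x6474E551, 0x6474E552
DT_NULL, DT_RPATH, DT_RUNPATH, DT_FLAGS, DT_FLAGS_1 = 0, 15, 29, 30, 0x6FFFFFFB
PF_X, DF_BIND_NOW, DF_1_NOW = 1, 0x8, 0x1

def check_elf64(data):
    """Evaluate the header-level table items (PIE, NX, RELRO, BIND_NOW, Rpath) of an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    e_type, phoff = struct.unpack_from("<H", data, 16)[0], struct.unpack_from("<Q", data, 32)[0]
    phentsize, phnum = struct.unpack_from("<HH", data, 54)
    # NX starts False: without a PT_GNU_STACK header the loader may grant an executable stack.
    result = {"PIE": e_type == ET_DYN, "NX": False, "RELRO": False,
              "BIND_NOW": False, "NO Rpath/Runpath": True}
    dyn = None
    for i in range(phnum):
        p_type, p_flags, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            result["NX"] = not (p_flags & PF_X)   # -Wl,-z,noexecstack clears PF_X
        elif p_type == PT_GNU_RELRO:
            result["RELRO"] = True                # -Wl,-z,relro emits this segment
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
    if dyn:
        for pos in range(dyn[0], dyn[0] + dyn[1], 16):
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            if tag in (DT_RPATH, DT_RUNPATH):     # set by --rpath, which the table says to remove
                result["NO Rpath/Runpath"] = False
            if (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                result["BIND_NOW"] = True         # -Wl,-z,now
    return result

def build_sample_elf(pie=True, nx=True, relro=True, bind_now=True, rpath=False):
    """Constructed minimal ELF64 image (headers and dynamic section only); not a real binary."""
    dyn = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"")
    dyn += (struct.pack("<qQ", DT_RUNPATH, 0) if rpath else b"") + struct.pack("<qQ", DT_NULL, 0)
    phdrs = [(PT_GNU_STACK, 6 if nx else 7), (PT_DYNAMIC, 6)] + ([(PT_GNU_RELRO, 4)] if relro else [])
    phoff, phentsize = 64, 56
    dyn_off = phoff + phentsize * len(phdrs)
    img = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0, phoff, 0, 0, 64, phentsize, len(phdrs), 64, 0, 0)
    for p_type, p_flags in phdrs:
        off, size = (dyn_off, len(dyn)) if p_type == PT_DYNAMIC else (0, 0)
        img += struct.pack("<IIQQQQQQ", p_type, p_flags, off, 0, 0, size, size, 8)
    return img + dyn
```

Calling `check_elf64(open(path, "rb").read())` on a real x86-64 binary gives the same five verdicts the report's secure compiler option sheet shows for those items.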
Analyzing Security Configuration Issues
The security configuration check covers the following:
- Sensitive information, for example, key files, certificate files, source code files, and debugging tools
- Problems in the user and group configurations, hard-coded credentials, and authorization and access control. Note that some check items apply to operating systems (OSs) only.
After the scan, you can export a PDF report to analyze security configuration issues.
- Search for "security configuration overview" to check the result of each check item. The result is one of the following:
- Pass
- Failed
- N/A: there is no operating system to be checked.
- Search for "security configuration list" to check the details. The following information is displayed:
- Check items and their check methods
- Scan result, which is Passed, Failed, or N/A
- Files that have issues, if any