Updated on 2026-01-22 GMT+08:00

Downloading a Binary SCA Report

Prerequisites

You have completed the operations described in Adding a Binary SCA Job, and the job status is Completed.

Downloading a Scan Report

  1. Log in to the CodeArts Governance console.
  2. In the navigation pane on the left, choose Software Composition Analysis (SCA) > Binary SCA.
  3. Click a job name to check its report. Alternatively, click View Report in the Operation column of the job.
  4. Click Download Report in the upper-right corner and choose one of the following report formats.

    • PDF
    • Excel
    • SBOM (CycloneDX), which can be imported into CodeArts SBOM for analysis.
    • SBOM (SPDX), which can be imported into CodeArts SBOM for analysis.

      Both CycloneDX and SPDX are standardized formats for Software Bill of Materials (SBOMs), designed to help organizations better manage and understand the components in their software supply chain.

      • CycloneDX is simple, lightweight, and easy to understand and implement. It provides essential component information and dependency data, enabling quick integration into existing development workflows.
      • SPDX, by contrast, is more complex and flexible, offering richer metadata fields and extensive extension capabilities. It supports detailed file-level information and is well suited for organizations that require comprehensive, highly detailed SBOMs.

  5. Click Download Report in the upper-right corner and choose a report format.

    The report includes the job and result overview and lists the components, vulnerabilities, key and information leakage issues, secure compiler option issues, and security configuration issues.

    The generated scan report expires 12 hours after it is generated. To download the report after it has expired, click Download Report again to generate a new one.
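The two SBOM formats offered in step 4 differ mostly in how much structure they carry. The following added example (not CodeArts code, and not output of a Binary SCA job) reads a CycloneDX JSON document and an SPDX 2.3 JSON document and normalizes both into one component list with name, version, licenses, dependencies and, for SPDX, file-level entries. Both SBOM documents are constructed samples embedded in the script; the SHA1 value in the SPDX file entry is a placeholder.

```python
"""Normalize CycloneDX and SPDX SBOM documents into one component list.

Added example, not CodeArts code. The two SBOMs below are constructed
samples written for this script, not output of a Binary SCA job.
"""
import json

# Constructed CycloneDX 1.5 JSON sample: a component list plus a dependency graph.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "sample-app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:generic/zlib@1.2.11", "licenses": [{"license": {"id": "Zlib"}}]},
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:generic/openssl@1.1.1k", "licenses": [{"license": {"id": "OpenSSL"}}]},
    ],
    "dependencies": [
        {"ref": "pkg:generic/openssl@1.1.1k", "dependsOn": ["pkg:generic/zlib@1.2.11"]},
    ],
})

# Constructed SPDX 2.3 JSON sample: packages, a file-level entry and typed relationships.
# The checksum value is a placeholder, not a real digest.
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "sample-app",
    "packages": [
        {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib", "versionInfo": "1.2.11",
         "licenseConcluded": "Zlib", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "1.1.1k",
         "licenseConcluded": "OpenSSL", "downloadLocation": "NOASSERTION"},
    ],
    "files": [
        {"SPDXID": "SPDXRef-File-libz", "fileName": "./lib/libz.so.1.2.11",
         "checksums": [{"algorithm": "SHA1", "checksumValue": "0" * 40}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-Package-openssl", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-zlib"},
        {"spdxElementId": "SPDXRef-Package-zlib", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-File-libz"},
    ],
})


def detect_format(doc):
    """Identify the SBOM format from the top-level keys of a parsed JSON document."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    raise ValueError("not a CycloneDX or SPDX JSON document")


def load_cyclonedx(doc):
    """Flatten CycloneDX components; dependencies are resolved from bom-ref/purl to names."""
    comps = doc.get("components", [])
    ref_of = lambda c: c.get("bom-ref") or c.get("purl") or f'{c["name"]}@{c.get("version", "")}'
    names = {ref_of(c): c["name"] for c in comps}
    deps = {d["ref"]: d.get("dependsOn", []) for d in doc.get("dependencies", [])}
    out = []
    for c in comps:
        lics = [l["license"].get("id") or l["license"].get("name")
                for l in c.get("licenses", []) if "license" in l]
        out.append({"name": c["name"], "version": c.get("version", ""), "licenses": lics,
                    "depends_on": [names.get(r, r) for r in deps.get(ref_of(c), [])],
                    "files": []})  # CycloneDX components here carry no file-level detail
    return out


def load_spdx(doc):
    """Flatten SPDX packages; DEPENDS_ON and CONTAINS relationships fill deps and files."""
    pkgs = {p["SPDXID"]: p for p in doc.get("packages", [])}
    files = {f["SPDXID"]: f["fileName"] for f in doc.get("files", [])}
    comps = {}
    for sid, p in pkgs.items():
        lic = p.get("licenseConcluded")
        comps[sid] = {"name": p["name"], "version": p.get("versionInfo", ""),
                      "licenses": [] if lic in (None, "NOASSERTION", "NONE") else [lic],
                      "depends_on": [], "files": []}
    for r in doc.get("relationships", []):
        src, dst, kind = r["spdxElementId"], r["relatedSpdxElement"], r["relationshipType"]
        if src not in comps:
            continue
        if kind == "DEPENDS_ON" and dst in pkgs:
            comps[src]["depends_on"].append(pkgs[dst]["name"])
        elif kind == "CONTAINS" and dst in files:
            comps[src]["files"].append(files[dst])
    return list(comps.values())


def load_sbom(text):
    """Return (format, components) for either SBOM format."""
    doc = json.loads(text)
    fmt = detect_format(doc)
    return fmt, (load_cyclonedx(doc) if fmt == "cyclonedx" else load_spdx(doc))


if __name__ == "__main__":
    for sample in (CYCLONEDX_SAMPLE, SPDX_SAMPLE):
        fmt, comps = load_sbom(sample)
        print(fmt, json.dumps(comps, indent=1))
```

Running the script prints the same two components from either document; only the SPDX version populates the files field, which is the file-level detail the text above attributes to SPDX.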

Report Description

You can rectify the vulnerabilities according to the report. Table 1 lists the report items.

Table 1 Report description

Item

Description

Overview

Number of vulnerabilities detected in the software package.

Results

  • Statistics on vulnerability types and distribution.
  • Number of components and their vulnerability distribution.
  • Distribution of open-source licenses.
  • Distribution of key and information leaks.
  • Distribution of secure compiler option issues.
  • Distribution of security configuration issues.

Component List

Information about all components in the software package, including the component name, version, release date, open-source license, and file path.

Vulnerability List

Vulnerability details for each component, which you can use to fix the vulnerabilities.

Key and Information Leaks

Details of key and information leaks, including Git addresses, IP addresses, hard-coded passwords, weak passwords, hard-coded keys, and SVN addresses.

Secure Compiler Option Issues

Details of secure compiler option issues, such as those related to BIND_NOW, NX, and PIC.

Security Configuration Check

Details of security configuration issues, such as preset account information, high-risk sudo commands, and group membership information.

Malware

Viruses and malicious code detected in the software package.
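The Secure Compiler Option Issues row lists BIND_NOW, NX and PIC. The following added example (not CodeArts code, and not how the Binary SCA scanner itself works) shows where each of those properties can be read from an ELF64 binary: BIND_NOW from the dynamic section (DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW), NX from the PT_GNU_STACK segment flags, and PIC from the file type (ET_DYN) together with the absence of text relocations. The script builds two minimal ELF images in memory as constructed fixtures (they are not loadable programs) so the check runs offline; pass a real binary path on the command line to check it instead.

```python
"""Check an ELF64 binary for BIND_NOW, NX and PIC, the secure compiler options
named in the Binary SCA report. Added example, not CodeArts code; the ELF
images built by build_elf() are constructed test fixtures, not real programs.
"""
import struct
import sys

# ELF constants from the ELF64 and GNU ABI definitions.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK = 2, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_TEXTREL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 22, 24, 30, 0x6FFFFFFB
DF_TEXTREL, DF_BIND_NOW, DF_1_NOW = 0x4, 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header, 56 bytes
DYN = struct.Struct("<qQ")                 # ELF64 dynamic entry, 16 bytes


def check_elf(data):
    """Return {'bind_now', 'nx', 'pic'} booleans for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (_ident, e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, *_rest) = EHDR.unpack_from(data, 0)
    nx = False         # without PT_GNU_STACK the loader defaults to an executable stack
    bind_now = False
    textrel = False
    has_dynamic = False
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz, *_ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            has_dynamic = True
            for off in range(p_offset, p_offset + p_filesz, DYN.size):
                d_tag, d_val = DYN.unpack_from(data, off)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) \
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                    bind_now = True
                if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                    textrel = True
    # Position-independent code: linked as ET_DYN (PIE or shared object) with no
    # text relocations, which would mean non-PIC code was linked in.
    pic = e_type == ET_DYN and has_dynamic and not textrel
    return {"bind_now": bind_now, "nx": nx, "pic": pic}


def findings(data):
    """Names of the options that are not enabled, as the report row would list them."""
    labels = {"bind_now": "BIND_NOW", "nx": "NX", "pic": "PIC"}
    return sorted(labels[k] for k, ok in check_elf(data).items() if not ok)


def build_elf(e_type, stack_exec, dyn_flags):
    """Construct a minimal ELF64 image with PT_GNU_STACK and PT_DYNAMIC segments.

    Test fixture only: it has no code and cannot be executed. dyn_flags is the
    DT_FLAGS value to embed (0 for none).
    """
    phoff = EHDR.size
    dynoff = phoff + 2 * PHDR.size
    dynamic = DYN.pack(DT_FLAGS, dyn_flags) + DYN.pack(DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # class 64, LE, version 1
    ehdr = EHDR.pack(ident, e_type, 0x3E, 1, 0, phoff, 0, 0,
                     EHDR.size, PHDR.size, 2, 0, 0, 0)
    stack_flags = PF_R | PF_W | (PF_X if stack_exec else 0)
    stack = PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    dyn = PHDR.pack(PT_DYNAMIC, PF_R | PF_W, dynoff, 0, 0, len(dynamic), len(dynamic), 8)
    return ehdr + stack + dyn + dynamic


# Constructed fixtures: one image with all three options enabled, one with none.
HARDENED = build_elf(ET_DYN, stack_exec=False, dyn_flags=DF_BIND_NOW)
UNHARDENED = build_elf(ET_EXEC, stack_exec=True, dyn_flags=0)

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else UNHARDENED
    print(check_elf(image), "issues:", findings(image))
```

On a real binary the same three flags are what readelf -d (DT_FLAGS, DT_FLAGS_1, DT_TEXTREL) and readelf -l (GNU_STACK flags, file type) display; this script only reads them directly from the headers.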