Updated on 2026-01-21 GMT+08:00

Performing Binary Software Composition Analysis (SCA)

Scenarios

According to the 2024 China Software Industry Outlook, China's software market surpassed CNY12 trillion in 2023 and is projected to exceed CNY21 trillion by 2029, reflecting rapid industry expansion. However, the 2023 Software Supply Chain Status Report reveals a 742% average annual increase in open-source software (OSS) supply chain attacks from 2019 to 2022, highlighting critical security challenges:

  • No standardized methods exist for assessing purchased or delivered software.
  • Vendors often lack basic security certifications.
  • Open-source patching remains inefficient, leaving risks unmitigated.

CodeArts Governance provides end-to-end risk assessment for software adoption through APIs and web interfaces. The service delivers:

  • Comprehensive risk detection: CodeArts Governance analyzes software and firmware packages and matches their components against security rules to identify known vulnerabilities. It also evaluates license compliance, password strength (weak or hard-coded passwords), security configurations, and secure compiler options.
  • Cross-platform coverage that supports Windows/Linux applications, mobile binaries (APK/IPA/HAP), and embedded firmware.
  • Professional analysis that transforms scan results into prioritized findings with actionable remediation guidance for development teams.

Architecture

The following figure shows an example of how CodeArts Governance works. A user applies for open-source software (same process as third-party software) and provides the artifact package to CodeArts Governance. The service then checks for known vulnerabilities, secure compiler options, information leakage, and security configurations, and provides a risk assessment report. The user fixes the detected vulnerabilities before using the software.

Advantages

  • Quick detection

    You only need to upload the product release package or firmware, without the need to build the running environment or run programs.

  • High compatibility

    Artifacts built using different languages or architectures can all be scanned.

  • Sensitive data safeguard

    Potential risks in security configurations, passwords, and secret keys can all be identified.

Procedure

  1. Log in to the CodeArts Governance console.
  2. In the navigation pane on the left, choose SCA > Binary SCA.
  3. Click Create Job. In the displayed dialog box, click Scan File.
  4. Upload a software package.

    Table 1 Parameters

    Scan File
      The software package or firmware to be scanned. The following rules apply to the file:
      • The file size cannot exceed 5 GB (300 MB for free trial jobs).
      • The file name can contain only letters, digits, spaces, underscores (_), hyphens (-), and periods (.).
      • The file name can contain a maximum of 100 characters.

    Job
      Auto-filled based on the uploaded file.

    Check Item
      The items to be checked.
      CAUTION: Selecting one or more check items counts as one scan.

    Description
      A description of the job, up to 200 characters.

    Upgrade this scan to Professional
      Shown only when your free package still has scanning quota and no yearly/monthly package is in use.
      • Disabled: The Free edition is used for this scan job.
      • Enabled: The Professional edition is used for this scan job. After the upgrade, you can view complete scan results, export the report, and upload files up to 5 GB. For frequent scans, yearly/monthly packages are recommended.

  5. After the file is uploaded, click OK to start scanning.
  6. Click a job name to check its report. Alternatively, click View Report in the Operation column of the job. Table 2 lists items on the details page.

    Table 2 Items on the details page

    Job Info
      • Basic Info: file name, file size, feature library version, and platform version.
      • A summary of the results of all scan items:
        • Component Analysis: the total number of components in the software package and the proportions of components with vulnerabilities, with unknown versions, and with no vulnerabilities
        • Vulnerability Severity: the total number of vulnerabilities and the proportions of critical, high-risk, medium-risk, and low-risk vulnerabilities
        • Security Configurations: the total number of check items and the proportions of passed, failed, and not-applicable check items
        • Open-Source Licenses: the number of licenses with high, medium, and low risk
        • Key and Info Leakage: the total number of data leaks and their distribution by type
        • Security Compilation Options: the total number of unsafe compiler options and their distribution

    Open-Source Software Vulnerabilities
      The name, version, license, number of files, and number of vulnerabilities of each component found in the scan job.
      • You can sort the list alphabetically, by component version, or by the number of files.
      • You can filter the list by component name or open-source license.

    Open-Source Software Licenses
      License risks by severity, including integration and compatibility risks.
      • Licenses: the license check result for the binary package. The license name, integration risk, components involved, license description, and risk analysis are displayed.
      • Compatibility: the license compatibility risks found in each directory of the binary package.

    Key and Info Leakage
      Check results for Git addresses, IP addresses, hard-coded passwords, weak passwords, hard-coded keys, and SVN addresses found in the package.

    Secure Compiler Options
      The description and result of the BIND_NOW, NX, and PIC check items, and the number of files that do not meet each requirement.

    Security Configurations
      The check items, issue severity, and results related to credential management, authentication, and session management.
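The Key and Info Leakage row above lists what the scanner looks for in a package. As an added example, not part of this page or of CodeArts Governance, the following Python script shows the technique behind such a check: extract printable strings from a binary the way strings(1) does, then match them against patterns for the same indicator types (Git addresses, SVN addresses, IP addresses, hard-coded keys, hard-coded and weak passwords). The patterns, the weak-password list and the sample blob are constructed for this example; a production rule set is far larger, and every hit still needs review, since version strings such as 2.4.1.7 also match the IP pattern.

```python
import re
from collections import Counter

# Minimum run length of printable ASCII to treat as a "string", as strings(1) does
MIN_LEN = 4

# Indicator patterns, constructed for this example (not the service's rule set).
PATTERNS = {
    "git_address": re.compile(r"git@[\w.-]+:[\w./-]+\.git|https?://[\w.-]+/[\w./-]+\.git"),
    "svn_address": re.compile(r"svn(?:\+ssh)?://[\w.-]+(?:/[\w.-]+)*"),
    # Version strings with four components (2.4.1.7) also match; review hits before reporting.
    "ip_address": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "hard_coded_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Group 1 captures the value after password=/passwd:/pwd= so it can be graded.
    "hard_coded_password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]{1,64})"),
}

# Tiny stand-in for a weak-password dictionary (constructed).
WEAK_PASSWORDS = {"123456", "12345678", "password", "admin", "admin123", "root", "qwerty"}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def scan_strings(strings) -> list[tuple[str, str]]:
    """Match each extracted string against the indicator patterns.
    Returns sorted, de-duplicated (finding_type, matched_text) pairs."""
    findings = set()
    for s in strings:
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(s):
                if kind == "hard_coded_password":
                    value = m.group(1)
                    # A hard-coded password that is also in the dictionary is reported as weak
                    kind_out = "weak_password" if value.lower() in WEAK_PASSWORDS else kind
                    findings.add((kind_out, value))
                else:
                    findings.add((kind, m.group(0)))
    return sorted(findings)


def scan_binary(data: bytes) -> list[tuple[str, str]]:
    """strings(1)-style extraction followed by pattern matching."""
    return scan_strings(extract_strings(data))


def summarize(findings) -> dict[str, int]:
    """Count findings per type, the per-type distribution a report would show."""
    return dict(Counter(kind for kind, _ in findings))


# Constructed sample "firmware" blob: binary noise around strings a build might
# accidentally ship. Not a real artifact.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + bytes(9)
    + b"config: db_password=admin123\x00"
    + b"https://gitlab.example.com/team/firmware.git\x00"
    + b"svn://svn.example.com/repos/trunk\x00"
    + b"upstream=10.20.30.40:8080\x00"
    + b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow\x00"
    + b"version 2.4.1\x00"
    + bytes(range(1, 32))
)

if __name__ == "__main__":
    for kind, text in scan_binary(SAMPLE_BLOB):
        print(f"{kind:20s} {text}")
    print(summarize(scan_binary(SAMPLE_BLOB)))
```

On a real package you would feed each extracted file (not just ELF binaries: scripts, configuration files and archives inside firmware images leak at least as often) through scan_binary and aggregate the summaries; the weak-password grading is where a dictionary and entropy checks would go in practice.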
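The Secure Compiler Options row reports BIND_NOW, NX and PIC per file. As an added example that is not part of this page or of CodeArts Governance, the following Python script reads those three flags directly from ELF64 headers: NX from the PT_GNU_STACK program header, BIND_NOW from the dynamic section (DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS, or DF_1_NOW in DT_FLAGS_1), and PIC from e_type == ET_DYN. It goes one step beyond the page's list and also reports PT_GNU_RELRO, because BIND_NOW only yields full RELRO in combination with it. build_elf constructs a minimal, non-runnable ELF image so the checker can be exercised without a compiler; the script name elfcheck.py in the usage line is hypothetical, and 32-bit or big-endian files are rejected rather than handled.

```python
import struct

# ELF64 constants from the System V ABI and the GNU extensions
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

EHDR = "<16sHHIQQQIHHHHHH"  # 64-byte little-endian ELF64 header
PHDR = "<IIQQQQQQ"           # 56-byte program header
DYN = "<qQ"                  # 16-byte dynamic-section entry


def analyze_elf(data: bytes) -> dict[str, bool]:
    """Report the hardening flags, read straight from the headers.

    NX       - PT_GNU_STACK present and not executable
    BIND_NOW - DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW set (GOT resolved at load time)
    PIC      - ET_DYN, i.e. position independent (PIE executable or shared object)
    RELRO    - PT_GNU_RELRO present; with BIND_NOW this is full RELRO (extra check)
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles little-endian ELF64 only")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    stack_flags = None
    relro = bind_now = False
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from(DYN, data, off)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_BIND_NOW
                        or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                    bind_now = True
    # A missing PT_GNU_STACK means the kernel falls back to an executable stack
    # on most architectures, so it counts as a failure too.
    nx = stack_flags is not None and not (stack_flags & PF_X)
    return {"NX": nx, "BIND_NOW": bind_now, "PIC": e_type == ET_DYN, "RELRO": relro}


def failed_checks(result: dict[str, bool]) -> list[str]:
    """Names of the checks that did not pass, as a report counts them per file."""
    return sorted(k for k, ok in result.items() if not ok)


def build_elf(pie: bool, nx: bool, bind_now: bool, relro: bool = False) -> bytes:
    """Construct a minimal (non-runnable) ELF64 image with the requested flags,
    so the checker can be exercised without a compiler. Constructed test input."""
    dyn = b""
    if bind_now:
        dyn += struct.pack(DYN, DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack(DYN, DT_FLAGS_1, (DF_1_PIE if pie else 0) | (DF_1_NOW if bind_now else 0))
    dyn += struct.pack(DYN, DT_NULL, 0)

    phnum = 3 if relro else 2
    dyn_off = 64 + phnum * 56  # dynamic table placed right after the program headers
    phdrs = struct.pack(PHDR, PT_DYNAMIC, PF_R | PF_W, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    phdrs += struct.pack(PHDR, PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16)
    if relro:
        phdrs += struct.pack(PHDR, PT_GNU_RELRO, PF_R, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 1)

    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian, v1, SysV ABI
    ehdr = struct.pack(EHDR, ident, ET_DYN if pie else ET_EXEC, 62, 1, 0x1000,
                       64, 0, 0, 64, 56, phnum, 0, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    import sys
    # Usage (hypothetical script name): python3 elfcheck.py /path/to/binary ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            result = analyze_elf(f.read())
        failed = failed_checks(result)
        print(f"{path}: {'FAIL ' + ','.join(failed) if failed else 'PASS'}")
```

To cross-check the script's verdict on a real file, compare it with `readelf -l` (the GNU_STACK line shows RWE for an executable stack, and GNU_RELRO appears when present) and `readelf -d` (FLAGS shows BIND_NOW, FLAGS_1 shows NOW and PIE). A package that fails these checks was linked without `-z noexecstack`, `-z now`/`-z relro` or `-fPIE -pie`, which is what a vendor needs to change rather than something a consumer can patch in the binary.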