Focus

Prisma Cloud Application Security Administrator's Guide

Software Composition Analysis (SCA)

Table of Contents

Software Composition Analysis (SCA)

Software Composition Analysis (SCA) empowers you with information on open source software used in source code that has the potential to expose your organization to critical vulnerabilities, license compliance or legal and compliance issues. On Prisma Cloud, you can view the latest contextualized SCA information from continuous scans across all your integration integrations of IDE, VCS repositories and CI/CD pipelines.

Open source software is a prebuilt code available publicly for direct use, modification or enhancement into any code. To use an open source software in your environment often requires you to use an open source package manager, which is a combination of files and metadata that help you describe how the code should be used. Parallelly, to ensure better performance, stability and security,open source package managers are continuously updated to the latest version. Once the open source code definition is set in your code, the scans begin at the Development lifecycle, where every package manager file in your integration is scanned automatically for any security violation or vulnerabilities before deploying it to development pipelines. All scan results are then analyzed using Intelligence Stream, an in house package vulnerability database to give you information on security vulnerabilities found in the open source package manager that are viewable on the Prisma console.

The SCA vulnerabilities scan results include:

Bill of Materials (BOM)

Bill of materials (BOM) or software bill of materials (SBOM) is a contextualized inventory of open source packages and third-party components your source code utilizes. SBOM includes information on versions, licenses and vulnerabilities of the components that comprise your application’s source code, helping you make legal and risk assessments of your application. On the Prisma Cloud console you can view the SBOM reports on Application Security > Development Pipelines
where the reports are specific to runtime resources.

Dependency Graph

Open source software often includes packages with dependencies, thus creating an endless loop of complex interdependencies leading to a black box of security vulnerabilities. A dependency graph analyzes these interdependencies while also identifying direct dependencies between the packages. Information on direct dependency helps you in identifying where there are vulnerabilities outside of the root dependency enabling you to make informed security decisions.

On the Prisma Cloud console, this graph is best visualized on Application Security > Supply Chain
where every sub-dependency has contextualized information available on Resource Explorer.

License compliance

For every available open source software, there are licenses that define how to use, modify and enhance the open source code. The license grants user permissions and rights to repurpose the code into another code. Prisma Cloud scans for compliant licenses using industry standards to identify any restrictive licenses as violations. There are two ways you can identify license vulnerabilities on Prisma Cloud.

Firstly, during code development you can run a Checkov scan and secondly, on the Prisma Cloud console from Application Security > Projects
. On the console using the contextualized information for license issues on Resource Explorer you can make an informed decision to suppress the violation. For more information see Licensing in Software Composition Analysis (SCA).

Remediation

You can automatically remediate SCA open source package vulnerabilities on the Prisma Cloud console by bumping a package version of direct and sub-dependent packages by creating a pull request to your VCS. A package bump suggestion includes the minimum version of the root package that remediates both direct dependency and sub-dependency vulnerabilities.

TThe vulnerabilities identified across the scan results are seen across multiple sections of the Prisma Cloud console and are contextualized to help you with vulnerability management.

Software Composition Analysis

For each vulnerability identified in an SCA scan, Prisma Cloud contextualizes it as a CVE (Common Vulnerabilities and Exposures) for open source package managers. CVE is publicly available information on cybersecurity vulnerabilities and exposures often listed by Mitre corporation. Each CVE has an ID that uniquely identifies one vulnerability from the list. In addition to the CVE ID, on Prisma Cloud you can view CVSS (Common Vulnerability Scoring System), an open framework for calculating the severity of software vulnerabilities defined by NIST. With CVE ID, CVSS, package name and version, Prisma Cloud also gives you Risk Factors to help you with your vulnerability management that is associated with each scanned package and have seven defined categories..

Risk Factor	Description
Remote execution	This helps you understand if the vulnerability is exploitable to run arbitrary code.
DoS	This helps you understand if the package is vulnerable to Denial-of-Service attacks, like buffer overflow attacks, ICMP floods and so on.
Recent vulnerability	This helps you identify when the vulnerability was previously reported.
Exploit exists	Helps you recognize if the code and procedures to exploit the vulnerability are publicly available.
Attack complexity	This helps you understand if the vulnerability is easily exploitable.
Attack vector	This helps you understand if the vulnerability is remotely exploitable for being bound to the network and identify if there are any threats through the network.
Reachable from the internet	This helps you understand if the vulnerability exists in a container that is exposed to the internet.

You can view the SCA scan results on:

Integrations

You can monitor SCA scan results in your development lifecycle through integrations of development environments (IDEs) where scan results are in line with package manager files as you code, helping you commit secure code before deployment. In version control system (VCS) integrations with GitHub and GitLab, vulnerability findings are accessible in pull requests that include information on the CVE ID, severity, CVSS score and the minimum package version to remediate the vulnerability.

Checkov

During your code development or through a CI/CD pipeline you can identify SCA violations in vulnerabilities and licenses by running Checkov. By running Checkov you can natively scan all your files or choose to specifically identify SCA violations by using --framework sca_package. In this example, you see the scan result of a Checkov run for an SCA scan.

Projects

During periodic scans on Prisma Cloud the SCA scan results are updated and contextualized for monitoring and remediating package vulnerabilities identified in the source code on Application Security > Projects
. To view results exclusively for SCA scan results enable Category
- Vulnerability
.

The contextualized information for each package is available on the Resource Explorer. The scan results outline direct and sub-dependency packages in the source code to help you make informed decisions for each type of package. In this example, you see the scan result of a direct dependency package with contextualized information of a package vulnerability in Resource Explorer > Errors
.

In this example, you see the scan result of a sub-dependency package with contextualized information of a package vulnerability in Resource Explorer > Errors
.

Supply Chain
For a deeper understanding of sub-dependent packages, view the dependency tree on Application Security > Supply Chain
. On Supply Chain, Prisma Cloud visualizes the package dependency tree and provides you with contextual information on each identified package and vulnerability on Resource Explorer.

Remediate vulnerabilities for SCA

Remediation for SCA scan results can be performed on the console from Projects and Supply Chain.

Projects

For identified package vulnerabilities, especially packages with direct dependencies, Prisma Cloud provides an automated fix solution for bumping the package version. Additionally, if there are vulnerabilities found in sub-dependency packages, Prisma Cloud offers a solution to bump the root version of the package to the nearest secure version, irrespective of the source of vulnerability.

Access Application Security > Projects
and then filter a repository using .

Select Category
- Vulnerability
to view SCA errors.

Select the package to remediate.

The console displays a notification informing you on the minimum package version available for bumping. The suggestion ensures the bumping does not contain any vulnerability and minimizes chances of breaking code in packages.

In this example of a direct dependency package, you see the notification displaying “1/1 security vulnerabilities can be fixed by a bump from v5.1.2 to v5.2.2”.

For vulnerabilities found in a sub-dependency package, a bump fix suggestion will also highlight other vulnerabilities that will be remediated.

In this example, you see “8/10 security vulnerabilities can be fixed by a bump from v3.2.8 to v3.2.13”
notification highlighting the other seven vulnerabilities that will be remediated with the minimum version change.

Select Fix
.

Select Submit
to enable the fix solution.

Supply Chain

As a remediation for sub-dependent packages, you can view and analyze the dependency tree on Application Security > Supply Chain
. If the packages have direct dependencies irrespective of their placement in the dependency tree, Prisma Cloud offers solutions to these vulnerabilities. Here you can also choose to remediate the vulnerability by submitting a single PR (Pull Request) for all packages with vulnerabilities on the graph.

Access Application Security > Supply Chain
and then select Repository filter to view the dependency tree.

Select packages to view the corresponding information on Resource Explorer.

Select Submit a Pull Request
to submit a single PR for all identified vulnerabilities.

Suppress vulnerabilities for SCA

Every identified vulnerability in an SCA scan can be suppressed on the console from Projects. Suppressing a vulnerability absolves the next scan from identifying it through a suppression rule. The suppression rule must have a definitive explanation indicating the non-conformance to be not problematic.

Access Application Security > Projects
and then select Category
- Vulnerability
.

Select the vulnerability to suppress.