SourceClear Overview

SourceClear Software Composition Analysis

What SourceClear Does

SourceClear checks the open-source libraries used in your code repositories for known vulnerabilities. By resolving dependencies through the same native build tools and package managers that manage those libraries, SourceClear identifies the exact library versions in use, reports the vulnerabilities that affect them, and provides fix information for each one.

How SourceClear Does It

Developers can run SourceClear on their desktop or on a continuous integration server. The SourceClear agent scans an application by building it with its native build tool or package manager and constructing a call graph of the entire application, covering both direct and transitive dependencies. When the agent finds a vulnerable library, SourceClear determines whether the application actually calls the vulnerable part of that library, identifies the vulnerable methods involved, and returns a full stack trace showing which line of your code calls each vulnerable method. Details of this process, and of what the agent collects from your environment during a scan, are in Evidence Collection.
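The reachability check described above, as an added illustration that is not SourceClear's code: it builds a call graph from constructed application source with Python's ast module, then walks it from an entry point to decide whether a flagged library method is reached, and if so reports the call chain ending at the offending line. The application source, the hypothetical library yamllib and the flagged method yamllib.load are all constructed for the example.

```python
import ast
from collections import defaultdict, deque

# Constructed application source standing in for a scanned repository (not a real project).
# "yamllib" is a hypothetical library; "yamllib.load" is the method flagged as vulnerable.
APP_SOURCE = '''
import yamllib

def load_config(path):
    with open(path) as f:
        return yamllib.safe_load(f.read())

def render_report(blob):
    # Reaches the flagged method only through this helper, i.e. transitively.
    return yamllib.load(blob)

def admin_import(blob):
    return render_report(blob)

def main():
    cfg = load_config("app.yaml")
    return cfg
'''

# Constructed vulnerable-method record; a real database maps library versions to such methods.
VULNERABLE_METHODS = {"yamllib.load"}


def _call_name(func):
    """Return a dotted name for the callee expression, or None if it is not a plain name."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _call_name(func.value)
        return f"{base}.{func.attr}" if base else None
    return None


def build_call_graph(source):
    """Map each top-level function to the names it calls, remembering the line of each call."""
    graph = defaultdict(set)
    call_lines = {}
    for node in ast.parse(source).body:
        if not isinstance(node, ast.FunctionDef):
            continue
        for sub in ast.walk(node):
            if isinstance(sub, ast.Call):
                callee = _call_name(sub.func)
                if callee:
                    graph[node.name].add(callee)
                    call_lines.setdefault((node.name, callee), sub.lineno)
    return graph, call_lines


def reachable_vulnerable_calls(source, entry, vulnerable=VULNERABLE_METHODS):
    """Breadth-first walk from `entry`; returns {flagged method: call chain ending at the call site}."""
    graph, call_lines = build_call_graph(source)
    hits = {}
    seen = {entry}
    queue = deque([(entry, [entry])])
    while queue:
        fn, path = queue.popleft()
        for callee in sorted(graph.get(fn, ())):
            if callee in vulnerable:
                line = call_lines[(fn, callee)]
                hits.setdefault(callee, path + [f"{callee} (line {line})"])
            elif callee in graph and callee not in seen:
                seen.add(callee)
                queue.append((callee, path + [callee]))
    return hits


if __name__ == "__main__":
    for entry in ("main", "admin_import"):
        hits = reachable_vulnerable_calls(APP_SOURCE, entry)
        status = "REACHABLE" if hits else "not reachable"
        print(f"{entry}: vulnerable method {status}")
        for method, chain in hits.items():
            print("  " + " -> ".join(chain))
```

Run from `main`, the walk never reaches `yamllib.load` (only the unflagged `yamllib.safe_load`), so the library would be reported as present but the vulnerable method as unused; from `admin_import` it reports the chain `admin_import -> render_report -> yamllib.load (line 10)`, the kind of trace a developer needs to locate the fix.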

What SourceClear Knows

When SourceClear identifies the direct and transitive open-source libraries in your code, it provides substantial information, including, but not limited to, the following:

  • Vulnerability write-ups
  • Vulnerability exploit code
  • Fixed library versions
  • Outdated libraries in use
  • Indication of whether the vulnerable part of the library is being used, and where it is being used in your code

SourceClear draws this information from the SourceClear Vulnerability Database, which it populates by discovering vulnerabilities in a variety of ways. To read more about these discovery methods, see the science behind it.

The SourceClear Research Process

SourceClear uses multiple methods to identify open-source libraries, choosing per language and package manager according to accuracy and availability. These methods include build coordinates, SHA-2 file hashes, proprietary byte-code hashes, and file names.

For each identified library, SourceClear reports vulnerabilities from its vulnerability database. That database is built using machine learning and natural language processing over a variety of public sources that contain information about open-source libraries, including NVD, GitHub commits, GitHub issues, Jira boards, Bugzilla, mailing lists, vendor advisory lists, and other security-relevant websites and discussion boards. Because of this approach, SourceClear can identify vulnerabilities that have not yet been reported by the NVD in addition to those that already have.

The SourceClear research team reviews every item flagged by the machine learning model, examines the code where the potential vulnerability was found, and confirms whether it is a vulnerability. Once confirmed, SourceClear adds a CVSS score, a description of the vulnerability, and remediation advice to the database.
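Two of the identification methods named above, build coordinates and SHA-2 file hashes, followed by a lookup against a vulnerability database that carries affected ranges, fixed versions and a CVSS score, as an added example that is not SourceClear's code or data. The lockfile content, the vendored file bytes, the hash index and the database records (libraries yamllib, pngparse and webclient, identifiers EXAMPLE-0001 and EXAMPLE-0002) are all constructed for the example.

```python
import hashlib
import re

# Constructed vulnerability records in the shape the page describes (not SourceClear data).
# "affected" is [first vulnerable, first fixed) in dotted version form.
VULN_DB = [
    {"id": "EXAMPLE-0001", "library": "yamllib", "affected": ("5.0", "5.4"),
     "fixed": "5.4", "cvss": 9.8, "method": "yamllib.load",
     "summary": "unsafe deserialization of untrusted input"},
    {"id": "EXAMPLE-0002", "library": "pngparse", "affected": ("1.0", "1.2.3"),
     "fixed": "1.2.3", "cvss": 7.5, "method": "pngparse.decode_chunk",
     "summary": "out-of-bounds read on a crafted chunk length"},
]

# Constructed file bytes standing in for a library checked into the repo without coordinates.
VENDORED_FILE = b"# pngparse 1.1.0 vendored copy\n"
# Hash index: SHA-256 of a known library file -> its coordinates (constructed for the example).
HASH_INDEX = {hashlib.sha256(VENDORED_FILE).hexdigest(): ("pngparse", "1.1.0")}

# Constructed pip-style lockfile content; build coordinates are name==version pairs.
LOCKFILE = """\
yamllib==5.3.1
webclient==2.31.0
"""


def parse_version(v):
    """Dotted numeric version -> tuple of ints, so ranges compare numerically (5.10 > 5.9)."""
    return tuple(int(p) for p in v.split("."))


def parse_lockfile(text):
    """Extract (name, version) coordinates from 'name==version' lines; ignore anything else."""
    coords = []
    for line in text.splitlines():
        m = re.fullmatch(r"\s*([A-Za-z0-9_.-]+)==([0-9.]+)\s*", line)
        if m:
            coords.append((m.group(1), m.group(2)))
    return coords


def identify_by_hash(blob):
    """Identify a library file that has no coordinates by its SHA-256 digest."""
    return HASH_INDEX.get(hashlib.sha256(blob).hexdigest())


def find_vulnerabilities(coords):
    """Match identified libraries against the database; report the fixed version per finding."""
    findings = []
    for name, version in coords:
        v = parse_version(version)
        for rec in VULN_DB:
            lo, hi = (parse_version(x) for x in rec["affected"])
            if rec["library"] == name and lo <= v < hi:
                findings.append({"library": f"{name}@{version}", "id": rec["id"],
                                 "cvss": rec["cvss"], "method": rec["method"],
                                 "upgrade_to": rec["fixed"]})
    return findings


def scan(lockfile_text, vendored_blobs):
    """Combine coordinate-based and hash-based identification, then look up vulnerabilities."""
    coords = parse_lockfile(lockfile_text)
    for blob in vendored_blobs:
        hit = identify_by_hash(blob)
        if hit:
            coords.append(hit)
    return find_vulnerabilities(coords)


if __name__ == "__main__":
    for f in scan(LOCKFILE, [VENDORED_FILE]):
        print(f"{f['library']}: {f['id']} (CVSS {f['cvss']}), "
              f"vulnerable method {f['method']}, upgrade to {f['upgrade_to']}")
```

The hash path matters for libraries copied into a repository by hand, where no manifest records a version; a file whose digest is not in the index stays unidentified rather than being guessed from its file name, which is the least reliable of the methods listed.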

For more information on how to get started with SourceClear, see the list of Deployment Options.