Deployment Options

SourceClear Software Composition Analysis

Introduction

SourceClear is a set of technologies that helps teams use open-source safely while building secure software. The solution integrates transparently into the existing software development process with minimal change or impact. The SourceClear platform has a number of options to choose from and each option is designed for specific use cases. A typical enterprise deployment consists of a combination of these options that work together where options are chosen to match the team structure, team process, and existing toolchain.

SourceClear Web Platforms

Online Portal

The online portal is the heart of any SourceClear deployment and is where users analyze the issues that SourceClear identifies. The portal is hosted online at a custom domain called an Organization, which maps to a business unit or organization. See the organizations documentation for additional details and for how to create an organization.

SourceClear Vulnerability Database

The SourceClear Vulnerability Database is a resource for users to explore SourceClear's massive database of open-source libraries along with the growing list of vulnerabilities discovered and curated by SourceClear researchers. You can perform searches for specific libraries or vulnerabilities to find details. You can learn more about the Vulnerability Database in the SourceClear Vulnerability Database documentation.

SourceClear Scanning Agents

Command-Line Interface

The SourceClear command-line interface (CLI) is a command-line tool designed to be run from your desktop. You can install and run the CLI on Mac OS X or Linux; on Apple systems installation and updates use Homebrew, and a downloadable installer is provided for other operating systems. The CLI is designed for users who want to test their source code locally before pushing it to a continuous integration or continuous delivery platform, or who want to scan their code manually. The CLI reports basic results to standard output, or optionally in JSON format, and generates detailed and customizable results on the portal.

In general, if you can build or package a project with default options, the CLI can complete its analysis. If your software has a complex build process or requires advanced configuration, the CLI may not be able to complete its analysis; for example, it may fail when the build requires access to private repositories or environment-specific settings. The CLI is a one-time analysis tool: it does not automatically re-run when source code changes or the software is rebuilt. You can point the CLI at a local file system or at a Git URL; in the latter case it performs a shallow clone of the repository at that URL, runs the scan, and then deletes the cloned repository from your local file system.

Plugins for Build and Package Managers

SourceClear provides plugins for Maven and Gradle that are designed to run inside the team’s continuous integration or continuous delivery pipeline, or alternatively in local builds on a developer’s desktop. These plugins typically install and run automatically each time a build job executes, taking their configuration directly from the build definition files stored in the team’s source code management system.

Plugins for build and package managers are designed for teams and individual developers who are familiar with making configuration changes and want full control over their software build process. When used centrally as part of the continuous integration pipeline, the plugins allow teams to check the security quality of their open-source code every time code is built. When used locally, the plugins allow developers to check their local copy of the software for defects before committing changes to the team.

Build and package management plugins must be added explicitly to each project.

Plugin for Continuous Integration Servers

The continuous integration (CI) server agent runs on your network and plugs into your CI server. SourceClear provides a single cURL command that downloads the latest version of the agent and runs a scan; it works with any CI software running in a Linux-based environment.

The plugin for CI servers inherits the advantages and disadvantages of the plugins for build and package managers, with the added advantage that it reports directly into the reporting and alerting system the CI server already provides. The CI agent has numerous configuration options, since it shares its code base with the CLI agent.