Home
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
About Software Composition Analysis
Software Composition Analysis (SCA) identifies and examines open-source packages within your codebase to detect potential security vulnerabilities. SCA can analyze both individual source code files and package manager artifacts, such as configuration files, and lockfiles, to determine the open-source packages your project depends on.
SCA workflow and best practices
Overview of steps for Software Composition Analysis scanning and best practices

Getting started
Welcome to the documentation for HCL AppScan on Cloud, where you can find information about how to install, maintain, and use this service.
Navigation
This section describes the items on the main AppScan on Cloud menu bar, with links to more detailed information.
Administration
Define users, applications, policies, and configure DevOps integrations.
Dynamic analysis
AppScan on Cloud performs security scans for web-applications for production, staging and development environments. For development environments it is aided by Private Site Scanning technology to scan applications not accessible to the open Internet.
Interactive monitoring
Using an agent installed on your application, ASoC identifies security vulnerabilities in your application during runtime by monitoring all interactions, both legitimate and malicious. The process is "passive," in the sense that IAST does not send its own tests, and can therefore run indefinitely.
Software Composition Analysis
Use Software Composition Analysis (SCA) to scan for security vulnerabilities in open source and third-party packages used by your code. SCA includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
- About Software Composition Analysis
  Software Composition Analysis (SCA) identifies and examines open-source packages within your codebase to detect potential security vulnerabilities. SCA can analyze both individual source code files and package manager artifacts, such as configuration files, and lockfiles, to determine the open-source packages your project depends on.
  - SCA workflow and best practices
    Overview of steps for Software Composition Analysis scanning and best practices
- System requirements for SCA
  The types of files that can be scanned by ASoC when you perform open source testing.
- Scanning libraries and third-party code for security vulnerabilities
  To scan open source libraries and third-party code for security vulnerabilities, follow the steps in these topics.
- SCA scan results
  Features available in SCA scan results.
Static analysis
Use static analysis (SAST) to scan for security vulnerabilities in web and desktop applications. Static analysis includes Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA).
Results
The Scans and Sessions page lists the scans under the categories DAST, SAST, SCA, and IAST, where you can view your scan results, including scan statistics. To view, rescan, or download reports, select a scan.
Troubleshooting
If you experience problems with this service, you can perform these troubleshooting tasks to determine the corrective action to take.
FAQ & Reference
Frequently asked questions, information about integrating ASoC into the product lifecycle (SDLC), and ASoC API documentation.

SCA workflow and best practices

Overview of steps for Software Composition Analysis scanning and best practices

The general steps for performing SCA scanning are as follows. Additional steps may be required to meet your scanning goals.

Note: Users must be assigned an appropriate role to perform SCA scanning. If you are unsure whether your user role has appropriate permissions, consult your organization's ASoC Administrator.

Create an application.
Decide which mechanism you will use to prepare files for scanning and set it up accordingly:
- Static Analyzer Command Line Utility
- AppScan Go!
- a supported plugin
Generate an IRX using your preferred method.
Create and configure a scan.
Review scan preferences.
Run the scan.
Review results.
Triage and remediate issues.
Repeat steps three through eight as needed.

Best practices

By following these best practices, you can optimize the effectiveness of SCA in identifying and mitigating vulnerabilities within your project's open-source components:

For projects utilizing package managers, SCA can construct a detailed dependency tree, offering insights into both direct and transitive dependencies. Scanning package manager configuration files yields more accurate results than scanning source files alone, as most dependencies are resolved only after the project is built using the package manager.
Note: Location of packages sourced in configuration scanning will point to the configuration files and not the physical location of the libraries.
When only package management files are present (no lockfiles), the AppScan CLI attempts to build the project using available local build tools to ensure all dependencies are resolved. It is always better to build your own projects.
If no configuration files and lockfiles are detected, SCA default to best effort scanning, utilizing individual source files by hashing each file and comparing it against known data sources.