Scan application dependencies for known vulnerabilities

2022/05/05

Lucent Sky AVM has three groups of analysis engines: binary analysis, source code analysis, and dependency analysis. Binary analysis and source code analysis scan the application itself for previously unknown vulnerabilities such as SQL injection, cross-site scripting, and weak encryption; each of these findings is categorized by a CWE ID. Dependency analysis, on the other hand, scans the application's dependencies for known vulnerabilities in open source and proprietary software products and components. A known vulnerability usually has a CVE ID and has at least one underlying CWE ID.

This article describes how to scan application dependencies for known vulnerabilities and configure the behaviors of dependency analysis.

In this article, you will learn how to:

  • Scan application dependencies for known vulnerabilities.
  • Configure the behaviors of dependency analysis.

At the end, you will be able to scan an application's dependencies for known vulnerabilities and to configure the behaviors of dependency analysis.

Scan application dependencies for known vulnerabilities

To scan an application's dependencies for known vulnerabilities, enable the Dependency vector in either application settings or scan settings.

When a known vulnerability is found, it is reported under its primary CWE ID if that CWE ID is enabled in the scan's weakness policies. If not, it is reported under CWE-1104: Use of Unmaintained Third Party Components. For example, if a scan identifies a component affected by CVE-2021-44228, the finding is categorized as CWE-502 when CWE-502 is enabled in the weakness policies, and as CWE-1104 otherwise. Keep this in mind when reading per-CWE counts: a weakness policy that disables the relevant CWE does not drop the finding, it only reclassifies it under CWE-1104.

Configure the behaviors of dependency analysis

In addition to dependency analysis, the dependency analysis engines also power advanced dependency discovery. Dependency discovery helps binary and source code analysis engines identify well-known software components, so they can be analyzed more efficiently. Advanced dependency discovery uses over 60 signals to accurately identify an application's dependencies. However, advanced dependency discovery does not work with all types of applications and might not work on some misconfigured applications. If advanced dependency discovery is not available, dependency analysis cannot be performed.

If the Dependency vector is not enabled for a scan, advanced dependency discovery is attempted first; if it is not available, the scan falls back to basic dependency discovery. If the Dependency vector is enabled, the scan fails when advanced dependency discovery is not available, because dependency analysis cannot run without it.

To explicitly use basic dependency discovery, set the DependencyDiscovery scan argument to basic. Since dependency analysis requires advanced dependency discovery, do not combine this setting with the Dependency vector.
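The two rules this page describes, how a known vulnerability is categorized under a CWE ID (from the section above) and how a scan settles on a discovery mode (this section), modeled together in Python as an added example. This is not Lucent Sky AVM code: the scanner's API, vulnerability feed and settings object are not shown on the page, so ScanSettings, run_scan, ScanConfigError, the catalog and the policy sets are assumptions, and the CWE mappings in the catalog are constructed for illustration (only the CWE-502 ordering for CVE-2021-44228 follows the page's example). Treating DependencyDiscovery=basic combined with the Dependency vector as a configuration error is an inference from the page's statement that dependency analysis needs advanced discovery, not documented product behavior.

```python
"""Model of the dependency-analysis behaviour described on this page.

Added illustration, not Lucent Sky AVM code. The scanner's real API, data
feed and internals are not shown on the page; the names below
(ScanSettings, run_scan, ScanConfigError, the catalog, the policy sets)
are assumptions made for this example."""
from dataclasses import dataclass

UNMAINTAINED = "CWE-1104"   # fallback category named on the page


class ScanConfigError(Exception):
    """The scan cannot proceed with the requested settings (assumed name)."""


@dataclass(frozen=True)
class ScanSettings:
    dependency_vector: bool                  # the Dependency vector (application or scan settings)
    dependency_discovery: str = "auto"       # DependencyDiscovery scan argument: "auto" or "basic"
    enabled_cwes: frozenset = frozenset()    # CWE IDs enabled in the scan's weakness policies


@dataclass(frozen=True)
class KnownVuln:
    cve_id: str
    cwe_ids: tuple   # primary CWE first; a known vulnerability has at least one


@dataclass(frozen=True)
class Finding:
    component: str
    cve_id: str
    category: str    # the CWE ID the finding is reported under


# Constructed catalog standing in for the real vulnerability feed. The CWE
# ordering for CVE-2021-44228 follows the page's example (CWE-502 primary);
# the other entries are illustrative, not an authoritative mapping.
VULN_CATALOG = {
    ("log4j-core", "2.14.1"): (KnownVuln("CVE-2021-44228", ("CWE-502", "CWE-917")),),
    ("openssl", "1.0.1f"): (KnownVuln("CVE-2014-0160", ("CWE-125",)),),
    ("jackson-databind", "2.13.4"): (),
}


def resolve_discovery_mode(settings, advanced_available):
    """Pick 'advanced' or 'basic' discovery, or fail the scan.

    Dependency analysis needs advanced discovery, so a scan that enables the
    Dependency vector cannot fall back to basic. Rejecting DependencyDiscovery=basic
    together with the Dependency vector is an assumption drawn from that rule.
    """
    if settings.dependency_discovery == "basic":
        if settings.dependency_vector:
            raise ScanConfigError("Dependency vector requires advanced dependency discovery")
        return "basic"
    if advanced_available:
        return "advanced"
    if settings.dependency_vector:
        raise ScanConfigError("advanced dependency discovery is not available for this application")
    return "basic"          # Dependency vector off: silently fall back


def categorize(vuln, enabled_cwes):
    """Primary CWE when the weakness policies enable it, else CWE-1104."""
    primary = vuln.cwe_ids[0]
    return primary if primary in enabled_cwes else UNMAINTAINED


def run_scan(components, settings, advanced_available, catalog=VULN_CATALOG):
    """Return (discovery_mode, findings). Matches exact versions only."""
    mode = resolve_discovery_mode(settings, advanced_available)
    findings = []
    if not settings.dependency_vector:
        return mode, findings          # dependency analysis is off for this scan
    for name, version in components:
        for vuln in catalog.get((name, version), ()):
            findings.append(Finding(f"{name}@{version}", vuln.cve_id,
                                    categorize(vuln, settings.enabled_cwes)))
    return mode, findings


def summarize(findings):
    """Count findings per reported CWE category."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed application manifest for the demo run.
    app = [("log4j-core", "2.14.1"), ("openssl", "1.0.1f"), ("jackson-databind", "2.13.4")]
    settings = ScanSettings(dependency_vector=True, enabled_cwes=frozenset({"CWE-502", "CWE-79"}))
    mode, findings = run_scan(app, settings, advanced_available=True)
    print(mode, summarize(findings))
```

With CWE-502 enabled, the log4j finding is reported as CWE-502 and the OpenSSL finding, whose primary CWE is not in the policy, lands under CWE-1104; with an empty policy both collapse into CWE-1104, which is why a CWE-1104 count on its own says little about what was actually found.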