Development of microservice for comparing software composition analysis tool


Bibliographic Details
Main Author: Chua, Benjamin Rui Hern
Other Authors: Liu Yang
Format: Final Year Project
Language: English
Published: Nanyang Technological University 2020
Online Access:https://hdl.handle.net/10356/138792
Institution: Nanyang Technological University
Description
Summary: There is a growing number of open source libraries, and they are commonly used within projects today to reduce the workload of software developers. However, the risk that comes with using open source libraries is that vulnerabilities are commonly found within them, owing to their open source nature. The purpose of Software Composition Analysis (SCA) tools is to address this issue: an SCA tool provides a list of the dependencies used within a project together with any vulnerabilities associated with them. There are currently multiple SCA tools on the market, such as Scantist, Snyk, Whitesource and Blackduck, all claiming to provide accurate results. This project focused on building a microservice to automate the scanning of repositories across multiple SCA tools on the market. Projects were then scanned, and the results were compared to determine the similarity among the results of the Software Composition Analysis tools. The project was split into three main portions: obtaining the repository to scan, scanning the repository through the SCA tools, and finally obtaining and parsing the results into the desired format. The comparison used repositories that use specific package managers, namely RubyGems, NPM and Maven. These projects were scanned using the microservice to obtain results across the SCA tools. The results were then compared by finding the number of dependencies and vulnerabilities that were common among the SCA tools' results.