Detection Target (applies to every column below): Using XSBOM to provide global real-time digital supply chain intelligence, SCA automatically combs through the third-party component assets in digital applications and reviews them for known vulnerabilities, malicious code, and license compliance risks.

| | Source code files | Source code snippets | Binaries | Container images | Runtime applications | Full supply chain |
|---|---|---|---|---|---|---|
| Detection Object | Code repositories, feature files of local source code projects, and source code files | Code snippets from code bases and local source code projects, and function-level code features | Mobile applications (Android/iOS), IoT firmware, embedded systems, etc. | Docker images and OCI-standard images | During application execution, runtime instrumentation detects the third-party components the application actually loads | Source code, binaries, container images, source code fragments, runtime applications, and more |
| Detection Scenario | Development and testing phase | Development and testing phase | Delivery and procurement phase | Delivery and procurement phase | Testing and online operation phase | Full supply chain stage |
| Core Competencies | Supports multiple detection methods: dynamic simulation of the build environment, static feature files, exact hash matching, project-structure similarity detection, and vulnerability exploit chain reachability verification | Code fingerprint databases are synchronized in real time with open source code hosting platforms; analyzes the similarity between code fragments in user projects and open source projects, including whether AI-generated code poses an infringement risk | Parses a wide range of compression and file formats; detects risks in a large number of common components, SDKs, and firmware of vehicle systems | Builds layered image dependency graphs; detects malicious components and malware, backdoor/escape risks, and sensitive information | Dynamic component discovery: third-party component versions are identified by monitoring the files the process loads | Full lifecycle SBOM management; delivers high-value intelligence in real time, such as vulnerability fixes and mitigation plans, license compliance interpretation, and supply chain poisoning alerts |
| Detection Difficulty | Medium: source code files contain complete information, so results are more interpretable and accurate. Simulating the customer's local build environment and project-structure similarity detection have a high technical threshold | High: when third-party projects are introduced during development, the code is often refactored (variable renaming, logically equivalent substitutions); Source SCA extracts features at the code-semantics level to suppress surface syntax differences, with industry-leading detection accuracy | High: places higher demands on detection algorithms; the feature database must be continuously maintained and optimized, with dedicated collection of common components, SDKs, vulnerabilities, and malware for file objects such as mobile applications and firmware | High: beyond parsing the standard metadata of image configuration files, Source SCA integrates source-dependency SCA and binary SCA, enabling in-depth detection of self-developed and customized enterprise software | High: runtime monitoring technology inspects third-party components as the running program loads them, supporting runtime reachability verification with high detection accuracy | High: the "five analysis engines" and full-cycle SBOM management are linked with open source digital supply chain security intelligence to achieve real-time risk warning at hourly granularity |
| Technical Characteristics | Source code is required; in some scenarios customers cannot provide it, e.g. vendor-developed software | Source code is required; in some scenarios customers cannot provide it, e.g. vendor-developed software | No source code required; binary files are uploaded, which is less intrusive and carries little data security risk | No source code required; the container image file is uploaded | No source code required; easy to integrate, monitor, and remediate alongside the application | Must be linked with digital supply chain security intelligence; high-efficiency scenarios require real-time online updates |
| Industry Value | Avoids introducing vulnerabilities, supply chain poisoning, and license compliance risks in the development stage | IP compliance and supply chain transparency | Meets high security requirements such as Internet of Vehicles and Industrial IoT | Secure cloud-native delivery | Ensures equipment operational compliance | Digital supply chain intelligence responds in a timely manner; compliance and supply chain transparency are achieved |
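As an added example (not the vendor's code and not from this page), the script below sketches two of the detection methods the table lists: exact hash matching of files against a component fingerprint database, and runtime component discovery that identifies third-party component versions from the files a running process loads. All component names, versions, file contents and the advisory ID are constructed placeholders, and `sys.modules` stands in for the file-load monitoring a real runtime agent would perform.

```python
"""Added example: file-hash SCA plus runtime component discovery.

Not the vendor's code; every component, version and advisory below is a
constructed placeholder used only to make the script self-contained.
"""
import hashlib
import importlib.util
import os
import sys
import tempfile

# Constructed "known component" corpus: (component, version, file content).
# A real fingerprint database would be built from open source releases.
KNOWN_COMPONENTS = [
    ("examplelib", "1.0.0", b"VERSION = '1.0.0'\n\ndef hello():\n    return 'hi from 1.0.0'\n"),
    ("examplelib", "1.1.0", b"VERSION = '1.1.0'\n\ndef hello():\n    return 'hi from 1.1.0'\n"),
    ("otherlib", "2.3.1", b"def helper(x):\n    return x * 2\n"),
]

# Constructed advisory data keyed by (component, version); placeholder IDs.
ADVISORIES = {
    ("examplelib", "1.0.0"): ["ADV-PLACEHOLDER-0001"],
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_fingerprint_db(corpus=KNOWN_COMPONENTS) -> dict:
    """Map sha256(file content) -> (component, version)."""
    return {sha256_bytes(content): (name, ver) for name, ver, content in corpus}


def match_file(path: str, db: dict):
    """Return (component, version) if the file's exact hash is in the database."""
    with open(path, "rb") as fh:
        return db.get(sha256_bytes(fh.read()))


def scan_tree(root: str, db: dict) -> dict:
    """Static scan: hash every file under root, return {relpath: (comp, ver)}."""
    found = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            hit = match_file(full, db)
            if hit:
                found[os.path.relpath(full, root)] = hit
    return found


def discover_loaded_components(db: dict) -> dict:
    """Runtime discovery: hash the file behind every module this process has
    imported and match it against the database. The files a process loads are
    what a runtime SCA agent observes; sys.modules is the stand-in used here."""
    found = {}
    for name, module in list(sys.modules.items()):
        path = getattr(module, "__file__", None)
        if not path or not os.path.isfile(path):
            continue
        hit = match_file(path, db)
        if hit:
            found[name] = hit
    return found


def advisories_for(matches: dict, advisories=ADVISORIES) -> dict:
    """Join matched components against the advisory table."""
    return {k: advisories[v] for k, v in matches.items() if v in advisories}


def demo() -> dict:
    """Write a constructed app tree, scan it statically, import one vendored
    file, then discover it at runtime. Returns both result sets."""
    db = build_fingerprint_db()
    app = tempfile.mkdtemp(prefix="sca_demo_")
    vendored = os.path.join(app, "vendor", "examplelib.py")
    os.makedirs(os.path.dirname(vendored))
    with open(vendored, "wb") as fh:
        fh.write(KNOWN_COMPONENTS[0][2])  # vendored copy of examplelib 1.0.0
    with open(os.path.join(app, "app.py"), "wb") as fh:
        fh.write(b"print('first-party code, no fingerprint match')\n")

    static_hits = scan_tree(app, db)

    # Simulate the application loading the vendored component at runtime.
    spec = importlib.util.spec_from_file_location("vendored_examplelib", vendored)
    mod = importlib.util.module_from_spec(spec)
    sys.modules["vendored_examplelib"] = mod
    spec.loader.exec_module(mod)
    runtime_hits = discover_loaded_components(db)

    return {
        "static": static_hits,
        "runtime": runtime_hits,
        "advisories": advisories_for({**static_hits, **runtime_hits}),
    }


if __name__ == "__main__":
    for section, rows in demo().items():
        print(section, rows)
```

Exact hash matching only identifies files copied unmodified, which is precisely the gap the table's "high difficulty" snippet column describes: a renamed variable or an equivalent rewrite changes the hash, so matching refactored code needs the semantic-level features the page mentions rather than a byte-for-byte digest.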