SCA integration – needs additional action
This document provides an overview of the Software Composition Analysis (SCA) scanning process within Mixeway Flow, highlighting the differences from Static Application Security Testing (SAST), Secrets, and Infrastructure as Code (IAC) scans. It emphasizes the necessity of generating a Software Bill of Materials (SBOM) file to ensure accurate dependency tracking and scanning results.
In Mixeway Flow, SCA scanning operates differently from SAST, Secrets, and IAC scans, which typically require no additional configuration. Package managers such as NPM, Maven, and PIP let developers declare third-party dependencies with version ranges rather than exact versions, so the versions actually resolved at build time are not visible from the manifest alone. An SCA scan that reads only the source code would therefore be guessing at which versions are in use, and its results would drift between runs. Accurate SCA scanning needs the resolved dependency set as its input, which is why relying solely on source code is insufficient.
To use the SCA scanning capabilities of Mixeway Flow, generate an `sbom.json` file and commit it to the root directory of your repository. This file lists every dependency in your codebase together with its resolved version. When Mixeway Flow detects `sbom.json` in the repository root, it passes that file to Dependency-Track to perform the SCA scan. Because the scan covers exactly what the file lists, regenerate it whenever dependencies change (for example, in CI after the lock file is updated); a stale SBOM reports on libraries you no longer ship and misses the ones you added.
Generating the SBOM file can be accomplished through various methods, with one of the most convenient being the use of OWASP CycloneDX plugins. Below are links to the relevant plugins for different frameworks:
- Maven: [CycloneDX Maven Plugin](https://github.com/CycloneDX/cyclonedx-maven-plugin)
- NPM: [CycloneDX NPM Package](https://www.npmjs.com/package/@cyclonedx/cyclonedx-npm)
- PIP: [CycloneDX BOM for PIP](https://pypi.org/project/cyclonedx-bom/)
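The following script is an added example, not tooling shipped by Mixeway Flow or by the CycloneDX projects: it wraps the three plugins linked above so that each writes `sbom.json` to the repository root, and it adds a sanity check that the file is a CycloneDX JSON document with a components list before it is committed. The plugin goals and flags are those documented by the CycloneDX projects at the time of writing and are assumptions to confirm against each tool's `--help`; the check deliberately uses only `grep` so it runs anywhere the commit happens.

```shell
#!/bin/sh
# Added example: generate a CycloneDX SBOM for the current repository and place
# it as sbom.json in the repository root, where Mixeway Flow expects it.
# Plugin flags are assumptions taken from the CycloneDX plugin documentation;
# confirm with --help if a newer plugin version changes them.
set -eu

# Maven: the plugin writes target/bom.json (plus bom.xml); copy the JSON to the root.
gen_sbom_maven() {
    mvn -q org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom -DoutputFormat=json
    cp target/bom.json sbom.json
}

# NPM: the plugin reads package-lock.json, so the SBOM carries resolved
# versions rather than the ranges declared in package.json.
gen_sbom_npm() {
    npx --yes @cyclonedx/cyclonedx-npm --output-format JSON --output-file sbom.json
}

# PIP: describe the active (virtual) environment, i.e. the versions actually installed.
gen_sbom_pip() {
    cyclonedx-py environment --output-format JSON --output-file sbom.json
}

# Sanity check before committing: the file must exist, declare bomFormat
# "CycloneDX" and contain a components list. Returns 0 if usable, 1 otherwise.
check_sbom() {
    f="${1:-sbom.json}"
    [ -f "$f" ] || { echo "check_sbom: $f not found" >&2; return 1; }
    grep -q '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$f" \
        || { echo "check_sbom: $f is not a CycloneDX JSON document" >&2; return 1; }
    grep -q '"components"[[:space:]]*:' "$f" \
        || { echo "check_sbom: $f lists no components" >&2; return 1; }
    return 0
}

# Pick the generator from the project file found in the repository root,
# then verify the result. Fails if no supported ecosystem is detected.
gen_sbom() {
    if [ -f pom.xml ]; then
        gen_sbom_maven
    elif [ -f package.json ]; then
        gen_sbom_npm
    elif [ -f requirements.txt ] || [ -f pyproject.toml ]; then
        gen_sbom_pip
    else
        echo "gen_sbom: no pom.xml, package.json, requirements.txt or pyproject.toml found" >&2
        return 1
    fi
    check_sbom sbom.json
}

# Usage: run this script from the repository root with "run" as the argument
# (e.g. as a CI step after dependencies are updated), then commit sbom.json.
case "${1:-}" in
    run) gen_sbom ;;
esac
```

Running the script as a CI step keeps `sbom.json` in step with the lock file, so the Dependency-Track scan behind Mixeway Flow sees the same versions the build actually uses.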
By following these guidelines and utilizing the appropriate tools, developers can ensure that their SCA scans are accurate and effective, ultimately enhancing the security and reliability of their applications.