Overview

Datadog Software Composition Analysis (SCA) helps you leverage open source with confidence. The capabilities of SCA include vulnerability detection, business risk (library inventory and licensing information), and quality evaluation of the open source libraries in your services.

What makes Datadog SCA unique is its end-to-end coverage of your software development lifecycle: from the code that your developers commit, to the production applications already running in your Datadog deployment.

Datadog SCA uses a curated proprietary database. The database is sourced from Open Source Vulnerabilities (OSV), National Vulnerability Database (NVD), GitHub advisories, and other language ecosystem advisories. Additionally, the Datadog Security research team evaluates vulnerabilities and malware findings. For more information, see the GuardDog GitHub project.

Check ASM Compatibility to see if your service is supported.

Library Inventory

The Datadog SCA Library Inventory helps you understand the list of libraries, and their versions, that compose your application. To access the Library Explorer, navigate to Security > Application Security > Catalog > Libraries.

Since Datadog SCA covers your software development lifecycle end-to-end, libraries are detected throughout the entire lifecycle of the application. The library inventory contains everything you need to know about each library, including its name and version, as well as risk aspects such as licensing and quality.

Software Composition Analysis (SCA) library explorer page showing library vulnerabilities grouped by library.

Explore and manage SCA vulnerabilities

Datadog Software Composition Analysis can find vulnerable libraries across the software development lifecycle (SDLC). Application Security summarizes results found in the default branches of your repositories and in your running services. To view vulnerabilities found in different branches and commits, see Code Analysis for more details.

The Vulnerability Explorer shows a complete list of the open source libraries detected by Datadog SCA and reports security vulnerabilities associated with them.

Datadog SCA leverages two techniques to analyze your services:

  • Static code analysis in your repositories (static point of view)
  • Runtime analysis in your deployed services (runtime point of view)

Combining both techniques monitors open source libraries end-to-end, from the code repository commit (static point of view), to the applications running in production (runtime point of view).
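To make the two points of view concrete, here is an added illustrative example (not Datadog's code or its matching algorithm): it builds a library inventory from a constructed lockfile (static view) and from a constructed set of packages observed in a running process (runtime view), then matches both against constructed OSV-style advisories. The advisory IDs, package versions and version-range rule are all assumptions made for the example.

```python
"""Toy SCA pass: inventory from a static manifest and from runtime-observed
packages, each matched against advisories. Illustrative only, not Datadog's
implementation; every input below is constructed for the example."""
import re

# Constructed lockfile content (static point of view: what the repo declares).
LOCKFILE = """\
requests==2.25.0
urllib3==1.26.4
jinja2==3.1.2
"""

# Constructed runtime inventory (runtime point of view: what the process loaded).
# Note the transitive dependency pyyaml, which the lockfile does not mention.
RUNTIME = {"requests": "2.25.0", "urllib3": "1.26.5", "pyyaml": "5.3"}

# Constructed advisories in an OSV-like shape; IDs are placeholders.
# A version is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "urllib3", "introduced": "0", "fixed": "1.26.5", "severity": "HIGH"},
    {"id": "EXAMPLE-0002", "package": "pyyaml", "introduced": "0", "fixed": "5.4", "severity": "CRITICAL"},
]

def parse_version(v):
    # Simplified: dotted integers only (no pre-release or local segments).
    return tuple(int(p) for p in v.split("."))

def parse_lockfile(text):
    # Accepts pinned "name==x.y.z" lines; names are normalised to lowercase.
    inv = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if m:
            inv[m.group(1).lower()] = m.group(2)
    return inv

def is_affected(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])

def find_vulnerabilities(inventory, advisories):
    # Returns sorted (advisory id, package, installed version, severity) tuples.
    findings = []
    for adv in advisories:
        ver = inventory.get(adv["package"])
        if ver and is_affected(ver, adv):
            findings.append((adv["id"], adv["package"], ver, adv["severity"]))
    return sorted(findings)

def sca_report(lockfile=LOCKFILE, runtime=RUNTIME, advisories=ADVISORIES):
    return {"static": find_vulnerabilities(parse_lockfile(lockfile), advisories),
            "runtime": find_vulnerabilities(runtime, advisories)}

if __name__ == "__main__":
    for view, findings in sca_report().items():
        print(view, findings)
```

The static view flags urllib3 (pinned below the fix) while the runtime view flags pyyaml, a transitive dependency absent from the lockfile; only combining both views catches both.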

To switch to the code repository commit point of view, select Static. The static view shows vulnerabilities from the source code in your repositories.

To switch to the real-time point of view for the applications already running, select Runtime. The runtime view is the live view of the services monitored by Datadog.

Software Composition Analysis (SCA) explorer page showing vulnerabilities sorted by static or runtime.

Select a specific vulnerability to see its details, including the affected services, severity breakdown score, and recommended remediation steps.

On the Details Explorer for a vulnerability, you can view the impacted infrastructure. This view gives you better insight into your overall attack exposure.

Within ASM, the vulnerability severity base score is modified using existing attacks and the business sensitivity of the environment where the vulnerability is detected. For example, if no production environment is detected, the severity is reduced.

The adjusted vulnerability score includes the full context of each service:

  • The original vulnerability severity
  • Evidence of suspicious requests
  • Sensitive or internet-exposed environments

Vulnerability details page showing a modified severity score

See Getting Started with Software Composition Analysis for more information on the adjusted vulnerability score.

Remediation

The Vulnerability Explorer offers remediation recommendations for detected vulnerabilities. Recommendations enable you to change the status of a vulnerability, assign it to a team member for review, and create a Jira issue for tracking. They also include a collection of links and references to websites or information sources to help you understand the context behind each vulnerability.

Note: To create Jira issues for SCA vulnerabilities, you must configure the Jira integration, and have the manage_integrations permission. For detailed instructions, see the Jira integration documentation, as well as the Role Based Access Control documentation.

Application Vulnerability Management vulnerability details page showing affected services, links to infrastructure, suggested remediation, and links to more information.

Configure Code Analysis

Try the Beta!

Code Analysis is in public beta.

Software Composition Analysis contains additional capabilities to allow you to scan for vulnerabilities in your CI pipelines by using Code Analysis. With SCA for Code Analysis, you can identify vulnerable open source libraries that have been imported into your codebase.

To configure vulnerability scanning in your CI pipelines, navigate to Security > Application Security > Settings.

Click Get Started to enable Software Composition Analysis for static analysis in source code, and select and configure your CI/CD provider.

See Getting Started with Software Composition Analysis for more detailed instructions.

Software Composition Analysis setup page, showing CI setup.

Risk information in APM views

Software Composition Analysis enriches the information APM is already collecting, and flags libraries that match with current vulnerability advisories. Potentially vulnerable services are highlighted directly in the Security view embedded in the APM Service Catalog.

Vulnerability information shown in the APM Service Catalog

Further reading