Software Composition Analysis
Overview
Datadog Software Composition Analysis (SCA) helps you leverage open source with confidence. The capabilities of SCA include vulnerability detection, business risk (library inventory and licensing information), and quality evaluation of the open source libraries in your services.
What makes Datadog SCA unique is its end-to-end coverage of your software development lifecycle: from the code that your developers commit, to the production applications already running in your Datadog deployment.
Datadog SCA uses a curated proprietary database. The database is sourced from Open Source Vulnerabilities (OSV), National Vulnerability Database (NVD), GitHub advisories, and other language ecosystem advisories. Additionally, the Datadog Security research team evaluates vulnerabilities and malware findings. For more information, see the GuardDog GitHub project.
Check the ASM Compatibility for each ASM product to see if your service is supported.
Library Inventory
The Datadog SCA Library Inventory helps you understand the list of libraries, and their versions, that compose your application. To access the Library Explorer, navigate to Security > Application Security > Catalog > Libraries.
With Datadog SCA spanning your software development lifecycle from code to production, it detects libraries throughout the lifecycle of an application and alerts you to vulnerabilities, risks, licenses, and more.
Explore and manage SCA vulnerabilities
Datadog Software Composition Analysis can find vulnerable libraries across the software development lifecycle (SDLC). Application Security summarizes results found in the default branches of your repositories and in your running services. To view vulnerabilities found in other branches and commits, see Code Analysis for more details.
The Vulnerability Explorer shows a complete list of the open source libraries detected by Datadog SCA and reports security vulnerabilities associated with them.
Datadog SCA leverages two techniques to analyze your services:
- Static code analysis in your repositories (static point of view)
- Runtime analysis in your deployed services (runtime point of view)
Combining both techniques monitors open source libraries end-to-end, from the code repository commit (static point of view), to the applications running in production (runtime point of view).
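The Library Inventory and the static/runtime split above are easier to reason about with a concrete matcher. The following is an added example, not Datadog's code: it builds a library inventory from the static point of view (a pinned requirements file) and from the runtime point of view (what the current interpreter actually has installed), then matches both against advisories written in the OSV schema shape that the Datadog database draws on. The advisory IDs (EXAMPLE-*), package names and versions are constructed for this example.

```python
"""Illustrative SCA matcher (added example, not Datadog's code).

Inventory from the static view (pinned requirements) and the runtime view
(installed distributions), matched against OSV-shaped advisories
(schema: https://ossf.github.io/osv-schema/). All advisories, IDs, packages
and versions below are constructed for illustration.
"""
import importlib.metadata
from typing import Dict, Iterable, List, Tuple

# Constructed advisories. EXAMPLE-* IDs are placeholders, not real advisories.
SAMPLE_ADVISORIES = [
    {
        "id": "EXAMPLE-2024-0001",
        "summary": "Constructed: unsafe deserialization in examplelib before 2.3.1",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "examplelib"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "2.3.1"}]}],
        }],
    },
    {
        "id": "EXAMPLE-2024-0002",
        "summary": "Constructed: flaw introduced in otherlib 4.0.0, fixed in 4.2.0",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "otherlib"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "4.0.0"}, {"fixed": "4.2.0"}]}],
        }],
    },
]

# Constructed pinned requirements (static point of view).
SAMPLE_REQUIREMENTS = """
examplelib==2.2.0    # below the 2.3.1 fix -> vulnerable
otherlib==3.9.5      # outside the 4.0.0 <= v < 4.2.0 window -> not affected
thirdlib==1.0.0      # no advisory at all
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only (e.g. 2.3.1); pre-release tags are out of scope."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, rng: dict) -> bool:
    """True if `version` lies in the OSV range: 'introduced' opens an affected
    interval, 'fixed' / 'last_affected' closes it. Events are walked in version
    order, so the last event at or below `version` decides."""
    v = parse_version(version)
    ordered = sorted(rng["events"], key=lambda e: parse_version(next(iter(e.values()))))
    affected = False
    for ev in ordered:
        if "introduced" in ev and v >= parse_version(ev["introduced"]):
            affected = True
        elif "fixed" in ev and v >= parse_version(ev["fixed"]):
            affected = False
        elif "last_affected" in ev and v > parse_version(ev["last_affected"]):
            affected = False
    return affected


def static_inventory(requirements_text: str) -> Dict[str, str]:
    """Static point of view: name -> version from pinned 'name==version' lines."""
    inventory: Dict[str, str] = {}
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if "==" in line:
            name, version = line.split("==", 1)
            inventory[name.strip().lower()] = version.strip()
    return inventory


def runtime_inventory() -> Dict[str, str]:
    """Runtime point of view: distributions installed in this interpreter.
    This can differ from the lockfile (hot-patched hosts, vendored copies,
    images built from a stale base), which is why both views are needed."""
    return {dist.metadata.get("Name").lower(): dist.version
            for dist in importlib.metadata.distributions()
            if dist.metadata.get("Name")}


def find_vulnerable(inventory: Dict[str, str], advisories: Iterable[dict],
                    ecosystem: str = "PyPI") -> List[Tuple[str, str, str]]:
    """Return (library, version, advisory_id) for every inventory entry an advisory covers."""
    hits: List[Tuple[str, str, str]] = []
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != ecosystem:
                continue
            name = pkg["name"].lower()
            version = inventory.get(name)
            if version and any(is_affected(version, r) for r in aff.get("ranges", [])):
                hits.append((name, version, adv["id"]))
    return hits


if __name__ == "__main__":
    print("static view:", find_vulnerable(static_inventory(SAMPLE_REQUIREMENTS), SAMPLE_ADVISORIES))
    print("runtime view:", find_vulnerable(runtime_inventory(), SAMPLE_ADVISORIES))
```

The two calls in the main guard are the two points of view from the Vulnerability Explorer: the static call answers "what does the repository declare?", the runtime call answers "what is this process really loading?". A library that appears only in the runtime result is the case the combined view exists to catch.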
To switch to the code repository commit point of view, select Static. The static view shows vulnerabilities from the source code in your repositories.
To switch to the real-time point of view for the applications already running, select Runtime. The runtime view is the live view of the services monitored by Datadog.
Select a specific vulnerability to see its details, including the affected services, the severity score breakdown, and recommended remediation steps.
On the Details Explorer for a vulnerability, you can view the impacted infrastructure. This view gives you better insight into your overall attack exposure.
Datadog Severity Score
Each vulnerability has a defined base severity score. To assist in prioritizing remediation, Datadog modifies the base CVSS score into the Datadog Severity Score by considering evidence of suspicious requests or attacks, the business sensitivity or internet exposure of the environment, and the risk of a successful exploit.
Four score modifiers may apply to a base score. Two are provided by runtime context:
- Vulnerability is in production
- Service affected by vulnerability is under attack
Two are provided by CVE context:
- Whether an exploit is available
- The exploitation probability
Datadog shows how the base CVSS score is adjusted to the Datadog Severity Score based on the factors above.
See Getting Started with Software Composition Analysis for more information on the adjusted vulnerability score.
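To make the modifier logic concrete, here is an added example that is not Datadog's code and not its scoring formula. It applies the four modifiers listed above (two from runtime context, two from CVE context) to a CVSS base score and ranks findings by the result. The weights, the penalty for findings not seen in production, and the sample findings are all assumptions chosen to show the mechanics; only the CVSS v3.x qualitative scale (None/Low/Medium/High/Critical) is a real standard.

```python
"""Illustrative context-adjusted severity score (added example, not Datadog's formula).

The four modifiers the page lists are applied to a CVSS base score. The
weights below are assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    name: str                   # library@version, for display
    base_cvss: float            # CVSS base score, 0.0-10.0
    in_production: bool         # runtime context: loaded by a production service
    under_attack: bool          # runtime context: ASM saw attacks on that service
    exploit_available: bool     # CVE context: a public exploit exists
    exploit_probability: float  # CVE context: 0.0-1.0 likelihood of exploitation


# Assumed weights (illustrative only, not Datadog's values).
PRODUCTION_BONUS = 1.0            # running in production raises urgency
NOT_IN_PRODUCTION_PENALTY = 1.5   # seen only in code/staging lowers it
UNDER_ATTACK_BONUS = 2.0
EXPLOIT_AVAILABLE_BONUS = 1.0
EXPLOIT_PROBABILITY_WEIGHT = 1.0  # probability contributes up to +1.0


def adjusted_score(f: Finding) -> float:
    """Base CVSS plus context modifiers, clamped to the 0-10 CVSS range."""
    if not 0.0 <= f.base_cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {f.base_cvss}")
    if not 0.0 <= f.exploit_probability <= 1.0:
        raise ValueError(f"exploit probability out of range: {f.exploit_probability}")
    score = f.base_cvss
    score += PRODUCTION_BONUS if f.in_production else -NOT_IN_PRODUCTION_PENALTY
    if f.under_attack:
        score += UNDER_ATTACK_BONUS
    if f.exploit_available:
        score += EXPLOIT_AVAILABLE_BONUS
    score += EXPLOIT_PROBABILITY_WEIGHT * f.exploit_probability
    return round(min(10.0, max(0.0, score)), 1)


def severity_rating(score: float) -> str:
    """CVSS v3.x qualitative scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def prioritize(findings: List[Finding]) -> List[Tuple[str, float, str]]:
    """Order findings by adjusted score, highest first, with the rating attached."""
    scored = []
    for f in findings:
        s = adjusted_score(f)
        scored.append((f.name, s, severity_rating(s)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed findings: note that libC has the highest base score but is not the
# top priority once context is applied, while libA and libB share a base score.
SAMPLE_FINDINGS = [
    Finding("libA@1.0", 7.5, in_production=True, under_attack=True,
            exploit_available=True, exploit_probability=0.9),
    Finding("libB@2.0", 7.5, in_production=False, under_attack=False,
            exploit_available=False, exploit_probability=0.1),
    Finding("libC@3.0", 9.8, in_production=False, under_attack=False,
            exploit_available=False, exploit_probability=0.0),
    Finding("libD@4.0", 5.3, in_production=True, under_attack=False,
            exploit_available=True, exploit_probability=0.5),
]

if __name__ == "__main__":
    for name, score, rating in prioritize(SAMPLE_FINDINGS):
        print(f"{name:10} {score:4.1f} {rating}")
```

The point of the sample set is the reordering: two findings with the same CVSS base score end up two severity bands apart once runtime evidence is taken into account, and a 9.8 that no production service loads drops below a 7.5 that is actively being attacked.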
The Vulnerability Explorer offers remediation recommendations for detected vulnerabilities. Recommendations enable you to change the status of a vulnerability, assign it to a team member for review, and create a Jira issue for tracking. They also include a collection of links and references to websites or information sources to help you understand the context behind each vulnerability.
Note: To create Jira issues for SCA vulnerabilities, you must configure the Jira integration and have the manage_integrations permission. For detailed instructions, see the Jira integration documentation, as well as the Role Based Access Control documentation.
Software Composition Analysis (SCA) contains additional capabilities to allow you to scan for vulnerabilities in your CI pipelines by using Code Analysis. With SCA for Code Analysis, you can identify vulnerable open source libraries that have been imported into your codebase.
To configure vulnerability scanning in your CI pipelines, navigate to Security > Application Security > Settings.
In Software Composition Analysis (SCA), click Get Started to enable Software Composition Analysis, and select your repositories and services.
See Getting Started with Software Composition Analysis for more detailed instructions.
Software Composition Analysis enriches the information APM is already collecting, and flags libraries that match with current vulnerability advisories. Potentially vulnerable services are highlighted directly in the Security view embedded in the APM Service Catalog.
Disable Software Composition Analysis
For information on disabling Software Composition Analysis, see Disabling Software Composition Analysis.
Further reading
Additional helpful documentation, links, and articles: