Top 12 sca Open-Source Projects

• dependency-track

  18 2,329 9.8 Java

  Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.

  

Project mention: Show HN: Pre-alpha tool for analyzing spdx SBOMs generated by GitHub | news.ycombinator.com | 2024-04-21

I've become interested in SBOM recently, and found there were great tools like https://dependencytrack.org/ for CycloneDX SBOMs, but all I have is SPDX SBOMs generated by GitHub.

I decided to have a go at writing my own dependency track esque tool aiming to integrate with the APIs GitHub provides.

It's pretty limited in functionality so far, but can give a high level summary of the types of licenses your repository dependencies use, and let you drill down into potentially problematic ones.

Written in NextJS + mui + sqlite, and using another project of mine to generate most of the API boilerplate/glue (https://github.com/mnahkies/openapi-code-generator)

• scancode-toolkit

  4 1,972 9.6 Python

  :mag: ScanCode detects licenses, copyrights, dependencies by "scanning code" ... to discover and inventory open source and third-party packages used in your code. Sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase, the Google Summer of Code, Azure credits, nexB and others generous sponsors!

  

Project mention: ScanCode: Scan license and packages, dependencies and origin information | news.ycombinator.com | 2023-08-11

• InfluxDB

  www.influxdata.com sponsored

  Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

  

• pay

  17 1,813 9.1 Ruby

  Payments for Ruby on Rails apps

  

Project mention: Implement paypal in my Rails 6 app | /r/rails | 2023-07-06

I believe he was talking about the gem called "pay", see https://github.com/pay-rails/pay

• ort

  3 1,475 9.9 Kotlin

  A suite of tools to automate software compliance checks.

  

• dep-scan

  3 699 8.8 Python

  OWASP dep-scan is a next-generation security and risk audit tool based on known vulnerabilities, advisories, and license limitations for project dependencies. Both local repositories and container images are supported as the input, and the tool is ideal for integration.

  

Project mention: Show devsecops: OWASP dep-scan v5 - a next-generation security and risk audit tool for everyone | /r/devsecops | 2023-12-05

Depscan v5 is the first opensource SCA tool that can perform precision reachability analysis for Java, JavaScript/TypeScript, and Python applications to triage and prioritize the results. We invented an automatic symbols tagger, a lightweight data-flow analyzer, and a static slicer to compute all reachable flows with or without vulnerabilities. We open-sourced all our work, including the specification.

• log4j-detector

  8 631 0.0 Java

  A public open sourced tool. Log4J scanner that detects vulnerable Log4J versions (CVE-2021-44228, CVE-2021-45046, etc) on your file-system within any application. It is able to even find Log4J instances that are hidden several layers deep. Works on Linux, Windows, and Mac, and everywhere else Java runs, too! TAG_OS_TOOL, OWNER_KELLY, DC_PUBLIC

  

• cdxgen

  3 448 9.5 JavaScript

  Creates CycloneDX Software Bill of Materials (SBOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission to Dependency Track server. Slack: https://cyclonedx.slack.com/archives/C04NFFE1962

  

Project mention: Show devsecops: OWASP dep-scan v5 - a next-generation security and risk audit tool for everyone | /r/devsecops | 2023-12-05

Today, it gives me great pleasure to announce OWASP dep-scan v5. Like everyone, I was constantly frustrated with the amount of false positives generated by all Software Composition Analysis tools (including mine) and wanted to do something. I worked closely with a few colleagues (Caroline, Tim, Saket, and David) for a year to build the various capabilities that together form depscan v5.

• WorkOS

  workos.com sponsored

  The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

  

• scancode.io

  1 88 9.3 Python

  ScanCode.io is a server to script and automate software composition analysis pipelines with ScanPipe pipelines. This project is sponsored by NLnet project https://nlnet.nl/project/vulnerabilitydatabase/ Google Summer of Code, nexB and others generous sponsors!

  

• clj-watson

  5 66 6.5 Clojure

  clojure deps SCA

  

• Log4j-CVE-Detect

  1 34 5.0 YARA

  Detections for CVE-2021-44228 inside of nested binaries

• sca

  2 7 0.0 JavaScript

  Apply sound changes automatically to a set of words.

• Veracode

  4 2 8.8 PowerShell

  Exemplos de código e tutoriais para implementações Veracode

  

sca related posts

• Show devsecops: OWASP dep-scan v5 - a next-generation security and risk audit tool for everyone
  3 projects | /r/devsecops | 5 Dec 2023
• cdxgen
  1 project | /r/devopspro | 29 Jan 2023
• Sound change appliers
  1 project | /r/conlangs | 28 Jun 2022
• A package pretending to be the roblox API removed from NPM
  1 project | /r/javascript | 28 Oct 2021
• TriSCA - a new web-based sound change applier
  1 project | /r/conlangs | 9 Mar 2021
• A note from our sponsor - InfluxDB
  www.influxdata.com | 29 Apr 2024

  Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality. Learn more →

Index

Sponsored

SaaSHub - Software Alternatives and Reviews

SaaSHub helps you find the best software and product alternatives

www.saashub.com