Is Software Composition Analysis planned in the future?

Dear community,

As the Digital Operational Resilience Act is going to take effect for the financial sector next year, and it requires, among other things, Software Composition Analysis (SCA), I wanted to ask whether this feature is planned for the next releases.

Thanks in advance!

Hi matim, I checked this some time ago with some internals at SonarSource and apparently there was no particular interest in SCA. Maybe this has now changed, it’d be good to have the view of a SonarSourcer here!

In the meantime, there are other options. You can for example use the dependency-check plugin (Dependency-Check | SonarQube™ Plugins Index), which is free and can be used with the community edition. In terms of commercial solutions, I would suggest you check out Meterian, a commercial SCA platform that is affordable, more precise, and provides a native plugin for SonarQube (SonarQube | Meterian).

1 Like

Hi John,

thanks for your response and the recommended plugin. Our backup solution would probably be the Dependency Check plugin for Azure DevOps.

Of course, it would be nicer if this functionality were covered in SonarQube, similar to other SAST tools.
But perhaps there will be a future strategic direction of SonarSource towards SCA. As I said, the regulatory requirements will dictate this from next year. In my opinion, this would be a good business case for SonarSource to cover this functionality.

Thanks for asking @matim and for your response @John_S_Blatter!

My input: We (Sonar) have nothing to share right now about our plans for SCA. I do not think we will have nothing to share forever. It is a frequent ask we aren’t ignoring.

Sorry, deleted by mistake. On our side we are looking at it for compliance with the upcoming EU CRA. Which regulation are you looking at, if I may ask?

Hello Bruno,

the regulation we are looking at is called DORA: Digital Operational Resilience Act (DORA) - European Union (europa.eu)

Here is a short quote from the regulation and its requirements regarding security testing.

To respond to differences across and within the financial subsectors regarding the financial entities’ cybersecurity preparedness, testing should include a wide variety of tools and actions, ranging from an assessment of basic requirements (e.g. vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing or end-to-end testing) to more advanced testing (e.g. TLPT for those financial entities mature enough from an ICT perspective to be capable of carrying out such tests).

Hi Colin,

thanks for your feedback. Do you have experience with the plugin SonarQube | Meterian? I’m aware that you can’t take responsibility for third-party plugins, but a personal opinion (or maybe experience) would be helpful as we need to cover the SCA topic somehow.

Thanks in advance

Manuel

This is the first I’ve heard of it, so no advice to share. I’m sorry!

That said, GitHub - dependency-check/dependency-check-sonar-plugin: Integrates Dependency-Check reports into SonarQube is one of the most popular plugins in the Sonar ecosystem, although it’s causing some issues in the latest SQ version (might be our fault)

1 Like
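Both John's and Colin's replies point to the OWASP Dependency-Check route as the free option for the community edition: the scanner produces a report, and the SonarQube plugin imports it. The following is an added example, not code from the thread, from SonarSource, or from the dependency-check-sonar-plugin project. It shows the other half a practitioner usually wants next to the dashboard import: a CI gate that reads the Dependency-Check JSON report directly and fails the build above a CVSS threshold, failing closed on findings with no score and honouring a reviewed suppression list. The JSON key names (`dependencies`, `fileName`, `vulnerabilities`, `name`, `severity`, `cvssv3.baseScore`, `cvssv2.score`) follow the Dependency-Check JSON report format as I understand it and should be checked against a real report; the embedded report, package names, finding ids and scores are constructed placeholders, not real findings.

```python
"""Gate a CI build on an OWASP Dependency-Check JSON report.

Added example for the thread above; not part of the dependency-check
SonarQube plugin. The report shape is assumed from Dependency-Check's
JSON output (--format JSON): a top-level "dependencies" list whose
entries carry "fileName" and an optional "vulnerabilities" list with
"name", "severity" and "cvssv3"/"cvssv2" score objects. Confirm the
keys against a report from your own version before relying on this.
"""
import json

# Constructed sample report. Package names, finding ids and scores are
# placeholders (EXAMPLE-xxxx), not real vulnerabilities.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "libfoo-1.2.3.jar",
         "vulnerabilities": [
             {"name": "EXAMPLE-0001", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 9.8}},
             {"name": "EXAMPLE-0002", "severity": "MEDIUM",
              "cvssv3": {"baseScore": 5.3}},
         ]},
        {"fileName": "libbar-0.9.0.jar",
         "vulnerabilities": [
             # Older entries may only carry a CVSS v2 score.
             {"name": "EXAMPLE-0003", "severity": "HIGH",
              "cvssv2": {"score": 7.5}},
         ]},
        {"fileName": "clean-2.0.0.jar"},   # no findings at all
    ]
})


def score_of(vuln):
    """Prefer the CVSS v3 base score, fall back to v2; None if neither exists."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return None


def findings(report_text):
    """Flatten a report into (dependency, finding id, severity, score) tuples."""
    data = json.loads(report_text)
    out = []
    for dep in data.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            out.append((dep.get("fileName", "?"),
                        vuln.get("name", "?"),
                        (vuln.get("severity") or "UNKNOWN").upper(),
                        score_of(vuln)))
    return out


def gate(report_text, max_score=7.0, suppressed=frozenset()):
    """Return (passed, blocking_findings).

    A finding blocks the build when its score is >= max_score, or when it
    has no score at all (fail closed: an unscored finding is not a pass),
    unless its id is on the reviewed suppression list.
    """
    blocking = []
    for dep, vid, sev, score in findings(report_text):
        if vid in suppressed:
            continue
        if score is None or score >= max_score:
            blocking.append((dep, vid, sev, score))
    return (not blocking, blocking)


if __name__ == "__main__":
    # Typical CI use: python gate.py < reports/dependency-check-report.json
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    ok, blocking = gate(text)
    for dep, vid, sev, score in blocking:
        print(f"BLOCK {dep}: {vid} {sev} score={score}")
    raise SystemExit(0 if ok else 1)
```

Run it on the JSON file that the Dependency-Check CLI writes with `--format JSON` (the same report the SonarQube plugin imports); keep the suppression list in version control and require a reviewed reason per entry, otherwise the gate quietly becomes advisory.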

Hi Manuel,

Thank you, we were so focused on the CRA that we must have dropped the ball on DORA! Why did they use this acronym… makes things complicated. In regard to Meterian: full disclosure, I am the CTO. We’ve been developing the plugin specifically for SonarQube (no cloud support yet) but we do have happy customers, so if you want to give it a try please ping me at bruno@meterian.io

I second John and Colin: the other option (dependency-check) works okay and is free to use. Our customers in general however were not happy with the overall user experience and asked us to create a specific integration, which we did.
