Insignary Clarity is a Software Composition Analysis (SCA) solution that gives organizations visibility into security and license risk in third-party software across their software supply chain and IT environments.
Clarity quickly produces a Software Bill of Materials (SBOM) from source code or compiled binaries, allowing development, security, and operations teams to manage risk in the software supply chain more effectively.

Most SCA tools rely solely on build manifests and source code to produce an SBOM. Clarity is different. It works on source code and compiled binaries to produce a Software Bill of Materials – without reverse engineering techniques that would violate licenses.
With source code or binaries, Clarity takes a three-prong approach to Software Composition Analysis.
National Security System (NSS) owners should “Obtain SBOMs and associated vulnerability and code quality information (e.g., CVEs and CWEs) from analysis of software binaries.”
1. Package Manager Inspection: When a package manager or build file is available, Clarity parses the object to extract declared dependencies.
2. Hash Matching: Clarity generates hashes for source or binaries and compares those to pre-compiled databases of components.
3. Patented Binary Analysis: Clarity uses patented algorithms that extract “fingerprints” from the target binary code to match against our proprietary knowledge base of fingerprints from open source repositories.
Scan almost anything, even without source code: In addition to traditional source-based scanning, Clarity offers binary SCA scanning that produces an SBOM by examining compiled code, including applications, embedded firmware, IT infrastructure, and containers.
Continuous Monitoring: Be notified of new vulnerabilities in your applications, firmware, devices, and IT infrastructure as they are disclosed – without the need to rescan.
Manage your Internal and External SBOMs: Produce and distribute a comprehensive SBOM for source and binary, cataloging third party software components and licenses. Import SBOMs in custom and standardized formats including SPDX and CycloneDX to track risk across your entire application inventory.
Reachability Analysis: When vulnerability information is available, Clarity Binary SCA provides users information on whether the vulnerable code is present in the binary. In all cases, Clarity provides detailed information on all vulnerabilities in all versions to ensure developers make informed remediation decisions.
Integrates with multiple scanning tools: Clarity integrates seamlessly with other tools such as Snyk and FOSSID, and can provide comparative analysis between SBOMs generated by different tools or provided by third parties.
Flexible deployment models: SaaS, on-prem, and hybrid deployment models to meet the needs of your organization.