This document introduces OpenSCA, an open source solution for managing open source risks. It discusses the need for such a solution and advantages over traditional commercial solutions. OpenSCA allows flexible and low-cost scanning of software to generate software bills of materials and identify vulnerabilities. It provides results in standard formats and intelligence to subscribers. The community has implemented OpenSCA in DevOps workflows for an internet company to integrate security and identify open source risks introduced in code. The document encourages joining the community to build solutions for more scenarios.

1. OpenSCA: Manage Open Source Risks by
an Open Source Solution
Qiuyue QI
Open Source Community Operation
Xmirror Security

2. Why do we need an open source solution
01
Our community & cases
03
OpenSCA
02
Build together
04

3. What for and Why bother?
Why do we need an open source solution
01

4. A
B
C
D
Manage the Security of the Whole Software Supply
Chain
Response ASAP when New Open Source
Vulnerabilities Breakout
Manage and Mitigate Known Risks According to
the List
Get the list of Open Source Components and
Vulnerabilities Introduced
The Purpose of Using SCA (Software Composition Analysis)

5. High Cost
• Relative high cost of procurement,
deployment and maintenance
• Applicable for larger companies or
projects rather than medium, small-
sized and emerging ones
• Relatively exclusive and limited in
certain scenarios
• Incompetent to cover upstream and
downstream of the supply chain
Exclusiveness
Disadvantages of Traditional Commercial Solution

6. More Flexible
Access to redevelopment in
terms of diverse scenarios
More Possibilities
Not limited in vendors’
perspective
Widely Shared
Open & available for each part
of the chain to use freely
Lower Cost
Visible & transparent
source code
Open Source
Solution
Advantages of the Open Source Solution

7. What is it? How can it help?
OpenSCA
02

8. About us
OpenSCA is an Open Source project that could
steadily and flexibly offer SCA ability and aware
users of all open source component assets and
risks introduced.
The community aims to constructing a low-cost,
compatible and extensible solution to open
source security in joint efforts.

9. Flexible
One command in CMD/CRT
to scan and get the result
Complete ability
Independent logic
executed in localhost
Online/offline applicable
Choose freely according
to the specific scenario
Easy to start
Freely integrated into
the process of R&D
Work Flow & Features

10. • Conduct detection in CMD
• Allow using local vulnerability database
• Allow using local maven component
database through configuration
• Multiple formats for managing and sharing
the results among team members
How to Use

11. Results
• Over view of the result is
printed in CMD
• Results in detail including
dependency structure and
vulnerability introduced can
be shown in JSON/HTML

12. Example of SBOM in SPDX & CycloneDX
Standard SBOM Supported

13. Intelligence provided for community subscribers through email & IM
Open Source Vulnerability Intelligence

14. What have we done?
Our community & cases
03

15. Our Community

16. Problem
OpenSCA
Solution
Result
DevOps flow’s requirement for effectiveness
demands a flexible and reliable Open Source
security management tool.
Redeveloped on the basis of OpenSCA,
integrating it into different phases in
DevOps and setting up a security
management process using its result as a
checking point.
Security Team Scenario
Security integrated into DevOps flow
The risk of vulnerabilities introduced by third-party OS
components has been greatly reduced, achieving the inventory
of internal component assets and vulnerability risks
16
Reveal OS risks introduced in code constantly
Clarify relevant OS components & vulnerabilities
Use Case: the SRC Department of an Internet Company

17. Join us for the shared future
Build together
04

18. • Provide solutions to international users
• Explorations to more applicable scenarios
• Work together for enhancing the security of the open source world
To the Open Source Future

19. T H A N K S
Watch us