Sherlocked Security – AI-Powered Cybersecurity & Penetration Testing
Application Security Services

Software Composition Analysis (SCA)

  • May 8, 2025

Sherlocked Security – Software Composition Analysis (SCA)

Evaluate the Security and License Compliance of Open-Source Components


1. Statement of Work (SOW)

Service Name: Software Composition Analysis (SCA)
Client Type: Enterprises, SaaS Providers, Open-Source Projects, Startups
Service Model: Automated Open-Source Vulnerability Scanning – Static + Dependency Analysis
Compliance Coverage: OWASP Dependency-Check, CVE, NVD, SPDX, OSI licenses

Assessment Types:

  • Open-Source Dependency Scanning
  • License Compliance Checking
  • Vulnerability Identification & Severity Assessment
  • Dependency Tree Visualization
  • Outdated Library Detection
  • Security Risk Assessment

2. Our Approach

[Dependency Identification] → [Automated Dependency Scanning] → [Vulnerability Mapping] → [License Compliance Check] → [Risk Prioritization] → [Remediation Guidance] → [Revalidation]


3. Methodology

[Dependency Mapping] → [Automated Static Analysis] → [Vulnerability Identification via CVEs] → [License Analysis & Filtering] → [Risk Level Categorization] → [Fix Recommendation] → [Reporting]


4. Deliverables to the Client

  1. Software Composition Analysis Report
  2. Vulnerability Summary (CVE Mapped)
  3. License Compliance Report
  4. Dependency Tree Visualizations
  5. Outdated Library Report
  6. Risk Assessment Report
  7. Remediation Recommendations with Fix Examples
  8. Revalidation Report Post-Fix
  9. Optional: CI/CD Integration Guidelines

5. What We Need from You (Client Requirements)

  • List of primary application repositories (e.g., GitHub, GitLab, Bitbucket)
  • Access to build and deployment pipelines for dependency data
  • Information on custom in-house libraries or frameworks used
  • NDA and scope sign-off prior to engagement

6. Tools & Technology Stack

  • OWASP Dependency-Check
  • Snyk
  • Black Duck
  • WhiteSource
  • Sonatype Nexus Lifecycle
  • GitHub / GitLab / Bitbucket API integrations
  • License Compliance Tools (SPDX, FOSSA)
  • Dependency Graphing Tools (GraphQL, Dependency-Track)

7. Engagement Lifecycle

1. Kickoff & Scope Definition → 2. Repository & Dependency Access Setup → 3. Automated & Static Analysis Phase (1-2 weeks typical) → 4. Report Draft → 5. Remediation Advisory → 6. Revalidation Scan → 7. Final Report + Certificate


8. Why Sherlocked Security?

| Feature | Sherlocked Advantage |
| --- | --- |
| Automated Dependency Scanning | Detects both known and new vulnerabilities from open-source libraries |
| License Compliance Coverage | Ensures adherence to open-source license obligations |
| CVE and NVD Integration | Regular updates with critical vulnerability information |
| Custom Library Detection | Identifies and tracks in-house or custom-built components |
| Security Risk Prioritization | Focuses on high-risk vulnerabilities that impact your app’s security posture |
| Continuous Monitoring | Integration with CI/CD pipelines for ongoing updates and scanning |

9. Real-World Case Studies

E-Commerce Platform: Critical Vulnerability in Open-Source Dependency

Issue: A known CVE in a widely used payment gateway library was found during scanning.
Impact: Potential data leakage and service disruption.
Our Role: Identified outdated library and recommended immediate update.
Outcome: Vulnerability patched, and risk level significantly reduced.

SaaS Provider: License Compliance Violations

Client: Cloud-based Document Management Platform
Findings: Open-source components used in the codebase were licensed under incompatible terms.
Outcome: Provided a list of affected components and advised on legal ramifications. The client updated their license agreements.


10. SOP – Standard Operating Procedure

  1. Scope Definition & Repository Access
  2. Dependency Mapping & Library Identification
  3. Automated Static Vulnerability Scan
  4. License Compliance Checking
  5. Risk Categorization & Prioritization
  6. Fix Recommendations & Patch Analysis
  7. Remediation Support & Developer Consultation
  8. Revalidation Scan & Final Closure

11. SCA Testing Checklist

1. Dependency Identification & Mapping

  • Identify all direct and transitive dependencies
  • Ensure the latest versions of libraries are being used
  • Visualize the entire dependency tree for traceability
  • Identify components with known vulnerabilities from CVE/NVD
  • Check for deprecated or unsupported libraries

2. Vulnerability Scanning & Risk Assessment

  • Use CVE databases to map vulnerabilities to dependencies
  • Calculate risk scores based on severity (Critical, High, Medium, Low)
  • Check for patch availability and exploitability of identified vulnerabilities
  • Evaluate frequency and recency of vulnerability reports for each dependency

3. License Compliance Checking

  • Identify the license of each dependency (e.g., MIT, GPL, Apache)
  • Check for potential license conflicts or violations (e.g., GPL-licensed code linked into a proprietary product)
  • Report on open-source license obligations and restrictions
  • Ensure compliance with OSI-approved licenses, tracked by their SPDX identifiers

4. Outdated Library Detection

  • Detect older versions of libraries with known vulnerabilities
  • Verify whether newer versions have fixed vulnerabilities
  • Recommend safe upgrade paths or replacement options for unsupported libraries

5. Continuous Monitoring & Revalidation

  • Set up automated continuous scanning for new dependencies or updates
  • Integrate with CI/CD pipelines to run SCA on every commit or build
  • Validate remediation actions after updates or fixes to dependencies

6. Reporting & Remediation

  • Provide detailed vulnerability reports with CVE IDs, severity, and impacted components
  • Offer remediation recommendations with patch or update guidance
  • Prioritize vulnerabilities based on exploitability and business impact
  • Provide developer walkthroughs to explain dependencies and remediation steps
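The following is an added illustration of checklist items 1 to 4 and 6 in one pass, written for this page and not Sherlocked's own tooling: it takes a constructed lock-file-style dependency list and a constructed advisory feed (placeholder IDs, not real CVEs), flags versions inside a vulnerable range, flags licenses that conflict with a proprietary-product policy, and orders findings by severity and patch availability. It assumes simple dotted numeric versions and an advisory range of the form [introduced, fixed).

```python
"""Minimal SCA pass: version-range matching, license policy, and prioritization."""

# Constructed sample manifest (name, version, SPDX license id); not real project data.
DEPENDENCIES = [
    ("payments-sdk", "2.3.1", "Apache-2.0"),
    ("logfmt", "1.0.4", "GPL-3.0-only"),
    ("jsonlite", "4.8.0", "MIT"),
]

# Constructed advisory feed with placeholder IDs. Vulnerable range is [introduced, fixed);
# fixed=None means no patched release exists yet.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "pkg": "payments-sdk", "introduced": "2.0.0", "fixed": "2.4.0", "severity": "Critical"},
    {"id": "ADV-EXAMPLE-0002", "pkg": "jsonlite", "introduced": "4.0.0", "fixed": None, "severity": "Medium"},
    {"id": "ADV-EXAMPLE-0003", "pkg": "logfmt", "introduced": "1.1.0", "fixed": "1.2.0", "severity": "High"},
]

# Assumed policy for a proprietary product: strong-copyleft licenses are disallowed when linked in.
DISALLOWED_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


def parse_version(version):
    """Dotted numeric version -> comparable tuple, e.g. '2.3.1' -> (2, 3, 1)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    return parse_version(introduced) <= v and (fixed is None or v < parse_version(fixed))


def scan(deps, advisories, disallowed):
    """Return findings sorted by severity, then patch availability, then package name."""
    findings = []
    for name, version, license_id in deps:
        for adv in advisories:
            if adv["pkg"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"kind": "vuln", "pkg": name, "version": version,
                                 "id": adv["id"], "severity": adv["severity"], "fix": adv["fixed"]})
        if license_id in disallowed:  # license conflict is reported as a High finding
            findings.append({"kind": "license", "pkg": name, "version": version,
                             "id": license_id, "severity": "High", "fix": None})
    findings.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["fix"] is None, f["pkg"]))
    return findings


if __name__ == "__main__":
    for f in scan(DEPENDENCIES, ADVISORIES, DISALLOWED_LICENSES):
        action = f"upgrade to {f['fix']}" if f["fix"] else "no fix available; mitigate or replace"
        print(f"[{f['severity']}] {f['kind']}: {f['pkg']}=={f['version']} ({f['id']}) -> {action}")
```

A real engagement replaces the constructed lists with the lock file and an NVD or OSV feed, and extends `parse_version` to handle pre-release and ecosystem-specific version schemes.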
© 2025 Sherlocked. All rights reserved.