Skip to main content

Software binary analysis (SBA) features

DigiCert​​®​​ Software Trust Manager's threat detection services allow you to scan open-source components in your development workflow to help your team automatically track, manage, and remediate licensing issues and vulnerabilities before releasing your software.

SBA scans via threat detection services are a security tool used to analyze the compiled binary code of an application or system without executing it.

  • SBA is also known as a binary analysis or binary code analysis.

Currently, there are two types of service tiers, a free service (named Software Assurance Service) and a paid service (named Supply Chain Compromise Risk Assessment Service).

  • At a high level, if you run a scan under the free service, then that scan data will be purged after 7 days. Even if you upgrade your service within 7 days, scan data that ran under the free service will be purged after 7 days.

  • To retain scan data, you must upgrade your service, and then execute a scan.

Service tiers

Review the following table to understand the differences between SBA service tiers.

Note

The Supply Chain Compromise Risk Assessment Service tier contains all features from the Software Assurance Service tier, as well as additional features.

Table 1. SBA service tiers

Feature

Software Assurance Service

(free tier)

Supply Chain Compromise Risk Assessment Service

(paid tier)

CLI version compatibility

Limited to CLI versions above 1.52.0.

  • Older versions will throw an exception and require an upgrade.

Scans cannot exceed 5GB per month

Compatible with all CLI versions without requiring an upgrade.

Scan limits are license based

Scan report details

Lists all deployment risks, along with priority and description

Lists CVEs, along with severity and score

Other scan details are masked.

Lists all deployment risks, along with priority and description

  • To resolve deployment risks, detailed information regarding risks and impacted files is provided

Lists CVEs, along with severity and score

  • To resolve vulnerabilities, detailed information regarding vulnerabilities and impacted files is provided.

No data masking; full scan details are provided.

Report generation

Does not generate reports

Generates the following report types:

  • SBOM reports

  • SARIF reports

  • Full risk report for audit tracking

Health check

Displays enabled/disabled state for threat detection.

  • If threat detection is enabled, then Software Assurance Service will display.

Displays enabled/disabled state for threat detection.

  • If threat detection is enabled, then Supply Chain Compromise Risk Assessment Service will display.

CLI response

Displays pass, fail, or warning, as well as the number of violations for the following risk categories:

  • Licenses

  • Secrets

  • Vulnerabilities

  • Hardening

  • Tampering

  • Malware

Detailed output of malware, vulnerabilities, and suspicious behaviors if the --threat-summary flag is added.

  • A detailed output of these threats will only display if malware, vulnerabilities, and suspicious behaviors are detected.

Data retention

Data (reports and scan data) cannot be stored in the local system.

To enable this functionality, add following flags while scanning:

  • --keep-scan-data

  • --keep-reference

  • --store-dir

Data (reports and scan data) is stored in the local system.

Processing

May take up to 20 minutes to display

Available immediately

Purge policy

Scan data purged after 7 days

Scan data does not get purged


In this section: