Skip to main content

Static binary analysis (SBA) features

Treat detection features allow you to scan open-source components in your development workflow. This feature helps your team automatically track, manage, and remediate licensing issues and vulnerabilities before releasing your software.

SBA scans via threat detection services are a security tool used to analyze the compiled binary code of an application or system without running it.

  • SBA is also known as a binary analysis or binary code analysis.

Currently, there are two types of service tiers, a free service (Software Assurance Service) and a paid service (Supply Chain Compromise Risk Assessment Service).

  • At a high level, if you run a scan under the free service, the scan data will be purged after seven days. Even if you upgrade your service within seven days, scan data that ran under the free service will be purged after seven days.

  • To retain scan data, you must upgrade your service, and then execute a scan.

Service tiers

Review the following table to understand the differences between SBA service tiers.

참고

The Supply Chain Compromise Risk Assessment Service tier contains all features from the Software Assurance Service tier and extra features.

1. SBA service tiers

Feature

Software Assurance Service

(free tier)

Supply Chain Compromise Risk Assessment Service

(paid tier)

CLI version compatibility

Limited to CLI versions above 1.52.0.

  • Older versions throw an exception and require an upgrade.

Scans can't exceed 5GB per month

Compatible with all CLI versions without requiring an upgrade.

Scan limits are license-based

Scan report details

Lists all deployment risks, along with priority and description

Lists CVEs, along with severity and score

Other scan details are masked.

Lists all deployment risks, along with priority and description

  • To resolve deployment risks, detailed information regarding risks and impacted files is provided

Lists CVEs, along with severity and score

  • To resolve vulnerabilities, detailed information regarding vulnerabilities and impacted files is provided.

No data masking. Full scan details are provided.

Report generation

Doesn't generate reports

Generates the following report types:

  • SBOM reports

  • SARIF reports

  • Full risk report for audit tracking

Health check

Displays enabled/disabled state for threat detection.

  • If threat detection is enabled, then Software Assurance Service displays.

Displays enabled/disabled state for threat detection.

  • If threat detection is enabled, then Supply Chain Compromise Risk Assessment Service displays.

CLI response

Displays pass, fail, or warning, and the number of violations for the following risk categories:

  • Licenses

  • Secrets

  • Vulnerabilities

  • Hardening

  • Tampering

  • Malware

Detailed output of malware, vulnerabilities, and suspicious behaviors if the --threat-summary flag is added.

  • A detailed output of these threats only displays if malware, vulnerabilities, and suspicious behaviors are detected.

Data retention

Data (reports and scan data) can't be stored in the local system.

To enable this functionality, add following flags while scanning:

  • --keep-scan-data

  • --keep-reference

  • --store-dir

Data (reports and scan data) is stored in the local system.

Processing

May take up to 20 minutes to display

Available immediately

Purge policy

Scan data purged after 7 days

Scan data doesn't get purged


이 섹션의 내용: