GrammaTech’s binary Software Composition Analysis (SCA) solution, CodeSentry, provides insight into the open-source software (OSS) components within your software without requiring access to source code. There are countless use cases where binary analysis fills critical gaps in your vulnerability intelligence. Whether the binaries are third-party components consumed during development, post-build and production release binaries, or legacy applications, CodeSentry recursively decomposes them down to their fundamental components, generates an inventory, reports the known vulnerabilities associated with those components, and exports this data to support a variety of users and systems.
This capability serves both producers of software, through software assurance, and consumers of third-party software addressing software supply chain security risks, and generates Software Bills of Materials (SBOMs) in both use cases.
Key new features introduced with the release of CodeSentry version 4.2:
Offers distinct capability bundles for Inventory, Vulnerabilities, and Security Intelligence, providing purchasing options that scale with maturing needs.
- SBOM Edition: supports SBOM generation, component inventory and search, and component licensing information. Try it out: register for your free SBOM.
- Security Edition: includes the SBOM Edition and adds N-day vulnerability detection and security attribute reporting.
- Advanced Security Edition: includes the Security Edition and expands vulnerability detection with 0-day capabilities.
NOTE: Existing customer instances will be migrated to the product edition that matches their licensed capabilities.
Provides a 'single pane of glass' overview of activity, including binary artifacts scanned or in progress and the results across the CodeSentry instance.
- Provides visibility into instance-wide component, vulnerability, and scan activity. Details include:
- Organization Security Rating: the average score of all vulnerabilities detected in the system.
- Dynamic data: a view of applications created, the number of scans submitted in the last 24 hours, and the number of files analyzed in total and in the last 24 hours.
- Components: an assessment of overall safety, with visibility into component findings and insight into how common each component is across the system.
- N-Day Findings: summarizes findings by severity, and lists findings to fix and to defend that have remediation available, ordered by criticality.
- License Risk: includes copyleft (vs. copyright) licenses, which flags items to investigate.
- Heat Map (top right = most risky): a quick visual representation of confidence (match) level plotted against the severity of the vulnerability (e.g., Definite is the second-highest match level).
- Activity Monitor: status of active scans that are unpacking, queued scans, and the 5 most recent scans.
- Job Stats: status of active jobs in their various states (e.g., new, unpacking, etc.).
Supports searching across your software inventory for specific scans or components, some of which may be vulnerable. The software and component inventories, including vulnerable open-source packages, are generated from binary code without requiring access to source code.
- Speeds incident response by searching for vulnerable and exploitable components (by component and/or version) within a scan or across scans to mitigate supply chain risks, e.g., Log4j.
- Includes direct links to specific scan results, to quickly see which vulnerabilities are associated with specific components, and links to the corresponding SBOMs for additional information.
Enriched Vulnerability Information
Supports a leading vulnerability database, with daily updates (applied automatically on SaaS instances).
- Adds over 2,300 new vulnerabilities and 3,800 new components.
Supports the publication and export of a Software Bill of Materials in a variety of industry formats, including PDF, CSV, SPDX, JSON, and CycloneDX, as well as VEX.
- Adds a CPE (Common Platform Enumeration) field, which provides a standard machine-readable format for encoding the names of IT products and platforms.
- Helps organizations evaluate compliance with federal IT security requirements and practices.
Supports exporting insights into specific software and component vulnerabilities in the industry-standard VEX (Vulnerability Exploitability eXchange) format, a form of security advisory, downloadable directly from the UI or via the API.
- Provides data portability to SBOM repositories and management frameworks, used in conjunction with CycloneDX SBOMs.
- Indicates whether a product is affected by a known vulnerability, with the status given as Not Affected, Affected, Fixed, or Under Investigation.
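The following is an added example showing how a consumer of these exports can work with them; it is not CodeSentry code and does not reproduce CodeSentry's export format. It covers three of the points above: parsing the CPE field into vendor/product/version attributes (the CPE 2.3 formatted-string layout with backslash-escaped colons is the public standard, not a CodeSentry detail), searching an inventory by component and version as in the Log4j case, and triaging VEX statements by the four statuses named on the page. The SBOM and VEX records, the `CVE-0000-000N` identifiers (placeholders), and the simplified flat VEX statement shape are all constructed for the example.

```python
"""Added example: CPE parsing, inventory search and VEX triage over constructed data.

The SBOM follows CycloneDX field names (bom-ref, purl, cpe) so a real export could be
substituted; the VEX statements use a deliberately simplified flat shape and are NOT
CodeSentry's VEX output. CVE identifiers below are placeholders, not real advisories.
"""
import json
import re

# CPE 2.3 formatted strings have 13 colon-separated fields; a literal colon inside a
# value is escaped as "\:", so split only on colons that are not preceded by a backslash.
_CPE_SPLIT = re.compile(r"(?<!\\):")
_CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
               "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe):
    """Parse a CPE 2.3 formatted string into named attributes, or None if malformed."""
    parts = _CPE_SPLIT.split(cpe or "")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        return None
    return {name: value.replace("\\:", ":") for name, value in zip(_CPE_FIELDS, parts[2:])}


# Constructed inventory: three components with purl and CPE, as a CycloneDX SBOM carries them.
SBOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"bom-ref": "c1", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "cpe": "cpe:2.3:a:apache:log4j:2.14.1:*:*:*:*:*:*:*"},
    {"bom-ref": "c2", "name": "openssl", "version": "1.1.1k",
     "purl": "pkg:generic/openssl@1.1.1k",
     "cpe": "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*"},
    {"bom-ref": "c3", "name": "zlib", "version": "1.2.11",
     "purl": "pkg:generic/zlib@1.2.11",
     "cpe": "cpe:2.3:a:zlib:zlib:1.2.11:*:*:*:*:*:*:*"}
  ]
}
""")

# Constructed VEX statements (placeholder CVE ids). The last one carries a status outside
# the four page-listed values, to exercise the "needs review" path.
VEX = [
    {"vulnerability": "CVE-0000-0001", "component": "c1", "status": "affected"},
    {"vulnerability": "CVE-0000-0002", "component": "c1", "status": "fixed"},
    {"vulnerability": "CVE-0000-0003", "component": "c2", "status": "under_investigation"},
    {"vulnerability": "CVE-0000-0004", "component": "c2", "status": "not_affected",
     "justification": "vulnerable_code_not_present"},
    {"vulnerability": "CVE-0000-0005", "component": "c3", "status": "exploitable"},
]


def find_components(sbom, product, version=None):
    """Search the inventory by CPE product name (case-insensitive), optionally pinned to a version.

    Returns the bom-refs of matching components; components without a parseable CPE are skipped.
    """
    hits = []
    for comp in sbom.get("components", []):
        cpe = parse_cpe23(comp.get("cpe"))
        if cpe is None:
            continue
        if cpe["product"].lower() == product.lower() and (version is None or cpe["version"] == version):
            hits.append(comp["bom-ref"])
    return hits


def triage(sbom, vex):
    """Bucket VEX statements into work queues by status.

    affected -> to_fix, under_investigation -> to_watch, not_affected/fixed -> closed.
    Statements that reference a component missing from the SBOM, or that carry a status
    other than the four expected values, go to needs_review rather than being silently dropped.
    """
    refs = {c["bom-ref"] for c in sbom.get("components", [])}
    buckets = {"to_fix": [], "to_watch": [], "closed": [], "needs_review": []}
    for stmt in vex:
        vuln, ref, status = stmt["vulnerability"], stmt["component"], stmt.get("status")
        if ref not in refs:
            buckets["needs_review"].append((vuln, ref, "component not in SBOM"))
        elif status == "affected":
            buckets["to_fix"].append((vuln, ref))
        elif status == "under_investigation":
            buckets["to_watch"].append((vuln, ref))
        elif status in ("not_affected", "fixed"):
            buckets["closed"].append((vuln, ref, status))
        else:
            buckets["needs_review"].append((vuln, ref, f"unrecognised status {status!r}"))
    return buckets


if __name__ == "__main__":
    print("log4j components:", find_components(SBOM, "log4j"))
    for bucket, items in triage(SBOM, VEX).items():
        print(f"{bucket}: {items}")
```

The search matches on the parsed CPE product rather than on the free-text `name`, so a component named `log4j-core` is still found by the product identifier `log4j`; pinning a version narrows the result to the exact build in question. In the triage, anything the consumer cannot classify is surfaced for review instead of being ignored, which is the failure mode that matters most when VEX data drives what gets fixed.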
License Control of Scan Count
Aids in tracking the number of scans per instance and the remaining count, for both planning and management purposes.
- Displays the number of scans remaining for the instance.
- Helps users plan capacity and licensing to meet release cycle demands.
More detailed information can be found in the release notes: https://support.grammatech.com/hc/en-us/articles/4419882536209-Release-Notes