CodeSentry
| Developer(s) | GrammaTech, Inc. |
|---|---|
| Initial release | October 27, 2020 |
| Stable release | Version 2.0 / June 29, 2021 |
| Operating system | Cross-platform |
| Type | Software composition analysis |
CodeSentry is a binary software composition analysis tool developed by GrammaTech, first released[1] on October 27, 2020, and based on the company's earlier binary code analysis research.[2][3] It performs static analysis of binary executables, libraries and object files without requiring source code. The advantage of working at the binary level is that components can be inventoried even when source code is not available, whether they come from open source software[4] or from third-party and commercial software.
Binary Software Composition Analysis
CodeSentry uses multiple component-matching algorithms to detect components across different instruction set architectures (ISAs) and compilers. These algorithms compute and compare code signatures built from properties ranging from lexical information, such as the contents of strings, to semantic abstractions of the high-level logic contained in functions.
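As an added illustration of the lexical end of that spectrum (not CodeSentry's own matching code), the following Python compares the strings embedded in a binary against per-version string fingerprints of known components and reports a match confidence; the component names, fingerprints and sample binary are all constructed for the example.

```python
import re
from typing import NamedTuple

# Added illustration of lexical (string-based) component matching. This is not CodeSentry's
# algorithm; the signatures and the sample binary below are constructed for the example.

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")  # printable ASCII runs of 6+ bytes, like `strings -n 6`

def extract_strings(blob: bytes) -> set:
    """Return the distinct printable strings embedded in a binary blob."""
    return {m.group().decode("ascii") for m in STRING_RE.finditer(blob)}

class ComponentSignature(NamedTuple):
    name: str
    version: str
    strings: frozenset  # lexical fingerprint captured from a known build of the component

def match_confidence(blob_strings: set, sig: ComponentSignature) -> float:
    """Fraction of the signature's strings present in the blob, from 0.0 to 1.0."""
    return len(blob_strings & sig.strings) / len(sig.strings) if sig.strings else 0.0

def detect_components(blob: bytes, signatures, threshold: float = 0.6) -> dict:
    """Map component name -> (version, confidence) for the best-scoring version of each
    component that reaches the threshold; builds sharing most strings are told apart
    by the strings unique to each (here the embedded version string)."""
    found = extract_strings(blob)
    best = {}
    for sig in signatures:
        conf = round(match_confidence(found, sig), 2)
        if conf >= threshold and conf > best.get(sig.name, ("", 0.0))[1]:
            best[sig.name] = (sig.version, conf)
    return best

# Constructed signatures: two builds of a hypothetical libexample and one of libother.
SIGNATURES = [
    ComponentSignature("libexample", "1.0.4", frozenset({
        "libexample version 1.0.4", "example_init failed", "invalid header", "buffer too small"})),
    ComponentSignature("libexample", "1.1.0", frozenset({
        "libexample version 1.1.0", "example_init failed", "invalid header",
        "buffer too small", "stream reset"})),
    ComponentSignature("libother", "2.3", frozenset({
        "libother 2.3", "other_open: %s", "checksum mismatch"})),
]

# Constructed stand-in for a stripped binary: opcode bytes interleaved with embedded strings.
SAMPLE_BINARY = (b"\x55\x48\x89\xe5" + b"libexample version 1.1.0\x00" + b"\x90" * 4
                 + b"example_init failed\x00invalid header\x00\xc3\x00\x01stream reset\x00")
```

The confidence is the share of a known build's fingerprint found in the binary, which is why the 1.1.0 build scores 0.8 while the 1.0.4 build, missing its version string, stays at 0.5 and is filtered out.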
Software Bill of Materials
The National Telecommunications and Information Administration (NTIA) defines a software bill of materials (SBOM)[5] as “a formal record containing the details and supply chain relationships of various components used in building software. These components, including libraries and modules, can be open source or proprietary, free or paid, and the data can be widely available or access-restricted.”
CodeSentry creates a software bill of materials (SBOM) and lists known vulnerabilities in the detected components, including any dependencies. CodeSentry continues to track these vulnerabilities throughout the software lifecycle.[6] The SBOM can be shipped alongside each application, making audit requests more reliable.
The NTIA was tasked with defining the minimum elements of an SBOM,[7] which include the following:
- Author Name: The author of the SBOM, usually the organization supplying the software.
- Supplier Name: The name of the software supplier, including any aliases. Supplier and author may differ when the supplier is making a claim on behalf of the author.
- Component Name: The name of the software component and possible aliases.
- Version String: The format of the version information is free form but should follow common industry usage.
- Component Hash: A cryptographic hash of the component is the most reliable way to identify it, acting as a unique identifier. Which hash is used is usually defined by the interchange format agreed upon by the industry.
- Unique Identifier: A unique identifier is needed for each component.
- Relationship: The relationship field defines the relationship between the component and the software package. In most cases, this relation is “includes” as in software package X includes component Y.
CodeSentry includes vulnerability information with each component in addition to the above list. These include:
- Component Match: This is the degree of confidence from the matching algorithm used by CodeSentry. Since the SBOM is automatically generated from binary code, matching to known components does have some degree of error.
- Security score: Based upon identified components and discovered vulnerabilities ranked by criticality, a security score is generated to highlight the risk of the software application.
- Path: The file path of the component.
- CVE Distribution: The distribution of discovered vulnerabilities by criticality (critical, high, medium and low).
Security Vulnerability Report
CodeSentry creates a vulnerability report as part of the SBOM generation which identifies vulnerabilities in the components. These vulnerabilities are uniquely identified and include descriptive information:
- Severity: The vulnerability severity from its CVE entry based upon CVSS scoring.
- CVSS score: The Common Vulnerability Scoring System value, between 0.0 and 10.0, used to prioritize vulnerabilities. The higher the score, the more likely the vulnerability is to be exploitable, to have a large impact and to affect a large part of the application or product. Critical vulnerabilities fall in the 9.0-10.0 range.
- CVSS version: The CVSS has been updated over time so the version is important when looking at vulnerabilities with the same score.
- CVE ID: The unique identifier of the vulnerability's entry in the National Vulnerability Database (NVD).
- Description: The text description provided by the CVE entry.
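Drawing the three lists above together, the following added Python example (not CodeSentry's output format) assembles an SBOM component record carrying the NTIA minimum elements, attaches a vulnerability report with CVSS-derived severity, and tallies the CVE distribution; the field names, identifier scheme, component data and CVE ids are constructed placeholders.

```python
import hashlib

# Added example: an SBOM component record with the NTIA minimum elements plus a vulnerability
# report with CVSS-derived severity. Field names, id scheme and sample data are constructed.

MINIMUM_ELEMENTS = ("author", "supplier", "name", "version", "hash", "id", "relationship")

def cvss_severity(score: float) -> str:
    """Band a CVSS base score. The page gives critical as 9.0-10.0; the other bands
    follow the CVSS v3.x qualitative scale (high 7.0-8.9, medium 4.0-6.9, low 0.1-3.9)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    bands = ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low"))
    return next((band for floor, band in bands if score >= floor), "none")

def component_record(author, supplier, name, version, content: bytes, path, match, vulns):
    """One SBOM entry: `content` is SHA-256 hashed for the Component Hash element, `match` is
    the detection confidence, each vuln dict carries cve_id, cvss_score and cvss_version."""
    record = {
        "author": author, "supplier": supplier, "name": name, "version": version,
        "hash": "sha256:" + hashlib.sha256(content).hexdigest(),
        "id": f"{supplier}/{name}@{version}",  # constructed identifier scheme
        "relationship": "includes",             # software package X includes component Y
        "path": path, "component_match": match,
        "vulnerabilities": [dict(v, severity=cvss_severity(v["cvss_score"])) for v in vulns],
    }
    missing = [f for f in MINIMUM_ELEMENTS if not record[f]]
    if missing:
        raise ValueError(f"record lacks NTIA minimum elements: {missing}")
    return record

def cve_distribution(components) -> dict:
    """Count vulnerabilities across all components by criticality band."""
    dist = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for comp in components:
        for vuln in comp["vulnerabilities"]:
            dist[vuln["severity"]] = dist.get(vuln["severity"], 0) + 1
    return dist

# Constructed SBOM for a hypothetical firmware image; the CVE ids are placeholders, not real entries.
SBOM = [
    component_record("ExampleCorp", "ExampleLibs", "libexample", "1.1.0", b"libexample-1.1.0-bytes",
                     "/usr/lib/libexample.so.1", 0.8,
                     [{"cve_id": "CVE-0000-0001", "cvss_score": 9.8, "cvss_version": "3.1"},
                      {"cve_id": "CVE-0000-0002", "cvss_score": 5.3, "cvss_version": "3.1"}]),
    component_record("ExampleCorp", "OtherVendor", "libother", "2.3", b"libother-2.3-bytes",
                     "/usr/lib/libother.so", 0.95,
                     [{"cve_id": "CVE-0000-0003", "cvss_score": 7.5, "cvss_version": "3.0"}]),
]
```

A record with an empty minimum element (for example a blank author) is rejected at construction time, so an SBOM that reaches an auditor always carries the seven NTIA fields.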
Supported Binary Formats and Languages
Instruction Set Architectures: x86-32, amd64, ARM
Languages: C; C++; Objective-C
Compression / Archive / Installation Formats: Zip (.zip); 7-Zip (.7z); Tar (.tar); Bzip (.bz2); Gzip (.gz); Windows Installer (.msi)
Binary Formats: Native binaries; Linux: executables, objects, archives, libraries (.o, .so, .a); Windows: executables, objects, libraries (.exe, .obj, .dll); Mac: executables, objects, libraries
References
- [1] "GrammaTech Introduces CodeSentry™ to Identify Security Blind Spots in Third Party Code". Bloomberg.com. 2020-10-27. Retrieved 2021-09-09.
- [2] Kashyap, Vineeth; Brown, David Bingham; Liblit, Ben; Melski, David; Reps, Thomas (2017-06-08). "Source Forager: A Search Engine for Similar Source Code". arXiv:1706.02769 [cs.SE].
- [3] Katz, Deborah S.; Ruchti, Jason; Schulte, Eric (2018-03-01). "Using recurrent neural networks for decompilation". 2018 IEEE 25th International Conference on Software Analysis, Evolution and Reengineering (SANER): 346–356. doi:10.1109/SANER.2018.8330222. ISBN 978-1-5386-4969-5.
- [4] "Open-source software vulnerabilities". Aerospace Manufacturing and Design. Retrieved 2021-09-09.
- [5] NTIA (November 16, 2020). "SBOM FAQ" (PDF). NTIA.
- [6] "GrammaTech Discovers Vulnerabilities in Third-Party Code". DevOps.com. 2020-10-27. Retrieved 2021-09-09.
- [7] NTIA (July 12, 2021). "NTIA Releases Minimum Elements for a Software Bill of Materials".
This article "CodeSentry" is from Wikipedia.
