Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/hysnsec/awesome-sca
A curated list of Software Component Analysis (SCA) books, courses - free and paid, videos, tools, and tutorials.
List: awesome-sca
component-analysis practical-devsecops sca snyk software-composition-analysis vulnerability-databases
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/hysnsec/awesome-sca
- Owner: hysnsec
- License: cc0-1.0
- Created: 2021-05-29T18:39:31.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2022-09-14T06:15:17.000Z (about 2 years ago)
- Last Synced: 2024-05-20T10:04:08.274Z (6 months ago)
- Topics: component-analysis, practical-devsecops, sca, snyk, software-composition-analysis, vulnerability-databases
- Homepage: https://practical-devsecops.com/
- Size: 246 KB
- Stars: 89
- Watchers: 9
- Forks: 28
- Open Issues: 1
Metadata Files:
- Readme: README.md
- Contributing: Contributing.md
- License: LICENSE
Awesome Lists containing this project
- ultimate-awesome - awesome-sca - A curated list of Software Component Analysis (SCA) books, courses - free and paid, videos, tools, and tutorials. (Other Lists / PowerShell Lists)
README
# Awesome Software Component Analysis(SCA)
![Awesome SCA Image](images/awesome-sca.png)
A curated list of Software Component Analysis (SCA) books, courses (free and paid), videos, tools and tutorials. SCA is a technique for finding known-vulnerable third-party components used in your code.
Contributions welcome. Add links through pull requests or create an issue to start a discussion.
# Table of Contents
- [Books](#books)
- [Articles](#articles)
- [Courses](#courses-and-training)
- [Free Tools](#free-tools)
- [Commercial Tools](#commercial-tools)
- [Vulnerability Databases](#sca-vulnerability-databases)
- [References](#references)
- [Credits](#credits)
- [Contributing](#contributing)

## Books
* [Securing Open Source Libraries](https://www.safaribooksonline.com/library/view/securing-open-source/9781491996980/) by Guy Podjarny

## Articles
* [Component Analysis from OWASP](https://owasp.org/www-community/Component_Analysis)
* [Guide to Software Composition Analysis (SCA) by Snyk](https://snyk.io/blog/what-is-software-composition-analysis-sca-and-does-my-company-need-it/)

## Courses and Training
*Courses/videos on SCA.*
### Free
- [Software Composition Analysis Deep Dive by Ulisses Albuquerque](https://www.youtube.com/watch?v=F2FfaSX_55A)
### Paid
- [DevSecOps Professional by Practical DevSecOps](https://www.practical-devsecops.com/certified-devsecops-professional/)
- [SANS 540 - Cloud Security and DevSecOps Automation](https://www.sans.org/cyber-security-courses/cloud-security-devsecops-automation/)

## Free Tools
### JavaScript
Client-side libraries:
* [Retire.js](https://github.com/RetireJS/retire.js)

Backend libraries:
* [NPM Audit](https://docs.npmjs.com/cli/v7/commands/npm-audit)
* [AuditJS](https://github.com/sonatype-nexus-community/auditjs)

### Ruby
* [bundler-audit](https://github.com/rubysec/bundler-audit)
* [Chelsea](https://github.com/sonatype-nexus-community/chelsea)

### Java
* [Dependency-Check](https://github.com/jeremylong/DependencyCheck)

### Python
* [Safety from Pyup](https://github.com/pyupio/safety)

### PHP
* [Local PHP Security Checker](https://github.com/fabpot/local-php-security-checker)

### Golang
* [Nancy](https://github.com/sonatype-nexus-community/nancy)

### .NET
* [dotnet CLI](https://devblogs.microsoft.com/nuget/how-to-scan-nuget-packages-for-security-vulnerabilities/#dotnet-cli)
* [Dependency-Check](https://github.com/jeremylong/DependencyCheck)
* [WhiteSource Bolt](https://www.whitesourcesoftware.com/free-developer-tools/bolt/) (free offering that currently works within Azure DevOps or GitHub)

## Commercial Tools
Most commercial SCA tools support multiple programming languages (Java, Python, Ruby, Go, PHP, .NET, Scala) and also perform license scans.
* [Snyk](https://snyk.io/)
* [SourceClear](https://www.sourceclear.com/)
* [Sonatype](https://www.sonatype.com/)
* [BlackDuck](https://www.blackducksoftware.com/solutions/application-security)
* [Contrast Security](https://www.contrastsecurity.com/interactive-application-security-testing-iast)
* [WhiteSource](https://www.whitesourcesoftware.com/whitesource-languages/)
* [Whitehat SCA](https://www.whitehatsec.com/products/static-application-security-testing/software-composition-analysis/)
* [Debricked](https://debricked.com/)

## SCA Vulnerability Databases
* [National Vulnerability Database](https://nvd.nist.gov/)
* [Snyk Vulnerabilitydb](https://github.com/snyk/vulnerabilitydb)
* [VulnDB Data Mirror](https://github.com/stevespringett/vulndb-data-mirror)
* [NIST Data Mirror](https://github.com/stevespringett/nist-data-mirror)
* [Exploit Database](https://www.exploit-db.com/webapps/)

## Credits
* This repo is based on the original work done by our friend [@raghunath24](https://github.com/raghunath24)
## Sponsor
![Practical DevSecOps](images/practical-devsecops-logo.png)
## Contributing
Please refer to the guidelines in [Contributing.md](Contributing.md) for details.