Frequently asked questions (FAQ)
Browse our FAQ section for detailed answers to common questions about using OpenText Core SCA.
Last updated
Was this helpful?
Browse our FAQ section for detailed answers to common questions about using OpenText Core SCA.
Last updated
Was this helpful?
OpenText Core SCA is a Software as a Service (SaaS) solution currently.
OpenText Core SCA utilizes manifest-based scanning, which effectively identifies security issues across a wide range of file formats. While binary scanning is often considered superior due to its ability to produce fewer false positives, it can overlook critical security vulnerabilities, supply chain attacks, and . Additionally, binary scanning does not account for test and build dependencies, which can still present risks, unlike manifest-based scanning.
Manifest-based scanning identifies components listed in your dependency files, while binary scanning analyzes and fingerprints binary files. Binary scanning can be useful when source code or package managers for installing dependencies are unavailable. However, it does not include development and test dependencies, which can pose significant risks. Manifest-based scanning is more effective at identifying vulnerabilities and compliance issues, making it better suited for the developer workflow. For vendor code and C++/C scanning, OpenText Core SCA can if the vendor provides one.
Ultimately, the decision between manifest scanning and binary scanning depends on your workflow and objectives. At OpenText Core SCA, we emphasize and tools that enable developers to identify and resolve issues swiftly and accurately. This is why we concentrate on manifest scanning.
OpenText Core SCA service detects any open-source vulnerabilities in your repository, drawing information from various sources, including but not limited to the NVD Database, NPM, C# Announcements, FriendsOfPHP’s security advisories, the Go Vulnerability Database, the PyPA Python Advisory Database, GitHub Issues, GitHub Security Advisories, mailing lists, and more. These sources are updated every 15 minutes to ensure that we identify as many vulnerabilities as possible.
If you think OpenText Core SCA has identified an incorrect dependency, you can .
Increased computation is when the number of available workers is increased to allow scanning more number of files simultaneously. This greatly enhances the scan speed for enterprise customers.
When root fixes cause issues in the code, you should manually update the dependencies. There is always a risk of breaking changes when updating these dependencies, and the extent of that risk varies with each update. While the risk is not inherently greater with root fixes than with indirect fixes, OpenText Core SCA ensures that dependency tree is not compromised by introducing a version of a dependency incompatible with its upstream dependencies.
You must wait one hour before you can request a second password reset.
You can export licenses, including both licenses and dependencies, in an Excel format, which allows you to create a pie chart. Alternatively, use the API for assistance.
When a developer commits code, the code is scanned irrespective of the size of the committed changes
There are several ways to run OpenText Core SCA service.
Manually upload your dependency files.
Integrate Debricked service into your test pipelines through Platforms such as GirHub or GitLab.
Debricked examines averages and reviews the list of committers on a monthly basis. As many businesses have a certain number of "non-developer" committers for a limited time, the customers are expected to determine the actual number of contributing developers and incorporate the information into the contract.
Debricked implements the following measures to prevent and detect vulnerabilities:
Use own service to find known vulnerabilities in dependencies
Conduct third-party penetration tests
Continuously run own penetration tests internally
Customer data is stored using Google Cloud Platform (GCP) as the service provider, located in Netherlands.
, which is an Enterprise feature, enables granting and enforcing access to functionalities and integrated repositories by assigning predefined roles to users.