© 2018-2024 | Open Text
Frequently asked questions (FAQ)

Browse our FAQ section for detailed answers to common questions about using OpenText Core SCA.

Last updated 7 days ago


Is OpenText Core SCA’s service on prem or SaaS?

OpenText Core SCA is currently a Software as a Service (SaaS) solution.

What type of scanning does OpenText Core SCA do?

OpenText Core SCA uses manifest-based scanning, which effectively identifies security issues across a wide range of file formats. While binary scanning is often considered superior because it produces fewer false positives, it can overlook critical security vulnerabilities, supply chain attacks, and licensing problems. Additionally, unlike manifest-based scanning, binary scanning does not account for test and build dependencies, which can still present risks.

Manifest-based scanning identifies the components listed in your dependency files, while binary scanning analyzes and fingerprints binary files. Binary scanning can be useful when source code or the package managers used to install dependencies are unavailable. However, it does not include development and test dependencies, which can pose significant risks. Manifest-based scanning is more effective at identifying vulnerabilities and compliance issues, making it better suited to the developer workflow. For vendor code and C/C++ scanning, OpenText Core SCA can scan an SBOM if the vendor provides one.

Ultimately, the choice between manifest scanning and binary scanning depends on your workflow and objectives. At OpenText Core SCA, we emphasize automation and tools that enable developers to identify and resolve issues swiftly and accurately. This is why we concentrate on manifest scanning.
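To make the difference concrete, the following is an added example (not OpenText Core SCA or Debricked code) of what manifest-based scanning does: it parses a constructed package.json-style manifest, collects both runtime and development dependencies, and matches each declared version against a constructed advisory list. All package names, versions and advisory identifiers are made up for the example; the version-range matching is a simplified stand-in for real semver handling.

```python
"""Toy manifest-based dependency scan (added example, not the product's code).

Parses a constructed package.json, collects runtime and dev dependencies,
and matches each declared version against a constructed advisory list.
All package names, versions and advisory identifiers are made up.
"""
import json

# Constructed sample manifest (hypothetical packages and versions).
MANIFEST = json.dumps({
    "name": "demo-app",
    "dependencies": {"left-utils": "1.2.3", "http-shim": "4.0.1"},
    "devDependencies": {"test-runner": "2.0.0"},
})

# Constructed advisory feed: package, first affected version,
# first fixed version, and a placeholder advisory id.
ADVISORIES = [
    {"package": "http-shim", "introduced": "3.0.0", "fixed": "4.1.0", "id": "EXAMPLE-2024-0001"},
    {"package": "test-runner", "introduced": "0.0.0", "fixed": "2.1.0", "id": "EXAMPLE-2024-0002"},
    {"package": "left-utils", "introduced": "2.0.0", "fixed": "2.0.5", "id": "EXAMPLE-2024-0003"},
]


def parse_version(spec):
    """Turn a dotted version into a comparable tuple.

    Strips a leading range operator (^, ~, =, v) so a caret-pinned manifest
    entry is compared by its base version; a real scanner resolves the lock
    file instead of guessing from the range.
    """
    return tuple(int(part) for part in spec.lstrip("^~=v").split("."))


def parse_manifest(text):
    """Return [(name, version_spec, scope)] for runtime and dev dependencies.

    Dev dependencies are deliberately included: they are part of the build and
    test environment and carry the same supply-chain risk as runtime code.
    """
    doc = json.loads(text)
    found = []
    for scope in ("dependencies", "devDependencies"):
        for name, spec in doc.get(scope, {}).items():
            found.append((name, spec, scope))
    return found


def is_affected(version_spec, advisory):
    """True when introduced <= version < fixed (half-open range)."""
    version = parse_version(version_spec)
    return parse_version(advisory["introduced"]) <= version < parse_version(advisory["fixed"])


def scan(manifest_text, advisories):
    """Match every declared dependency against the advisory list."""
    hits = []
    for name, spec, scope in parse_manifest(manifest_text):
        for adv in advisories:
            if adv["package"] == name and is_affected(spec, adv):
                hits.append({"package": name, "version": spec,
                             "scope": scope, "advisory": adv["id"]})
    return hits


if __name__ == "__main__":
    for hit in scan(MANIFEST, ADVISORIES):
        print(f"{hit['scope']}: {hit['package']}@{hit['version']} -> {hit['advisory']}")
```

Running it reports two matches: the runtime dependency `http-shim` and the development dependency `test-runner`. The second match is the point of the example: a scan that only fingerprints shipped binaries would never see `test-runner`, while a manifest-based scan flags it because it is declared in the dependency file.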

How accurate is the service in finding a vulnerability?

The OpenText Core SCA service detects open-source vulnerabilities in your repository, drawing information from various sources, including but not limited to the NVD database, NPM, C# announcements, FriendsOfPHP's security advisories, the Go Vulnerability Database, the PyPA Python Advisory Database, GitHub Issues, GitHub Security Advisories, and mailing lists. These sources are updated every 15 minutes to ensure that we identify as many vulnerabilities as possible.

OpenText Core SCA has found a wrong dependency. What should I do?

If you think OpenText Core SCA has identified an incorrect dependency, you can manage and override your dependency matches using our CLI.

What is meant by “increased computation” for enterprise customers?

Increased computation means that the number of available workers is increased so that more files can be scanned simultaneously. This greatly improves scan speed for enterprise customers.

To what extent can root fixes break the code?

When root fixes cause issues in the code, you should manually update the dependencies. There is always a risk of breaking changes when updating dependencies, and the extent of that risk varies with each update. While the risk is not inherently greater with root fixes than with indirect fixes, OpenText Core SCA ensures that the dependency tree is not compromised by introducing a version of a dependency that is incompatible with its upstream dependencies.

How long do I need to wait before requesting a second password reset?

You must wait one hour before you can request a second password reset.

Is there a way to restrict what repositories certain users can see?

Role-Based Access Control, which is an Enterprise feature, enables granting and enforcing access to functionalities and integrated repositories by assigning predefined roles to users.

Is it possible to extract a pie chart or other visualization of the identified licenses and dependencies?

You can export license data, including both licenses and dependencies, in Excel format, which allows you to create a pie chart. Alternatively, use the API.

What do we classify as a “scan”?

When a developer commits code, the code is scanned irrespective of the size of the committed changes.

Does OpenText Core SCA run on a PC, or does it upload data to your servers?

There are several ways to run the OpenText Core SCA service:

  • Manually upload your dependency files.

  • Integrate the Debricked service into your test pipelines through platforms such as GitHub or GitLab.

How do you distinguish between frequent and sporadic contributors?

Debricked examines averages and reviews the list of committers on a monthly basis. As many businesses have a certain number of "non-developer" committers for a limited time, customers are expected to determine the actual number of contributing developers and incorporate that information into the contract.

What measures does Debricked implement to prevent and detect vulnerabilities?

Debricked implements the following measures to prevent and detect vulnerabilities:

  • Uses its own service to find known vulnerabilities in dependencies

  • Commissions third-party penetration tests

  • Continuously runs its own penetration tests internally

Where is Debricked’s data stored?

Customer data is stored on Google Cloud Platform (GCP), located in the Netherlands.