CxOSA allows you to manage, control and prevent the security risks and legal implications introduced by open source components used as part of the development effort. CxOSA supports all the most common programming languages, enabling you to secure all their open source components in addition to the in-house developed code analysis coverage. For more information about code coverage, refer to Supported Code Languages in the CxOSA Release Notes.
Creating a project is currently dependent on CxSAST and is achieved as part of the CxSAST project creation. You can add CxOSA to any CxSAST project performing a scan. For more information about this subject, refer to Creating and Configuring Projects.
To configure a CxOSA project:
Click Projects & Scans > Projects. The Projects View is displayed.
The Projects View lists all the projects that are configured for the groups where the logged-on user is a member.
Select an existing project from the Projects list, or click Create New Project and define the new project configuration as you would if you were creating and configuring a project for CxSAST. For more information about this subject, see Creating and Configuring Projects.
Click the OSA tab. The CxOSA properties are displayed.
The OSA tab provides the option to define the location of the open source libraries to be scanned, as well as to resolve dependencies by running the install command for NPM and NuGet before performing an OSA scan.
To use this functionality, install the prerequisites specific to the dependencies you want to resolve. For more information about this subject, refer to Preparing the Environment for CxOSA.
Click Edit and configure the following CxOSA properties:
Local - open source libraries that are maintained locally. Once defined, navigate to the Consolidated Project State screen in order to access the local directory, select a compressed file (.zip) containing the project's open source libraries and run a CxOSA scan. For more information about this subject, refer to Consolidated Project State for CxOSA and Initiating a CxOSA Scan.
Shared - open source code libraries that are maintained on a network server accessible from the CxSAST Server. Click Select, provide your Windows domain credentials in order for CxSAST to access the network (username format: domain_name\user name), and select one or more network folders containing the project open source libraries.
There is currently no limitation to the open source library file size for CxOSA scans.
Resolve dependencies - select the checkbox to resolve dependencies by running the install command for NPM and NuGet before performing an OSA scan.
For new projects, OSA will, by default, identify scanned libraries using their relevant package managers.
Click Update to save the changes.
When performing scans from the CxServer, additional package managers may also need to be installed, depending on your environment and language. See Supported Languages and Package Managers for more information.