Qualys - Software Composition Analysis (SwCA) Overview

This document provides an overview of the Qualys Software Composition Analysis feature.

Qualys Software Composition Analysis (SwCA) provides real-time visibility into the open-source software (OSS) and commercial libraries embedded within your applications. Qualys SwCA uses the Qualys Cloud Agent to scan Windows and Linux assets for programming language-based packages and detects vulnerabilities in libraries such as Log4j or OpenSSL. The Qualys Cloud Agent goes beyond the limitations of traditional package managers (like yum or apt) and can detect libraries manually dropped onto a system or nested within other packages. Qualys SwCA gives administrators a comprehensive view for monitoring and remediating supply chain risks.
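To illustrate why a library nested within another package is invisible to yum or apt yet still discoverable on disk, the sketch below walks a Java archive recursively and reads the Maven `pom.properties` metadata of every component it contains. It is an added example, not Qualys code and not a description of how the Cloud Agent works internally; the function names, the size limit, and the in-memory sample archive are constructed for this illustration.

```python
import io
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
MAX_MEMBER_BYTES = 64 * 1024 * 1024  # assumed limit: skip oversized members (zip-bomb guard)

def parse_pom_properties(data):
    """Parse Maven's pom.properties: key=value lines, '#' starts a comment."""
    props = {}
    for line in data.decode("utf-8", "replace").splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def scan_archive(blob, location, depth=0, max_depth=5):
    """Yield (location, groupId, artifactId, version) for each Maven component,
    recursing into archives nested inside the archive."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return  # not a readable archive; nothing to report
    with zf:
        for info in zf.infolist():
            name = info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                continue
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                p = parse_pom_properties(zf.read(info))
                yield (location, p.get("groupId"), p.get("artifactId"), p.get("version"))
            elif name.lower().endswith(ARCHIVE_EXTS) and depth < max_depth:
                yield from scan_archive(zf.read(info), f"{location}!/{name}", depth + 1, max_depth)

def make_zip(entries):
    """Build an in-memory ZIP from a {member name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def build_sample():
    """Constructed sample: an application JAR with a library JAR nested inside it."""
    lib = make_zip({"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
                    b"#Constructed sample\ngroupId=org.apache.logging.log4j\n"
                    b"artifactId=log4j-core\nversion=2.14.1\n"})
    return make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                     "BOOT-INF/lib/log4j-core-2.14.1.jar": lib})

if __name__ == "__main__":
    for finding in scan_archive(build_sample(), "app.jar"):
        print(finding)
```

The reported location uses `!/` to show the nesting path, so a finding can be traced back to the outer application archive that has to be rebuilt or replaced.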

The output of Qualys SwCA can be viewed either in the Qualys Cloud Agent module for a single host or in the Qualys Global Asset View across all hosts. Samples of Qualys SwCA output are shown in the screenshots below.

From Qualys Cloud Agent -> Software Component tab:

[Screenshot: list of software components from Qualys Cloud Agent]

From Qualys Global Asset View:

[Screenshot: Qualys Global Asset View with component filter applied and list of components]

FAQ

  • What operating system is this supported on?
    • This is currently supported for Windows and Linux Cloud Agents.
  • What languages are supported?
  • How can I filter for/out vulnerability detection from Qualys SwCA?
    • The query below filters for only Qualys SwCA vulnerability findings; appending a "not" removes all Qualys SwCA vulnerability findings.
      vulnerabilities.vulnerability.category:`SCA`
  • My Qualys console does not show any software components. What should I do?
    • Contact the Office of Cybersecurity at cybersecurity@cio.wics.edu and a Qualys tools administrator will review your Qualys Cloud Agent configurations.


Doc ID:
160372
Owned by:
Jennifer K. in Cybersecurity Testing and Cyber Defense
Created:
2026-03-31
Updated:
2026-04-01
Sites:
Cybersecurity Testing and Cyber Defense, Cybersecurity Vulnerability Management, Office of Cybersecurity