Semgrep Supply Chain (Team & Enterprise Tier)
Conceptual overview of Semgrep Supply Chain
Detect recently discovered security vulnerabilities in your codebase's open-source dependencies using Semgrep Supply Chain. Leverage Semgrep's code-scanning capabilities to run high-signal rules that determine whether a vulnerability is reachable. Semgrep Supply Chain evaluates each dependency on two criteria: the version recorded in your lockfile, and whether your codebase actually uses the vulnerable code.
Figure 1. Semgrep Supply Chain Vulnerabilities page.
Semgrep Supply Chain parses lock files for a list of dependencies, then scans your codebase using rules written with Semgrep's pattern syntax. Supply Chain rules specify the following:
- The range of versions that contain the dependency's vulnerability.
- A pattern for vulnerable code, such as passing in unsanitized data.
- The severity of the vulnerability.
Semgrep Supply Chain generates a finding when it detects a match. If the dependency's version is within the vulnerable range and Semgrep finds the matching code in your codebase, the finding is reachable.
A finding is unreachable if the dependency contains a known vulnerability, but the vulnerable matching code is not used in your codebase.
A finding is undetermined if Semgrep detects a match for the dependency in the vulnerable version range, but does not have a reachability rule for this vulnerability. This is most common with older or lower severity vulnerabilities.
Undetermined findings are generated by Semgrep Supply Chain lockfile-only rules, which are rules that do not perform reachability analysis. These findings are generated by checking the dependency's version in its lock or manifest file against versions with known vulnerabilities. These rules are on par with GitHub Dependabot.
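To make the three finding states concrete, here is an added Python example that mimics the classification described above. It is not Semgrep's code and not a Supply Chain rule file: the `Rule` class, the `vulnerable_below` field, the regex stand-ins for Semgrep patterns, the version boundaries, and the lockfile and source text are all constructed for the illustration. Real rules use Semgrep pattern syntax and the version range from the advisory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed lockfile, requirements.txt style with pinned versions (not real project data).
LOCKFILE = """\
# generated by pip-compile (constructed sample)
requests==2.25.1
pyyaml==5.3.1
jinja2==3.1.2
"""

# Constructed first-party source that the reachability patterns are matched against.
SOURCE = """\
import yaml
import requests
from jinja2 import Environment

def load_config(text):
    return yaml.load(text)          # no Loader argument: the vulnerable usage

def fetch(url):
    return requests.get(url, timeout=5)

env = Environment(autoescape=True)  # safe usage, so the jinja2 pattern does not match
"""


@dataclass(frozen=True)
class Rule:
    package: str
    vulnerable_below: str       # illustrative "< X" range; real advisories carry their own ranges
    severity: str
    pattern: Optional[str]      # regex stand-in for a Semgrep pattern; None marks a lockfile-only rule


# Hypothetical rules: the version boundaries are assumptions for the example, not advisory data.
RULES = [
    Rule("pyyaml", "5.4", "HIGH", r"\byaml\.load\((?![^)]*Loader=)"),
    Rule("jinja2", "3.1.3", "MEDIUM", r"Environment\([^)]*autoescape=False"),
    Rule("requests", "2.31.0", "MEDIUM", None),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric tuple for comparison; enough for the pinned x.y.z versions in this example."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_lockfile(text: str) -> dict:
    """Return {package_name: pinned_version} from requirements.txt-style '==' lines."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, version = line.partition("==")
        if sep:
            deps[name.strip().lower()] = version.strip()
    return deps


def classify(rules: List[Rule], lockfile: str, source: str) -> List[Tuple[str, str, str, str]]:
    """Emit (package, version, severity, status) for each rule whose version range matches the lockfile."""
    deps = parse_lockfile(lockfile)
    findings = []
    for rule in rules:
        version = deps.get(rule.package)
        if version is None:
            continue                    # dependency not present: no finding at all
        if parse_version(version) >= parse_version(rule.vulnerable_below):
            continue                    # fixed version installed: no finding
        if rule.pattern is None:
            status = "undetermined"     # lockfile-only rule: version matched, no reachability analysis
        elif re.search(rule.pattern, source):
            status = "reachable"        # vulnerable version AND the vulnerable code pattern is used
        else:
            status = "unreachable"      # vulnerable version, but the pattern never appears in the code
        findings.append((rule.package, version, rule.severity, status))
    return findings


if __name__ == "__main__":
    for finding in classify(RULES, LOCKFILE, SOURCE):
        print("%-9s %-8s %-7s %s" % finding)
```

Running it yields one finding per rule: pyyaml is reachable (vulnerable version and `yaml.load` without a `Loader`), jinja2 is unreachable (vulnerable version, but the unsafe `autoescape=False` pattern never appears), and requests is undetermined (version in range, but the rule is lockfile-only). Bumping the pins to the fixed versions removes all three.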
In Semgrep Cloud Platform, specific findings of a dependency and code match are called usages. Usages are grouped by their vulnerability. Vulnerabilities in Semgrep Supply Chain typically have a CVE number corresponding to the record in the CVE Program.
Semgrep Cloud Platform also includes a list of Advisories for reference. Advisories include all vulnerabilities covered by Semgrep Supply Chain, regardless of whether the related dependency is used in scanned code.
- Semgrep ingests CVEs and security advisories from sources such as GitHub Security Advisory to ensure effective rule coverage.
- Semgrep, Inc. processes new CVEs and security advisories at least daily to perform the following:
- Generation of new rules for new security advisories.
- Updating of rules based on changes to prior security advisories.
The following diagram displays the relationship between a Supply Chain rule, the lockfile, and the codebase being scanned:
Figure 2. Relationship between a Supply Chain rule, lockfile, CVE record, and codebase.
Semgrep and Semgrep Supply Chain
The following table displays differences between Semgrep and Semgrep Supply Chain.
Feature | Semgrep | Semgrep Supply Chain |
---|---|---|
Type of tool | Static application security testing (SAST) | Software composition analysis (SCA) |
Scan target | First-party code (your codebase or repository) | Open source dependencies |
Triage workflow | Findings can be categorized as: | Findings can be categorized as: |
Remediation workflow | Code refactoring | Upgrading or removing the dependency, code refactoring |
Notification channels | Slack, Email, Webhooks | Slack |
Language support
Refer to Supported languages to see all languages supported by Semgrep Supply Chain.
Transitive dependencies and reachability analysis
See SSC glossary > Transitivity for a definition of a transitive dependency.
- Semgrep Supply Chain does not perform reachability analysis for transitive dependencies. It does not scan the source code of your dependencies to determine whether their own dependencies produce a reachable finding.
- Semgrep Supply Chain supports scanning for transitive (indirect) dependencies in all of its supported languages. Findings are collected and displayed in Semgrep Cloud Platform > Supply Chain.
- In most cases, Semgrep Supply Chain generates reachable findings only for direct dependencies. However, certain dependencies are vulnerable simply through their inclusion in a codebase. Semgrep Supply Chain generates reachable findings for these dependencies even when they are transitive.
In some package ecosystems, it's possible to use a transitive dependency in your code as if it were a direct dependency (for example, npm's flat `node_modules` layout lets a project require a package that only one of its dependencies declared). This is uncommon, but when reachability rules are available Semgrep does scan for these direct usages, and it marks a transitive dependency as unreachable if your code does not use it directly.
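The following added Python example (not Semgrep's code or any rule shipped with it) applies the transitive-dependency rules above to a constructed npm-style lockfile. The package names, versions, dependency graph, source file, `Rule` fields (`vulnerable_below`, `pattern`, `vulnerable_by_inclusion`) and regex stand-ins for Semgrep patterns are all assumptions made for the illustration. It also records which direct dependency pulled each transitive package in, which is what you need to know when the remediation is "upgrade the dependency".

```python
import re
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed lockfile contents (names and versions are made up for this example):
# each resolved package with its version and the packages it requires.
LOCKFILE = {
    "webfw":       {"version": "4.1.0", "requires": ["querystr", "logger"]},
    "querystr":    {"version": "6.5.2", "requires": []},
    "logger":      {"version": "2.6.9", "requires": ["timeparse"]},
    "timeparse":   {"version": "2.0.0", "requires": []},
    "streamkit":   {"version": "3.3.6", "requires": ["hidden-util"]},
    "hidden-util": {"version": "0.1.1", "requires": []},
}
# Direct dependencies declared in the project's manifest (constructed).
MANIFEST_DEPS = ["webfw", "streamkit"]

# Constructed first-party source. 'querystr' is only a transitive dependency of webfw,
# but a flat node_modules layout lets the project require it directly anyway.
SOURCE = """\
const app = require('webfw')();
const qs = require('querystr');
app.get('/', (req, res) => res.json(qs.parse(req.url.split('?')[1] || '')));
"""


@dataclass(frozen=True)
class Rule:
    package: str
    vulnerable_below: str                   # illustrative "< X" range, not real advisory data
    pattern: Optional[str]                  # regex stand-in for a Semgrep reachability pattern; None = lockfile-only
    vulnerable_by_inclusion: bool = False   # installing the package is itself the problem


# Hypothetical rules for the constructed packages above.
RULES = [
    Rule("webfw", "4.2.0", r"\.get\("),                                 # direct dependency, used
    Rule("querystr", "6.6.0", r"\.parse\("),                            # transitive, but required directly
    Rule("timeparse", "2.1.0", r"\btimeparse\("),                       # transitive, not required directly
    Rule("hidden-util", "0.2.0", None, vulnerable_by_inclusion=True),   # transitive, vulnerable on inclusion
    Rule("logger", "3.0.0", None),                                      # transitive, lockfile-only rule
]


def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in re.findall(r"\d+", version))


def introduced_by(lockfile: dict, manifest_deps: List[str]) -> Dict[str, str]:
    """Map every resolved package to the direct dependency that pulled it in (BFS from the manifest)."""
    origin: Dict[str, str] = {}
    queue = deque()
    for root in manifest_deps:
        origin[root] = root
        queue.append(root)
    while queue:
        pkg = queue.popleft()
        for child in lockfile.get(pkg, {}).get("requires", []):
            if child not in origin:
                origin[child] = origin[pkg]
                queue.append(child)
    return origin


def directly_required(package: str, source: str) -> bool:
    """True if first-party code requires the package itself, not just a dependency that uses it."""
    return re.search(r"require\(['\"]" + re.escape(package) + r"['\"]\)", source) is not None


def classify(rules: List[Rule], lockfile: dict, manifest_deps: List[str], source: str):
    """Emit (package, version, direct|transitive, introduced_by, status) per matching rule."""
    origin = introduced_by(lockfile, manifest_deps)
    direct = set(manifest_deps)
    findings = []
    for rule in rules:
        entry = lockfile.get(rule.package)
        if entry is None or parse_version(entry["version"]) >= parse_version(rule.vulnerable_below):
            continue                          # absent or already fixed: no finding
        kind = "direct" if rule.package in direct else "transitive"
        if rule.vulnerable_by_inclusion:
            status = "reachable"              # inclusion alone is enough, transitive or not
        elif rule.pattern is None:
            status = "undetermined"           # lockfile-only rule: version matched, no reachability analysis
        elif kind == "transitive" and not directly_required(rule.package, source):
            status = "unreachable"            # the dependency's own callers are not scanned
        elif re.search(rule.pattern, source):
            status = "reachable"
        else:
            status = "unreachable"
        findings.append((rule.package, entry["version"], kind, origin.get(rule.package), status))
    return findings


if __name__ == "__main__":
    for finding in classify(RULES, LOCKFILE, MANIFEST_DEPS, SOURCE):
        print("%-12s %-6s %-10s via %-9s %s" % finding)
```

The output shows each case from the list above: the direct dependency `webfw` is reachable through its pattern; `querystr` is transitive yet reachable because the project requires it directly; `timeparse` is transitive and marked unreachable without any look at its callers inside `logger`; `hidden-util` is reachable purely by inclusion; and `logger` is undetermined because its rule is lockfile-only. The `introduced_by` column tells you that upgrading `webfw` or `streamkit` is the remediation path for the transitive findings.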
Next steps: Scanning your codebase
To scan your codebase, follow the instructions in Scanning open source dependencies.
Additional references
- Software supply chain security is hard
- The best free, open-source supply-chain security tool? The lockfile