Product(s): Semgrep Supply Chain
Overall Comment: "Semgrep Supply Chain combines traditional software composition analysis with first-in-class reachability analysis, enabling software engineers to identify and resolve critical vulnerabilities rapidly without having to waste time understanding whether the vulnerability is relevant to their software application. Much like the other Semgrep products, Supply Chain benefits from low-click, easy integration with popular source code management systems and CI pipelines. This enables rapid scaling of scan coverage across an organisation. Reachability analysis is really where Semgrep Supply Chain sets itself apart from others. Where supported, Supply Chain will identify if your application is importing and making use of a vulnerable function from a third-party component, which differs from traditional software composition analysis solutions that just provide a list of vulnerabilities per third-party component. This means that engineering teams can focus on resolving vulnerabilities that directly impact their application without wasting time reviewing each and every vulnerability. Semgrep Supply Chain goes beyond vulnerable packages and enables organisations to understand license risk and identify malicious software components (beta at time of writing)."
Game-changing reachability analysis.
Low-click integration with source code management and CI systems.
Dedicated functionality to manage license risk and malicious software packages.
Semgrep Supply Chain relies on supported package managers in order to parse third-party components; it cannot parse software bills of materials, and some common package managers are missing.