What is SOI?
SOI stands for 'Sonatype OSS Index'. It is a tool developed by Uleska that performs software composition analysis (SCA) against a code repository to find vulnerable third-party libraries.
The SOI tool works by taking your source code and running it through ORT, the OSS Review Toolkit (https://oss-review-toolkit.org/), to produce an SBOM (https://owasp.org/www-community/Component_Analysis#Software_Bill-of-Materials_.28SBOM.29). SOI then uses that SBOM to list the software's dependencies and checks each one against the Sonatype OSS Index (https://ossindex.sonatype.org/) database of known vulnerabilities. Because the check is driven by the SBOM, a dependency that ORT cannot resolve (for example, a vendored or unpinned library) is not looked up and will not appear in the results.
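The pipeline above, SBOM in, OSS Index findings out, as an added example that is not Uleska's or Sonatype's code. It assumes a CycloneDX JSON SBOM (one of the formats ORT can emit) and the public OSS Index v3 component-report endpoint, which takes package URLs (purls) in batches of at most 128 and authenticates with HTTP Basic using the account e-mail and API token. The SBOM, the component names and the response are all constructed for the demo; the network call only runs when OSSINDEX_USER and OSSINDEX_TOKEN are set.

```python
"""Offline model of the SOI pipeline: SBOM -> package URLs -> OSS Index lookup.

Added example, not Uleska's code. Assumes a CycloneDX JSON SBOM and the
OSS Index v3 component-report endpoint; everything below marked
"constructed" is sample data, not real tool output.
"""
import base64
import json
import os
import urllib.request

OSSINDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
MAX_COORDINATES = 128  # OSS Index rejects batches larger than this

# Constructed sample SBOM in CycloneDX 1.4 JSON form (not real ORT output).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "widget", "version": "1.0.0",
         "purl": "pkg:maven/org.example/widget@1.0.0"},
        {"type": "library", "name": "example-http", "version": "2.0.0",
         "purl": "pkg:pypi/example-http@2.0.0"},
        {"type": "library", "name": "example-pad", "version": "1.3.0",
         "purl": "pkg:npm/example-pad@1.3.0"},
        {"type": "library", "name": "internal-lib"},               # no purl: cannot be looked up
        {"type": "library", "name": "example-http", "version": "2.0.0",
         "purl": "pkg:pypi/example-http@2.0.0"},                  # duplicate: de-duplicated
    ],
})


def extract_coordinates(sbom_json):
    """Return (unique version-pinned purls, names of components that were skipped).

    OSS Index keys its reports on the purl, so a component without one, or
    without a version, cannot be checked; report it rather than drop it silently.
    """
    bom = json.loads(sbom_json)
    seen, coords, skipped = set(), [], []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl or "@" not in purl:
            skipped.append(comp.get("name", "<unnamed>"))
            continue
        if purl not in seen:
            seen.add(purl)
            coords.append(purl)
    return coords, skipped


def batches(coords, size=MAX_COORDINATES):
    """Split the purl list into request-sized batches."""
    return [coords[i:i + size] for i in range(0, len(coords), size)]


def build_request(batch, user, token):
    """Build the POST to OSS Index for one batch of purls.

    The API token is a secret: the caller reads it from the environment,
    it is never hard-coded or logged.
    """
    body = json.dumps({"coordinates": batch}).encode()
    auth = base64.b64encode(f"{user}:{token}".encode()).decode()
    return urllib.request.Request(
        OSSINDEX_URL, data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Authorization": f"Basic {auth}"},
    )


def summarise_report(report):
    """Flatten a component-report response into (purl, vuln id, cvss, title)
    rows, highest CVSS first, so the worst finding per dependency is on top."""
    rows = []
    for entry in report:
        for v in entry.get("vulnerabilities", []):
            rows.append((entry["coordinates"], v.get("id"),
                         float(v.get("cvssScore") or 0.0), v.get("title", "")))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def lookup(coords, user, token):
    """Query OSS Index batch by batch and return the merged report list."""
    report = []
    for batch in batches(coords):
        with urllib.request.urlopen(build_request(batch, user, token), timeout=30) as resp:
            report.extend(json.load(resp))
    return report


# Constructed response in the shape of the v3 API (ids and titles are placeholders).
SAMPLE_REPORT = [
    {"coordinates": "pkg:maven/org.example/widget@1.0.0",
     "vulnerabilities": [
         {"id": "example-1", "title": "Constructed high-severity finding", "cvssScore": 9.8},
         {"id": "example-2", "title": "Constructed medium finding", "cvssScore": 5.3}]},
    {"coordinates": "pkg:pypi/example-http@2.0.0", "vulnerabilities": []},
    {"coordinates": "pkg:npm/example-pad@1.3.0", "vulnerabilities": []},
]

if __name__ == "__main__":
    coords, skipped = extract_coordinates(SAMPLE_SBOM)
    user, token = os.environ.get("OSSINDEX_USER"), os.environ.get("OSSINDEX_TOKEN")
    report = lookup(coords, user, token) if user and token else SAMPLE_REPORT
    for purl, vid, score, title in summarise_report(report):
        print(f"{score:4.1f}  {purl}  {vid}  {title}")
    if skipped:
        print("not checked (no versioned purl):", ", ".join(skipped))
```

The list of skipped components is the check worth keeping in a real pipeline: an SCA run that silently ignores unresolved dependencies reports a clean result for code it never examined.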
| | |
|---|---|
| Security Stage | SCA (Software Composition Analysis) |
| Site | None - created by Uleska |
| Prerequisites | 1. You'll need a Git address to scan |
How do I set it up?
Using the SOI tool involves three steps:
1. A one-time setup step to get access to the Sonatype OSS Index (an account and its API token).
2. A one-time configuration of a connection in Uleska for your Sonatype OSS Index account.
3. Adding the tool to your toolkit, i.e. to the security stage that will run it.
Now that you have an account and API token details, let's get the Uleska Platform to talk to it.
Adding the tool to your toolkit
Add the SOI tool to your set of security tests. Attach it to a version (security stage) that is set up to run static code analysis tests, since SOI works from the repository source rather than a running application.
From then on, any time you click 'Test Now' for that stage of testing, or request that stage over the Uleska API or CLI, the SOI tool is included in the test run and its findings are added to your vulnerabilities list.