SOI stands for 'Sonatype OSS Index'. It is a tool developed by Uleska that performs software composition analysis (SCA) against a code repository to find vulnerable third-party libraries.
OSS Index works by taking your source code and running it through a tool called ORT (https://oss-review-toolkit.org/) to produce an SBOM (https://owasp.org/www-community/Component_Analysis#Software_Bill-of-Materials_.28SBOM.29). The SOI tool then uses this SBOM to list the dependencies of the software and checks each of them against the Sonatype OSS Index (https://ossindex.sonatype.org/) list of known issues.
| | |
|---|---|
| Security Stage | SCA (Software Composition Analysis) |
| Site | None - created by Uleska |

| | |
|---|---|
| 1 | You'll need a Git address to scan |
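The SBOM-to-OSS-Index check described above, written out as an added example (this is not Uleska's SOI code). It assumes a CycloneDX JSON SBOM whose components carry Package URLs (purls), and that the OSS Index v3 `component-report` endpoint accepts `{"coordinates": [...]}` and returns one report per coordinate with a `vulnerabilities` list; the per-request batch size and the response field names are assumptions.

```python
"""Walk an SBOM's components and check each purl against Sonatype OSS Index."""
import base64
import json
import urllib.request

OSS_INDEX_URL = "https://ossindex.sonatype.org/api/v3/component-report"
BATCH_SIZE = 128  # assumed per-request coordinate limit of the API

# Constructed sample SBOM in CycloneDX form (not real ORT output).
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "components": [
    {"name": "lodash", "version": "4.17.15", "purl": "pkg:npm/lodash@4.17.15"},
    {"name": "leftpad", "version": "1.0.0"},  # no purl: cannot be looked up
]}


def sbom_coordinates(sbom):
    """Return the purls an SBOM lists; components without a purl are skipped."""
    return [c["purl"] for c in sbom.get("components", []) if c.get("purl")]


def post_json(url, body, api_user=None, api_token=None):
    """Default transport: POST a JSON body to OSS Index, with optional Basic auth."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    if api_user and api_token:
        cred = base64.b64encode(f"{api_user}:{api_token}".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def check_sbom(sbom, transport=post_json):
    """Query OSS Index in batches; map each purl to its reported (id, cvssScore) pairs.

    `transport` is injectable so the logic can be exercised offline with a
    constructed response instead of a live API call.
    """
    coords = sbom_coordinates(sbom)
    findings = {}
    for i in range(0, len(coords), BATCH_SIZE):
        batch = {"coordinates": coords[i:i + BATCH_SIZE]}
        for report in transport(OSS_INDEX_URL, batch):
            vulns = report.get("vulnerabilities", [])  # assumed response field
            findings[report["coordinates"]] = [
                (v.get("id"), v.get("cvssScore")) for v in vulns]
    return findings


def vulnerable_components(findings):
    """Purls with at least one reported issue, highest CVSS score first."""
    hits = {p: v for p, v in findings.items() if v}
    return sorted(hits, key=lambda p: max(s or 0 for _, s in hits[p]), reverse=True)
```

Components without a purl never reach the index, so a scan that reports "no issues" for them is silence, not a clean bill of health.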
Using the SOI tool involves three steps:

1. One-time setup step to access the Sonatype OSS Index.
2. Now that you have an account and API token details, let's get the Uleska Platform to talk to it.
3. Add the SOI tool to your set of security tests. You will add this testing tool to a version (security stage) that is set up to run static code analysis tests.

Now, any time you click 'Test Now' with this ToolKit, or make a request over the Uleska API or CLI with this ToolKit, the 'SOI' tool will be included in the test run and any results added to your vulnerabilities list.