# Open Source Libraries Scan (SCA)

{% embed url="https://youtu.be/zcvgQsCkSs0" %}

### Starting a Scan

We can start an online scan by clicking the **SCAN** button in the top right.

<figure><img src="https://lh6.googleusercontent.com/sF-IDM1q2a_FTcpYxw96oFPb4NET-L5ra-g_ZXRHfyAPQ9wY5Mt61evfSUuvCyr5716DR6_heUh0wgse7kNJLj4Y02-nqwiMRagwbtpxErEvXLjKujJikpvgMDFhTKytITYn6TiDFulljUL9p3tiGA01tikXmpfHiA9BkiUtfUD4umvXulqsEnVyPQ" alt=""><figcaption></figcaption></figure>

We choose GitHub for this example.

Once clicked, we need a repository to scan. For demonstration purposes we use **Vulnado**, an intentionally vulnerable Java application.

<figure><img src="https://lh4.googleusercontent.com/4sSjKi0y9xjBnbJgzbSx_-zx_Kybl0sOHbEwHs0S2OssbR1EpE9HC-WwAsN3DnBn9sm7WOqQFziQTDwlFaCKi-_IxDC-T6--1tl1SSJwGrfXwMrMvqTdI9ZnjoMTUP9p2Wm0n-aTsfsu9HD_Rt5xliNx9lZ6AC1qVwiBfRhbzxRi3Zkl2UhyQjb2ZA" alt=""><figcaption></figcaption></figure>

We copy the repository's clone URL and paste it in, like so:

<figure><img src="https://lh6.googleusercontent.com/LyM0PZXOunevJ4_I5SJ2on5PH5_65L9-DpAQnGkNkM49yLLFhyTQVk-26Yt4R-6FKc38STvcISpE463zTHF1rxcQ4tBAQc03GPwXW9LgW1d0KDY2iprP6_da4KxYQs1k2YUJweHRIBC9GbUwEs-fd1_TAOANUxcDukEfvw-c4AfYVPsTF3mpFdSRyA" alt=""><figcaption></figcaption></figure>

Click the green plus sign and scan.

<figure><img src="https://lh6.googleusercontent.com/yMtUjPqFM2U7JnbuLsGaSs-rZiNl2rqrAmmizALSj083HceEBm4xmjpZyYnkaPdLEoE42Y2nRDfHzSTaXXlHp7xUNyjA6HbCmzaLsRA0dAEKnoLCHWDIKYDeRqH-2_fh6Prihov6KIRWSOdfR3lR-fUhCY27qp2b-7-TQNTfr5QUYgcxdzgqe7uo-Q" alt=""><figcaption></figcaption></figure>

The scan will start.

<figure><img src="https://lh3.googleusercontent.com/2fpF5rif5jxsUCfCNZ8wiRIEgmUPpiwK4R2bMntDzbFMvVbsVYKLX5E1-yhWu0JSaeOmSaQ3iruQHAQh1Wvii7l_Ihkbma3OWzKnd_N1bUQuGeVQlElNndJBcf47wlWIGQ3Z4BlVCyKSltKauzxJUlPrC8DQzm6z_QQCdZDT4P2slTMeiObUGzTQFw" alt=""><figcaption></figcaption></figure>

Once the online scan finishes, we get a result like the following:

<figure><img src="https://lh6.googleusercontent.com/YpBd2CC37FNaab15MyHc1FpGLeTQf9aLSmufUSfX5vmVrIrmFELxGkNd3MoOcTpl11k3xzN5HkosYxgwQwt5eLt3vqPakIPfSdN8PKqFQS7M24ntxhOClPH-qpX2iwyfPfrvUgh3lOawLAebDv-OnHTuPjUTgnAwwq9W6TRsadIJf58WWTZJ02myLg" alt=""><figcaption></figcaption></figure>

The picture above shows that we scanned a project named “vulnado-test”, which has our pom.xml (SCA JAVA) scan alongside the other scans. Let’s dive into that.

Once you click on it, you will be redirected to a page like the following:

<figure><img src="https://4095801085-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtErerJyslHxJo5moBxJo%2Fuploads%2F4hkVi7hN9WVdMsHb1qqp%2F111.png?alt=media&#x26;token=f6a49f69-8d17-444d-bfe7-ab855838f040" alt=""><figcaption></figcaption></figure>

This page contains the following information about your SCA scan:

1. **Project Scanned**: the name of the current project, in this case vulnado-test.
2. **Scan Date**: the date and time at which the scan was performed.
3. **User’s Email**: the email address of the user who ran the scan.
4. **RuleId**: which of our backend rules matched the finding.
5. **Vulnerable Dependency**: the vulnerable dependency with its exact version.
6. **Description of CVE**: more information about the vulnerability affecting that dependency.
7. **Patch**: how to fix the issue.
8. **Filter Severity**: filter the results by criticality.

Once the SCA scan is done, we can patch the vulnerable dependencies directly from the UI, provided source control (GitHub/GitLab/Bitbucket) is configured and the repository is one you have access to.
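To make the report fields and the one-click patch concrete, here is an added example of what an SCA pass over a `pom.xml` does. It is not the scanner's own code: it parses the `<dependencies>` block, resolves `${property}` versions, matches each coordinate against a small advisory table with Maven-style version comparison, emits findings with the same fields as the report above (rule ID, vulnerable dependency with exact version, CVE description, patch), supports the severity filter, and then applies the offered fixes to the pom the way the UI patch would. The pom content, the `SCA-JAVA-*` rule IDs and the advisory feed format are constructed for this example; the two CVEs it matches are real.

```python
"""Toy SCA pass over a Maven pom.xml (added example, not the scanner's code)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"m": "http://maven.apache.org/POM/4.0.0"}  # standard POM namespace

# Constructed pom.xml (not Vulnado's real one): one property-driven version,
# one inline version, one clean dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>vulnado-test</artifactId><version>0.0.1</version>
  <properties><log4j.version>2.14.1</log4j.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version></dependency>
    <dependency><groupId>commons-io</groupId><artifactId>commons-io</artifactId>
      <version>2.6</version></dependency>
    <dependency><groupId>com.google.code.gson</groupId><artifactId>gson</artifactId>
      <version>2.10.1</version></dependency>
  </dependencies>
</project>"""

@dataclass(frozen=True)
class Advisory:
    rule_id: str      # scanner-side rule identifier; constructed here
    group_id: str
    artifact_id: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)
    cve: str
    severity: str
    description: str

# Two real advisories in a constructed feed format. Log4Shell's range skips the
# 2.3.x / 2.12.x backport releases for brevity.
ADVISORIES = [
    Advisory("SCA-JAVA-0001", "org.apache.logging.log4j", "log4j-core", "2.0-beta9", "2.15.0",
             "CVE-2021-44228", "Critical",
             "JNDI lookup in logged data allows remote code execution (Log4Shell)."),
    Advisory("SCA-JAVA-0002", "commons-io", "commons-io", "2.2", "2.7",
             "CVE-2021-29425", "Medium",
             "FileNameUtils.normalize mishandles some inputs, enabling path traversal."),
]

@dataclass(frozen=True)
class Finding:
    rule_id: str
    dependency: str     # groupId:artifactId:version, the exact vulnerable version
    cve: str
    severity: str
    description: str
    fixed_version: str
    patch: str          # the fix the UI would offer

def version_key(v):
    """Maven-like sort key: numeric segments compare numerically, a qualifier such as
    'beta9' sorts below the bare release, and '2.0' == '2.0.0' after padding."""
    return [(1, int(p), "") if p.isdigit() else (0, 0, p) for p in re.split(r"[.\-]", v)]

def vercmp(a, b):
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += [(1, 0, "")] * (n - len(ka))
    kb += [(1, 0, "")] * (n - len(kb))
    return (ka > kb) - (ka < kb)

def is_affected(version, adv):
    return vercmp(version, adv.introduced) >= 0 and vercmp(version, adv.fixed) < 0

def parse_dependencies(pom_xml):
    """Yield (groupId, artifactId, version) with ${property} references expanded."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip() for p in root.findall("m:properties/*", NS)}
    props.setdefault("project.version", root.findtext("m:version", "", NS).strip())
    for d in root.findall("m:dependencies/m:dependency", NS):
        raw = d.findtext("m:version", "", NS).strip()
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        yield (d.findtext("m:groupId", "", NS).strip(), d.findtext("m:artifactId", "", NS).strip(), version)

def scan(pom_xml):
    findings = []
    for g, a, v in parse_dependencies(pom_xml):
        if not v or "${" in v:
            continue  # managed or unresolved version: needs the effective POM, not this file alone
        for adv in ADVISORIES:
            if (g, a) == (adv.group_id, adv.artifact_id) and is_affected(v, adv):
                findings.append(Finding(adv.rule_id, f"{g}:{a}:{v}", adv.cve, adv.severity,
                                        adv.description, adv.fixed, f"upgrade {a} to {adv.fixed} or later"))
    return findings

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def filter_severity(findings, minimum):
    """The 'Filter Severity' control: keep findings at or above the chosen level."""
    return [f for f in findings if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[minimum]]

def patch_pom(pom_xml, findings):
    """Bump each flagged dependency to its fixed version where it is declared: in
    <properties> for ${property} versions (siblings sharing the property move too),
    inline otherwise. ElementTree re-serialises the file, so comments and the XML
    declaration are lost; a real patcher edits the text to keep the diff small."""
    ET.register_namespace("", NS["m"])
    root = ET.fromstring(pom_xml)
    wanted = {tuple(f.dependency.split(":")[:2]): f.fixed_version for f in findings}
    props = {p.tag.rsplit("}", 1)[-1]: p for p in root.findall("m:properties/*", NS)}
    for d in root.findall("m:dependencies/m:dependency", NS):
        key = (d.findtext("m:groupId", "", NS).strip(), d.findtext("m:artifactId", "", NS).strip())
        ver = d.find("m:version", NS)
        if key not in wanted or ver is None:
            continue
        m = re.fullmatch(r"\$\{([^}]+)\}", (ver.text or "").strip())
        target = props[m.group(1)] if m and m.group(1) in props else ver
        target.text = wanted[key]
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    found = scan(SAMPLE_POM)
    for f in filter_severity(found, "Medium"):
        print(f"{f.rule_id} {f.severity:<8} {f.dependency}  {f.cve}: {f.description}  Patch: {f.patch}")
    print(patch_pom(SAMPLE_POM, found))
```

Two details matter in practice. A dependency whose version is inherited from a parent POM or a BOM has no `<version>` in this file, so a scanner that only reads the single pom will miss it; a real tool resolves the effective POM first. And the patch bumps a shared `${property}` rather than one dependency, which is usually what you want (all log4j artifacts move together) but is worth calling out in the pull request the patch generates.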
