Introducing FOSSA Binary Composition Analysis (BCA)

April 10, 2025 · 7 min read
When software development teams consume or produce binaries, they need to be mindful of the same risks and responsibilities they do with source code files.

This often includes maintaining an inventory of the open source dependencies that comprise the binary file. It can also mean understanding and fixing vulnerabilities and complying with open source licensing requirements. And, in some instances, it can mean generating and maintaining an updated SBOM (software bill of materials) in a format like SPDX or CycloneDX.

However, because the fingerprinting and snippet-matching techniques used to identify libraries in compiled code are inherently fuzzy, binaries are generally very difficult to decompose, inventory, analyze, and secure.

That's why, as part of our ongoing mission to help customers understand and manage risks throughout their software supply chains, we’re thrilled to announce the launch of FOSSA Binary Composition Analysis (BCA).

There are three core elements to FOSSA BCA:

  1. Binary decomposition and analysis: Produce an inventory of detected libraries (plus their associated licenses and vulnerabilities) in binary files.
  2. Binary risk management: Take action to prioritize and remediate vulnerabilities and ensure distributed binaries include only approved open source licenses.
  3. Binary regulatory and compliance reporting: Produce SBOMs and license attribution notices that reflect the contents of binary files.

The release of FOSSA BCA — added to our platform's existing open source management and regulatory reporting capabilities — gives our customers the most accurate and actionable understanding of what's in their production software. You can now manage SBOMs, security, and license compliance across source code, containers, and multiple types of binary files.

How FOSSA BCA Works

FOSSA BCA supports a wide range of binary file types, including firmware, archive files, installers, executables, containers, and more.

When you upload a binary file to FOSSA, we will produce a list of detected dependencies, plus the justification (detailing file paths and fingerprints) for each match.

List of detected dependencies from a binary scan

In addition to a component inventory, FOSSA will produce a list of security and licensing issues for each binary we analyze.

The specifics of an issue list are determined by the policies you set within the FOSSA application. For example, if you build a license compliance policy where all copyleft licenses are denied, we will report GPL-licensed components on your Licensing Issues Page. Or, if you build a security policy to surface all vulnerabilities over a given CVSS score, those vulnerabilities will be added to your Security Issues Page.

From there, you'll be able to prioritize vulnerabilities (using FOSSA's wide range of filters: EPSS scores, CVSS scores, dependency depths, remediation efficiency, and more) and work with the right internal or external teams to fix them. You'll also be able to address license compliance issues (before they turn into lawsuits) and generate SBOMs.

How to Use FOSSA BCA

Although BCA is a new FOSSA product — powered by a new technical partnership with CodeSecure — our users will find minimal differences between it and our SCA workflows or UI. (However, please note that a new FOSSA BCA subscription is required to use this product.)

Let's walk through using FOSSA BCA in our web app; you can also leverage our API for automated or CI integrations.

Step 1: Log into your FOSSA account and select the “Decompose Binary” option.

Decomposing a binary file

Step 2: Click the “Add File” button on the “Archive Upload” screen to bring your binary into FOSSA; you can upload a single file or multiple files at once.

Step 3: Once the binary file has been uploaded, you'll be directed to the project screen. There, you'll see the results of FOSSA's analysis, including a list of detected dependencies, vulnerabilities, and licenses — plus any issues.

Issues identified in a binary scan

Step 4: Act on results. At this point, you'll be ready to generate an SBOM or license attribution notice and work with your developers (or software suppliers) to address security or license compliance issues.

Why FOSSA BCA

We recognize that FOSSA isn't the only binary analysis solution on the market; and, of course, different organizations will have different BCA use cases (and may prefer different tools).

However, FOSSA BCA is purpose-built for several critically important use cases, and we encourage teams and organizations that are prioritizing these capabilities to consider trialing our solution.

  1. Actionable Results and Real Risk Management

FOSSA BCA does more than just decompose binary files. Since BCA is tightly integrated with the rest of the FOSSA platform, customers will benefit from our full suite of security and compliance tools.

For example:

License compliance: Enforce license policies so an issue/alert will be created if FOSSA detects a licensed component in your binary that's on your “deny” or “flag” list (e.g. AGPL or GPL). Plus, generate attribution notices for your binary files.

Vulnerability management: Prioritize vulnerabilities discovered in binaries with FOSSA's extensive set of remediation tools. Filter by CVSS score, EPSS score, inclusion on the CISA KEV List, dependency depth, and/or business context. Plus, use our new Remediation Guidance feature to integrate fix efficiency metrics (e.g. which patches/upgrades will address the most high-severity CVEs) into your prioritization plan.

SBOM management: Generate SPDX or CycloneDX SBOMs that reflect your binary's components — or, bundle multiple binaries together in a single, application- or product-level SBOM using FOSSA release groups. Simply and securely share SBOMs with customers and regulatory bodies using FOSSA's private SBOM Portal.

  2. Superior Supplier and Supply Chain Risk Management

FOSSA has long featured one of the industry's best SBOM ingestion and analysis tools. Now, we're adding top-tier binary analysis as well. These new BCA capabilities coupled with existing SBOM ingestion features form a powerful combination for manufacturers looking to understand and mitigate risk in the software they acquire. This includes the ability to verify and enhance supplier SBOMs by comparing them to binary scanning results.
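To make the two mechanisms described above concrete, the policy-driven issue list (copyleft licenses denied, vulnerabilities above a CVSS threshold) and the comparison of a supplier SBOM against binary scan results, here is an added illustrative example. It is not FOSSA's code; the scan results, the CycloneDX-style SBOM fragment, and the CVE identifiers are all constructed placeholders.

```python
"""Illustrative policy evaluation over binary-scan results (not FOSSA's code)."""
from dataclasses import dataclass, field

# Constructed deny list: SPDX identifiers a "no copyleft" policy would reject.
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "LGPL-2.1-only"}


@dataclass
class Component:
    name: str
    version: str
    license: str
    # (cve_id, cvss_score) pairs attached to this component
    vulns: list = field(default_factory=list)


# Constructed sample of what a binary decomposition might report.
# CVE ids are placeholders, not real advisories.
SCAN = [
    Component("zlib", "1.2.11", "Zlib", [("CVE-0000-0001", 7.5)]),
    Component("readline", "8.1", "GPL-3.0-only"),
    Component("openssl", "1.1.1k", "Apache-2.0",
              [("CVE-0000-0002", 9.8), ("CVE-0000-0003", 4.3)]),
]

# Constructed supplier SBOM: a minimal CycloneDX-like component list.
SUPPLIER_SBOM = {"components": [{"name": "zlib", "version": "1.2.11"},
                                {"name": "openssl", "version": "1.1.1g"}]}


def license_issues(components, denied=COPYLEFT):
    """Components whose license is on the deny list (Licensing Issues)."""
    return [(c.name, c.license) for c in components if c.license in denied]


def security_issues(components, min_cvss):
    """CVEs at or above the CVSS threshold, highest score first (Security Issues)."""
    hits = [(cve, score, c.name) for c in components
            for cve, score in c.vulns if score >= min_cvss]
    return sorted(hits, key=lambda t: -t[1])


def sbom_gaps(components, sbom):
    """Scan findings the supplier SBOM does not declare, or declares at another version."""
    declared = {(x["name"], x["version"]) for x in sbom["components"]}
    names = {x["name"] for x in sbom["components"]}
    missing = [(c.name, c.version) for c in components
               if (c.name, c.version) not in declared]
    undeclared = [m for m in missing if m[0] not in names]
    mismatched = [m for m in missing if m[0] in names]
    return undeclared, mismatched
```

Run together, the three checks reproduce the workflow in this section: the scan drives the issue list, and the SBOM diff shows where the supplier's declaration needs verifying or enhancing.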

  3. Complete Coverage

Many BCA tooling providers don't offer a comprehensive SCA product. And, on the flip side, many leading SCA providers don't have binary scanning. Organizations looking to consolidate software supply chain management tools may prefer FOSSA's platform, which now has mature offerings for both BCA and SCA, including SBOM management.

  4. Supports Consumption and Production Use Cases

Teams and organizations can use FOSSA BCA to decompose, analyze, and evaluate risk in binaries to either:

  1. Validate binaries that will ultimately be used for internal or testing purposes — before bringing them into the company's environment.
  2. Validate binaries from software suppliers that will eventually be packaged directly in production software.

On the production side, teams and organizations can use FOSSA BCA to confirm that production-ready software meets standards for regulatory compliance, security, and software licensing.

  5. Flexible Deployment Options

FOSSA is one of a small number of BCA tools that can be deployed on-premises. We also offer a private cloud option. (Additionally, we can work with organizations that require an air-gapped deployment.)

Getting Started with FOSSA BCA

As we mentioned, FOSSA BCA is currently only available with a paid FOSSA BCA subscription.

Current FOSSA SCA subscribers can reach out to their customer success contacts for BCA pricing information and/or to try the new product.

Current FOSSA free tier users — and organizations without FOSSA accounts — can visit our BCA page for more information and to request a demo from our team.

Anyone can also feel free to email our team at hello@fossa.com with questions about FOSSA BCA.
