
Private Package Support in Checkmarx SCA


April 27, 2023

Private packages are crucial in modern software development as they enable organizations to manage proprietary code and sensitive components securely. However, these packages also pose unique challenges when it comes to security, compliance, and risk management. Private packages typically depend on open source libraries themselves, so as open source use grows it becomes harder for organizations to track the dependencies, and the potential vulnerabilities, that their private packages pull into an application.

Checkmarx SCA addresses this challenge by identifying and scanning private packages, allowing organizations to gain better visibility into dependencies and potential risks. This helps organizations ensure that private packages are being used securely while reducing the risk of security breaches and other issues. Whether you are a business owner, developer, or security professional, understanding the value and potential risks of private packages is critical for maintaining a secure and effective software development process.

Understanding Packages in Software Development

In software development, a package refers to a collection of related code files and resources that are organized together in a standardized way. A package typically contains reusable code that can be imported and used by other parts of the application. The use of packages helps to modularize software code, making it easier to maintain, update, and reuse. Packages can contain various types of files such as modules, classes, functions, and data files.

Differences With Private Packages

Private packages refer to packages that contain proprietary code or components that are not intended to be made public. These packages are typically developed and managed by an organization internally and not available for download from a public repository. Private packages may contain sensitive information, such as proprietary algorithms or business logic, and need to be managed and protected appropriately to prevent unauthorized access or misuse.

Private packages are commonly used in enterprise software development, where organizations need to share code and libraries among multiple projects and teams, but want to maintain control over the distribution and access to that code. By using private packages, organizations can ensure that their proprietary code and intellectual property are protected, and that their software is compliant with licensing and security requirements.

While public packages are typically hosted on public package repositories like npm or Maven Central, private packages are usually published to a private package repository or internal registry that is not reachable from the public internet. Private packages can be created in many different programming languages, such as JavaScript, Python, Java, and Ruby, and are often managed using the package manager specific to each language.

Uncovering the Hidden Risks

Most software composition analysis (SCA) solutions are designed to identify and remediate vulnerabilities in open source libraries. However, they often fall short when it comes to analyzing private packages. Why is that?

SCA tools typically use a variety of techniques to identify which open source libraries are used in a software project. One of the most common techniques is to examine the dependencies listed in the project’s package, lock, or build configuration files (such as package.json and package-lock.json in Node.js projects or pom.xml in Java projects) and then look each name and version up against public registries and vulnerability databases. SCA solutions can also scan the source code and binaries of a project and fingerprint them against known open source releases.

However, this approach does not work well for private packages. A private package’s name and version may well appear in the manifest, but the scanner cannot resolve that name against a public registry or a public vulnerability database, and it cannot fingerprint the package contents unless it is able to fetch them from wherever they are hosted. The private dependency is listed but never analyzed, which can leave organizations with a false sense of security, assuming that their private packages are secure when, in fact, they may contain hidden vulnerabilities.

Private packages are typically hosted in artifact repositories or internal registries (for example, Nexus or JFrog Artifactory), which require authentication to access. An SCA solution therefore needs to be configured with the appropriate credentials to reach these private repositories, retrieve the packages, and identify the libraries used inside them. In addition, some private packages may not be registered in any package repository at all, or may be stored locally on developers’ machines, making them even more difficult to detect.

Therefore, it is important for organizations to have a clear understanding of all the open source libraries and private packages being used in their software projects and to ensure that SCA solutions are configured to detect and analyze all dependencies, including those in private repositories and local file systems.

Checkmarx SCA With Private Package Support

Checkmarx SCA’s new support for private packages enables organizations to gain deeper insights into dependencies and potential risks. This feature allows Checkmarx SCA to scan and analyze private packages and identify vulnerabilities that may exist within them, providing organizations with a comprehensive view of their software stack. With this feature, organizations can proactively address potential risks associated with their private packages. It is easy to use and can be seamlessly integrated into an organization’s existing software development process.

The new capabilities offer a private packages catalog, which summarizes the overall protection of your private packages and lists the packages that are considered high risk as well as those that are outdated. When examining a specific private package, developers can see how many projects use the package and which versions are in use in each project. This makes it easy for teams to enforce policies and ensure that the correct versions of packages are being used across applications. The feature also offers an API that returns the package name, the package manager name, the total number of versions of the package in use, and the number of instances in which an outdated version of the package is being used.
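The two building blocks described above, telling private dependencies apart from public ones in a project’s lockfile and then summarizing which versions of each private package are in use across projects, as an added Python example. This is not Checkmarx’s implementation or API; the lockfile contents, hostnames and the "latest version" answers are constructed for the example, and npm’s lockfile layout is the only real format it relies on:

```python
"""Added illustration, not Checkmarx code: find private dependencies in npm
lockfiles and summarise which versions each project uses.

Constructed assumptions: PROJECT_LOCKFILES holds the "packages" section of an
npm lockfile (v2/v3) for two hypothetical projects, and LATEST_PRIVATE_VERSIONS
stands in for a query to the (hypothetical) internal registry.
"""
from collections import defaultdict
from urllib.parse import urlparse

PUBLIC_NPM_HOSTS = {"registry.npmjs.org", "registry.yarnpkg.com"}

NPMJS = "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
INTERNAL = "https://npm.internal.acme.example/@acme/auth-client/-/auth-client-%s.tgz"

PROJECT_LOCKFILES = {  # constructed sample data; "resolved" records the tarball origin
    "billing-api": {"packages": {
        "node_modules/lodash": {"version": "4.17.21", "resolved": NPMJS},
        "node_modules/@acme/auth-client": {"version": "1.4.0", "resolved": INTERNAL % "1.4.0"},
        "node_modules/acme-legacy-utils": {
            "version": "0.9.2",
            "resolved": "git+ssh://git@git.acme.example/platform/legacy-utils.git#3f2a9c1"},
    }},
    "storefront-web": {"packages": {
        "node_modules/lodash": {"version": "4.17.21", "resolved": NPMJS},
        "node_modules/@acme/auth-client": {"version": "1.2.0", "resolved": INTERNAL % "1.2.0"},
        "node_modules/@acme/ui-kit": {"version": "2.0.0", "resolved": "file:../ui-kit"},
    }},
}

LATEST_PRIVATE_VERSIONS = {"@acme/auth-client": "1.4.0", "@acme/ui-kit": "2.1.0"}


def classify_origin(resolved):
    """Decide where a lockfile entry was fetched from.

    Public registry hosts are an allow-list; everything else (internal registry,
    git URL, file: path) is treated as private, so an unknown host is never
    silently assumed to be public.
    """
    if not resolved:
        return "unknown"
    url = urlparse(resolved)
    if url.scheme in ("http", "https"):
        return "public" if url.hostname in PUBLIC_NPM_HOSTS else "private-registry"
    if url.scheme.startswith("git"):
        return "private-git"
    if url.scheme == "file":
        return "private-local"
    return "unknown"


def package_name(lockfile_path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (segment after the last node_modules/)."""
    return lockfile_path.rsplit("node_modules/", 1)[-1]


def inventory(lockfiles):
    """Map package -> {'origin': ..., 'versions': {version: [projects using it]}}."""
    result = {}
    for project, lock in lockfiles.items():
        for path, entry in lock.get("packages", {}).items():
            if not path:  # the "" key is the root project itself
                continue
            origin = classify_origin(entry.get("resolved"))
            rec = result.setdefault(package_name(path),
                                    {"origin": origin, "versions": defaultdict(list)})
            if rec["origin"] != origin:
                rec["origin"] = "mixed"  # same name fetched from different places: investigate
            rec["versions"][entry["version"]].append(project)
    return result


def semver_key(version):
    """Numeric sort key for plain MAJOR.MINOR.PATCH strings (no pre-release handling)."""
    return tuple(int(part) for part in version.split("."))


def private_package_catalog(lockfiles, latest_versions):
    """One summary row per private package: distinct versions in use and outdated instances.

    An instance is one project using one version; it is outdated when that version
    sorts below the latest version the registry reports. Packages whose latest
    version is unknown (for example, git or local-path dependencies) count as 0.
    """
    catalog = []
    for name, rec in sorted(inventory(lockfiles).items()):
        if rec["origin"] == "public":
            continue
        latest = latest_versions.get(name)
        outdated = 0
        if latest:
            outdated = sum(len(projects) for version, projects in rec["versions"].items()
                           if semver_key(version) < semver_key(latest))
        catalog.append({"package": name, "package_manager": "npm", "origin": rec["origin"],
                        "versions_in_use": len(rec["versions"]),
                        "outdated_instances": outdated, "projects": dict(rec["versions"])})
    return catalog


if __name__ == "__main__":
    for row in private_package_catalog(PROJECT_LOCKFILES, LATEST_PRIVATE_VERSIONS):
        print(row)
```

Two points worth noting. The lockfile only tells you that a private package exists, which version each project pinned, and where it was fetched from; whether that version is outdated, and what it contains, has to come from the registry that hosts it, which is exactly why the scanner needs credentials for the internal repository. And a package name that resolves to a public host in one project and a private host in another (the "mixed" origin above) deserves a look on its own, since an internal name that also exists on a public registry is a classic sign that a project is pulling the wrong package.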

Learn more

To learn more about private packages in Checkmarx SCA, please contact your account team.

