Why do I need Software Composition Analysis (SCA) specialized for Embedded Systems?

Software Composition Analysis (SCA) is an essential function for understanding the components in your software and monitoring vulnerability disclosures to identify security issues.

SCA tools generate a Software Bill of Materials (SBOM) showing which software components are present in a particular product.

But common SCA tools have serious blind spots when it comes to embedded Linux and other open source, third-party software used in building embedded systems. These blind spots make security maintenance much harder and more complex.

• Binary scanners
  • No metadata in binaries about patching or configurations, so fixed or irrelevant vulnerabilities are still reported as active.
  • Sometimes a component or version cannot be determined based on a binary signature, so the SBOM is inaccurate.
• Source scanners
  • Cannot identify which packages are actually installed in a given product so they report all packages as installed.
  • Cannot collect build artifacts such as patches and kernel configurations so they result in highly inaccurate vulnerability reports.

Build-system based SCA fixes blind spots

In response to the need for better SBOMs for embedded system products, we have created the industry’s first SCA solution that is optimized for embedded systems, the Timesys Vigiles® Vulnerability Management Suite.

Vigiles addresses the SCA blind spots because it is integrated with your Yocto, Buildroot or Timesys Factory build system:

• Extracts SBOM from build system to capture metadata
  • Configurations enabled (e.g., drivers enabled in Linux kernel)
  • List of vulnerabilities already addressed in applied patches
  • Hardware platform information
• Filters vulnerabilities based on more accurate SBOM
  • Reporting “unfixed” vulnerabilities applicable to “your hardware platform” based on “enabled configurations”
  • Can cut reported vulnerabilities by up to 75% — huge reduction in level of effort