CodeThreat uses Trivy and Syft for Software Composition Analysis, scanning dependencies across all major programming ecosystems for known vulnerabilities.

Package Ecosystems Supported

JavaScript/TypeScript

| Package Manager | Manifest Files | Lockfiles | Transitive Deps |
|---|---|---|---|
| npm | package.json | package-lock.json | |
| Yarn | package.json | yarn.lock | |
| Yarn v2+ | package.json | yarn.lock | |
| pnpm | package.json | pnpm-lock.yaml | |
Scans for:
  • Known CVEs in npm packages
  • Vulnerable transitive dependencies
  • Outdated packages with security updates
  • License compliance (MIT, Apache, GPL, etc.)
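The tables above distinguish manifest files from lockfiles because only the lockfile records every resolved package, including transitive ones. The following script is an added example (not CodeThreat, Trivy or Syft code) that walks a constructed `package-lock.json` (lockfileVersion 3) and separates direct dependencies from transitive ones, including a nested `node_modules` install where two versions of the same package coexist.

```python
"""Enumerate direct vs. transitive npm dependencies from a package-lock.json.

Added example (not CodeThreat, Trivy or Syft code).  package.json only
lists what you asked for; the lockfile records every resolved package.
The lockfile document below is constructed for this example.
"""
import json

# Constructed lockfileVersion 3 document (the layout `npm install` writes).
CONSTRUCTED_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "dependencies": {"express": "^4.18.0"},
            "devDependencies": {"jest": "^29.0.0"},
        },
        "node_modules/express": {"version": "4.18.2",
                                 "dependencies": {"qs": "6.11.0", "debug": "2.6.9"}},
        "node_modules/qs": {"version": "6.11.0"},
        "node_modules/debug": {"version": "2.6.9", "dependencies": {"ms": "2.0.0"}},
        "node_modules/ms": {"version": "2.0.0"},
        "node_modules/jest": {"version": "29.7.0", "dev": True,
                              "dependencies": {"ms": "2.1.3"}},
        # Nested install: jest resolves a different ms than the hoisted one.
        "node_modules/jest/node_modules/ms": {"version": "2.1.3", "dev": True},
    },
})


def package_name(path: str) -> str:
    """'node_modules/jest/node_modules/ms' -> 'ms' (scoped @org/pkg names survive)."""
    return path.rsplit("node_modules/", 1)[1]


def classify_dependencies(lock_text: str) -> dict:
    """Return {'direct': {...}, 'transitive': {...}} mapping name -> sorted versions."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("only lockfileVersion 2/3 carry the 'packages' map")
    root = lock["packages"][""]
    direct_names = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    direct, transitive = {}, {}
    for path, entry in lock["packages"].items():
        if path == "":
            continue  # the root entry describes the project itself
        name = package_name(path)
        bucket = direct if name in direct_names else transitive
        bucket.setdefault(name, set()).add(entry["version"])
    return {
        "direct": {n: sorted(v) for n, v in sorted(direct.items())},
        "transitive": {n: sorted(v) for n, v in sorted(transitive.items())},
    }


if __name__ == "__main__":
    result = classify_dependencies(CONSTRUCTED_LOCKFILE)
    for kind in ("direct", "transitive"):
        print(kind)
        for name, versions in result[kind].items():
            print(f"  {name}: {', '.join(versions)}")
```

Note that `ms` appears twice with different versions: a scanner that reads only `package.json` sees neither copy, and one that deduplicates by name would miss the second. That is why the per-ecosystem tables call out lockfile support separately.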

Python

| Package Manager | Manifest Files | Lockfiles | Transitive Deps |
|---|---|---|---|
| pip | requirements.txt, setup.py, setup.cfg | - | |
| Pipenv | Pipfile | Pipfile.lock | |
| Poetry | pyproject.toml | poetry.lock | |
| Conda | environment.yml, environment.yaml | - | |
| PDM | pyproject.toml | pdm.lock | |
Scans for:
  • PyPI package vulnerabilities
  • Dependency confusion attacks
  • Outdated packages (Django, Flask, etc.)
  • License issues

Java/Kotlin/Scala

| Package Manager | Manifest Files | Lockfiles | Transitive Deps |
|---|---|---|---|
| Maven | pom.xml | - | |
| Gradle | build.gradle, build.gradle.kts | gradle.lockfile | |
| sbt | build.sbt | - | |
Scans for:
  • JAR file vulnerabilities
  • Critical issues (Log4Shell, Spring4Shell)
  • Transitive dependency CVEs
  • Maven Central vulnerabilities

.NET/C#

| Package Manager | Manifest Files | Lockfiles | Transitive Deps |
|---|---|---|---|
| NuGet | *.csproj, packages.config, *.fsproj, *.vbproj | packages.lock.json | |
| .NET CLI | *.csproj | project.assets.json | |
Scans for:
  • NuGet package vulnerabilities
  • .NET Framework/Core vulnerabilities
  • Dependency version conflicts

Go

| Package Manager | Manifest Files | Lockfiles | Transitive Deps |
|---|---|---|---|
| Go Modules | go.mod | go.sum | |
Scans for:
  • Go module CVEs
  • Standard library vulnerabilities
  • Indirect dependency issues

Ruby

| Package Manager | Manifest Files | Lockfiles | Transitive Deps |
|---|---|---|---|
| Bundler | Gemfile | Gemfile.lock | |
Scans for:
  • RubyGems vulnerabilities
  • Rails framework CVEs
  • Gem dependency issues

PHP

| Package Manager | Manifest Files | Lockfiles | Transitive Deps |
|---|---|---|---|
| Composer | composer.json | composer.lock | |
Scans for:
  • Packagist vulnerabilities
  • WordPress/Drupal plugin CVEs
  • Laravel/Symfony framework issues

Rust

| Package Manager | Manifest Files | Lockfiles | Transitive Deps |
|---|---|---|---|
| Cargo | Cargo.toml | Cargo.lock | |
Scans for:
  • Crates.io vulnerabilities
  • RustSec advisories
  • Dependency audit findings

iOS/macOS

| Package Manager | Manifest Files | Lockfiles | Transitive Deps |
|---|---|---|---|
| CocoaPods | Podfile | Podfile.lock | |
| Swift Package Manager | Package.swift | Package.resolved | |
| Carthage | Cartfile | Cartfile.resolved | |
Scans for:
  • Pod vulnerabilities
  • Swift package CVEs
  • Framework security issues

Additional Ecosystems

| Ecosystem | Package Manager | Manifest Files | Support |
|---|---|---|---|
| Dart/Flutter | pub | pubspec.yaml, pubspec.lock | |
| Elixir | Mix | mix.exs, mix.lock | |
| Haskell | Cabal | *.cabal | |
| C/C++ | Conan | conanfile.txt, conanfile.py | |
| Erlang | Rebar3 | rebar.config | |

Operating System Packages

Trivy scans OS-level packages in container images and VMs:

Linux Distributions

| Distribution | Versions | Package Format | CVE Database |
|---|---|---|---|
| Alpine Linux | 3.2+ | apk | Alpine SecDB |
| Debian | 7-12 | apt/dpkg | Debian Security Tracker |
| Ubuntu | 14.04+ | apt/dpkg | Ubuntu Security Notices |
| RHEL/CentOS | 6-9 | yum/rpm | Red Hat Security Data |
| Amazon Linux | 1, 2, 2023 | yum/rpm | Amazon Linux Security |
| Oracle Linux | 5-9 | yum/rpm | Oracle Security |
| Rocky Linux | 8-9 | dnf/rpm | Rocky Security |
| AlmaLinux | 8-9 | dnf/rpm | AlmaLinux Security |
| Fedora | 30+ | dnf/rpm | Fedora Security |
| Photon OS | 1.0-4.0 | tdnf/rpm | VMware Photon Security |
| OpenSUSE | Leap, Tumbleweed | zypper/rpm | SUSE Security |
| SLES | 11-15 | zypper/rpm | SUSE Security |
| Arch Linux | Current | pacman | Arch Security |
| Wolfi OS | Current | apk | Wolfi SecDB |
| Chainguard | Current | apk | Chainguard Security |

Container Base Image Scanning

Detects vulnerabilities in:
  • FROM alpine:3.18
  • FROM ubuntu:22.04
  • FROM node:18
  • FROM python:3.11
  • FROM nginx:latest
  • Any Docker base image
Also scans:
  • Distroless images
  • Scratch-based images (if packages are installed)
  • Multi-stage build layers

SBOM (Software Bill of Materials)

Generated by Syft, analyzed by Trivy.

SBOM Formats Supported:
  • CycloneDX (JSON, XML) - Industry standard
  • SPDX (JSON, YAML) - Linux Foundation standard
  • Syft JSON - Detailed format
  • GitHub Dependency - For GitHub integration
What’s Included in SBOM:
  • All direct dependencies
  • All transitive dependencies
  • Package versions
  • Licenses
  • Package URLs (PURL)
  • File locations
Use Cases:
  • Supply chain security compliance
  • Vendor questionnaires
  • Regulatory requirements (SBOM mandates)
  • Vulnerability tracking over time

Vulnerability Databases Queried

Trivy queries multiple sources for comprehensive CVE coverage:

Language-Specific:
  • npm (Node Security Working Group)
  • PyPI (Python Advisory Database)
  • RubyGems (Ruby Advisory Database)
  • Maven Central (Sonatype OSS Index)
  • Go Vulnerability Database
  • Rust Security Advisory Database
  • PHP Security Advisories
General:
  • National Vulnerability Database (NVD)
  • GitHub Security Advisories (GHSA)
  • GitLab Advisory Database
  • OSV (Open Source Vulnerabilities)
OS-Specific:
  • Debian Security Tracker
  • Ubuntu Security Notices
  • Red Hat Security Data
  • Alpine SecDB
  • Amazon Linux Security Center
Update Frequency: the databases are refreshed daily, so newly disclosed CVEs are matched within 24 hours of disclosure.

False Positive Handling

Trivy is highly accurate for SCA because it matches exact package versions against known CVEs, so false positives are rare. When they do occur, it is usually because:
  • the CVE doesn’t affect the specific code path you use
  • the vulnerability is in an optional feature you don’t enable
  • a mitigation exists at the infrastructure level
CodeThreat AI can analyze SCA findings for:
  • Actual exploitability in your code
  • Whether vulnerable code path is reachable
  • Mitigation controls present
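The SBOM section lists what an SBOM carries (name, version, PURL, licenses) and the paragraph above explains that SCA findings come from matching exact package versions against advisories. The script below is an added example, not Trivy, Syft or CodeThreat code: it parses a constructed CycloneDX 1.5 JSON SBOM, extracts those fields, and flags components whose exact version falls inside a constructed advisory's affected range. The advisory identifiers (`ADV-EXAMPLE-…`) are placeholders, not real CVEs, and the simple numeric version comparison is an assumption that holds for npm and PyPI-style versions only.

```python
"""Match SBOM components against an advisory list by exact version.

Added example, not Trivy, Syft or CodeThreat code.  The SBOM and the
advisories are constructed for this example; the advisory ids are
placeholders, not real CVEs.
"""
import json
import re
from dataclasses import dataclass, field

# Constructed CycloneDX 1.5 document with four components.
CONSTRUCTED_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "openssl", "version": "3.0.2-0ubuntu1.10",
         "purl": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.10?distro=ubuntu-22.04"},
    ],
})

# Constructed advisories: (placeholder id, ecosystem, package, introduced, fixed).
# "fixed" is exclusive: a version is affected if introduced <= version < fixed.
CONSTRUCTED_ADVISORIES = [
    ("ADV-EXAMPLE-0001", "npm", "lodash", "0.0.0", "4.17.21"),
    ("ADV-EXAMPLE-0002", "pypi", "requests", "0.0.0", "2.20.0"),
]


@dataclass
class Component:
    name: str
    version: str
    ecosystem: str      # the PURL type: npm, pypi, deb, ...
    purl: str
    licenses: list = field(default_factory=list)


def version_key(v: str) -> tuple:
    """Compare dotted versions numerically; non-numeric pieces sort after numbers.

    Assumption: adequate for npm/PyPI-style versions.  Distro package
    versions (deb, rpm, apk) need their ecosystem's own comparison rules.
    """
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-+]", v))


def parse_sbom(text: str) -> list:
    """Extract name, version, ecosystem, PURL and license ids from a CycloneDX SBOM."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for c in doc.get("components", []):
        purl = c.get("purl", "")
        ecosystem = purl.split(":", 1)[1].split("/", 1)[0] if purl.startswith("pkg:") else ""
        licenses = [lic["license"]["id"] for lic in c.get("licenses", [])
                    if "id" in lic.get("license", {})]
        components.append(Component(c["name"], c["version"], ecosystem, purl, licenses))
    return components


def find_vulnerable(components: list, advisories: list) -> list:
    """Return (advisory id, purl) pairs whose exact version lies in an affected range."""
    hits = []
    for comp in components:
        for adv_id, eco, name, introduced, fixed in advisories:
            if comp.ecosystem != eco or comp.name != name:
                continue
            if version_key(introduced) <= version_key(comp.version) < version_key(fixed):
                hits.append((adv_id, comp.purl))
    return hits


if __name__ == "__main__":
    comps = parse_sbom(CONSTRUCTED_SBOM)
    for comp in comps:
        print(f"{comp.purl}  licenses={comp.licenses or '-'}")
    for adv_id, purl in find_vulnerable(comps, CONSTRUCTED_ADVISORIES):
        print(f"{adv_id}: {purl}")
```

Only `lodash@4.17.20` is reported: the `4.17.21` copy sits at the fixed version, and `requests 2.31.0` is past the constructed range. This is the exact-version matching the paragraph above describes; what it cannot tell you is whether the vulnerable function is reachable from your code, which is the reachability question left to the AI analysis step.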
