Cryptographic Identification and Verification

in addition to traditional manifest based package identification, soos also supports package identification through the use of cryptographic identification and verification this techniques leverages soos's database of pre computed file hashes to identify and verify open source components how to enable in your scans by default sca scans only look for the manifest files listed under supported languages and files docid 9tpi fweiez819mb4y2 j , however there are three file match options available to use when running sca scans these are controlled using the filematchtype argument (for example filematchtype=manifest ) manifest the default option, which only locates manifest files filehash only run file hashing on the supported file extensions and do not try to locate manifest files typically use this for instances where manifest files are not available or for languages or instances where no package manager is used manifestandfilehash locate manifest files and run file hashing use this option for languages such as java where soos supports both manifest and file hashing the located file hashes will be used to verify the existence of packages identified in the manifest file(s) cryptographic identification this option is used for languages such as c family scanning (c, c++, & objective c) docid\ s5buqbtr 429vfebriwm if no c based package manager is used the results in the dependency tree will show that the package was identified using a cryptographic identifier and not by a manifest c++ cryptographic identifier cryptographic verification cryptographic verification can be used for languages such as java where soos supports both manifest and file hashing, allowing you to verify the existence of packages listed in the manifest with the files located on disk the results in the dependency tree will show that the package was identified using a cryptographic identifier and also in the manifest (or perhaps only identified in the manifest, or only identified in the file system) in the example below joda time was only identified in the pom xml manifest and was not located on disk package located in a manifest and not on disk in the example below log4j was identified in the pom xml manifest and was also verified on disk package located on disk and in a manifest in the example below org elasticsearch was only identified on disk and was not located in the pom xml file package located on disk and not in a manifest