CAST Highlight can perform a fine-grained comparison of two snapshots of a scanned application and automatically identify which open-source software (OSS) components have been added, removed or upgraded. This article explains how the feature works and how it helps you understand changes to the Open Source Safety scores over time.

Compare detected OSS components between application snapshots

Although high-level Open Source Safety score trends (Security, License and Obsolescence risks) give insight into how a development team is de-risking an application over time (e.g., upgrading components to reduce critical vulnerabilities and obsolescence), it is often necessary to see exactly what changed between two scans, in particular which components and which versions. Which newly added components are pulling the Component Security score down? Which components were actually upgraded to a safer version? The SCA Component Comparison feature in CAST Highlight offers a fine-grained view of these changes.

At the application level, under the Software Composition tab, click the “Compare Components” button to open the comparison view, then select the two application snapshots you want to compare. The top table displays high-level SCA metrics (Open Source Safety score, Component Security score, number of vulnerabilities, etc.) for each snapshot and the difference between them.

The second table lists and compares components between these snapshots:

  • Component name and version
  • Status of the component compared to the other snapshot
    • Added: the component is detected in the later snapshot but not in the earlier one
    • Removed: the component was present in the earlier snapshot but is no longer detected in the later one
    • Updated: the component is present in both snapshots with a different version (an upgrade or a downgrade)
  • Detected vulnerabilities

This component table can be filtered with different options:

  • Show all components regardless of their status
  • Show only components with a version change between the snapshots
  • Show only added components
  • Show only updated components (with a different version between the snapshots)
  • Show only removed components
  • Show only components having vulnerabilities

Additionally, clicking a component displays the component timeline, and clicking a vulnerability opens a detailed CVE description. Note that the CVE information in both snapshot columns is based on the vulnerabilities known at the time you view the comparison, not at the time each scan was run: a CVE published after the older snapshot was taken still appears in that snapshot's column if it affects the version detected there. A change in vulnerability count between the two columns therefore reflects a component change, not a change in what was known when the scan happened.
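The following is an added example, written for this article and not code from CAST Highlight, that reproduces the comparison logic described above on two constructed component inventories: it classifies each component as added, removed, unchanged, upgraded or downgraded, looks up both snapshot columns against the same current CVE feed (the caveat noted above), computes the high-level deltas, and applies the status and vulnerability filters. The snapshot contents, the CVE feed and the placeholder CVE identifiers are all constructed for the example; the version ordering is a simple numeric/textual tuple comparison, not a full semantic-versioning implementation.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample inventories (not real scan output): component -> version.
SNAPSHOT_OLD = {
    "log4j-core": "2.14.1",
    "jackson-databind": "2.9.8",
    "commons-io": "2.6",
    "guava": "30.0-jre",
}
SNAPSHOT_NEW = {
    "log4j-core": "2.17.1",
    "jackson-databind": "2.9.8",
    "commons-text": "1.9",
    "guava": "29.0-jre",
}

# Constructed placeholder CVE feed keyed by (component, version). It stands in
# for the vulnerability database as known *today*; both snapshot columns are
# resolved against this one feed, which is why an old snapshot can show CVEs
# that were not yet published when it was scanned.
CURRENT_CVES: Dict[Tuple[str, str], List[str]] = {
    ("log4j-core", "2.14.1"): ["CVE-0000-1001", "CVE-0000-1002"],
    ("jackson-databind", "2.9.8"): ["CVE-0000-2001"],
    ("guava", "29.0-jre"): ["CVE-0000-3001"],
}


def version_key(version: str) -> tuple:
    """Order versions by splitting on '.' and '-'; numeric parts compare as
    integers, textual parts (e.g. 'jre', 'rc1') as lowercase strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower())
                 for p in re.split(r"[.\-]", version))


@dataclass
class Row:
    name: str
    old_version: Optional[str]
    new_version: Optional[str]
    status: str          # added | removed | unchanged | upgraded | downgraded
    old_cves: List[str]
    new_cves: List[str]


def compare_snapshots(old: Dict[str, str], new: Dict[str, str],
                      cves: Dict[Tuple[str, str], List[str]]) -> List[Row]:
    """Diff two inventories the way the comparison table does."""
    rows = []
    for name in sorted(set(old) | set(new)):
        ov, nv = old.get(name), new.get(name)
        if ov is None:
            status = "added"
        elif nv is None:
            status = "removed"
        elif ov == nv:
            status = "unchanged"
        elif version_key(nv) > version_key(ov):
            status = "upgraded"
        else:
            status = "downgraded"
        rows.append(Row(
            name, ov, nv, status,
            list(cves.get((name, ov), [])) if ov else [],
            list(cves.get((name, nv), [])) if nv else [],
        ))
    return rows


def summary(rows: List[Row]) -> Dict[str, int]:
    """High-level metrics for the top table: counts per snapshot and delta."""
    vulns_old = sum(len(r.old_cves) for r in rows)
    vulns_new = sum(len(r.new_cves) for r in rows)
    return {
        "components_old": sum(1 for r in rows if r.old_version),
        "components_new": sum(1 for r in rows if r.new_version),
        "vulns_old": vulns_old,
        "vulns_new": vulns_new,
        "vulns_delta": vulns_new - vulns_old,
    }


# Filter options mirroring the ones listed for the component table.
FILTERS = {
    "all": lambda r: True,
    "added": lambda r: r.status == "added",
    "updated": lambda r: r.status in ("upgraded", "downgraded"),
    "removed": lambda r: r.status == "removed",
    "vulnerable": lambda r: bool(r.old_cves or r.new_cves),
}


def filter_rows(rows: List[Row], mode: str) -> List[Row]:
    return [r for r in rows if FILTERS[mode](r)]


if __name__ == "__main__":
    rows = compare_snapshots(SNAPSHOT_OLD, SNAPSHOT_NEW, CURRENT_CVES)
    print(summary(rows))
    for r in filter_rows(rows, "all"):
        print(f"{r.name:18} {r.old_version or '-':10} -> {r.new_version or '-':10} "
              f"{r.status:10} CVEs {len(r.old_cves)} -> {len(r.new_cves)}")
```

With the constructed data, the downgrade of guava is the row worth noticing: the total vulnerability count drops from 3 to 2 because of the log4j-core upgrade, while the "updated" filter still surfaces a component that moved to a version carrying a CVE, which a score-only trend would hide.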