sca
Safeguard articles tagged "sca" — guides, analysis, and best practices for software supply chain and application security.
345 articles
The MIT License, Meaning in Plain English
The MIT license meaning, stripped of legalese: do almost anything you want with the code, keep the copyright notice, and the author owes you nothing if it breaks.
The Moq Vulnerability: What Happened and What to Do
The Moq incident wasn't a classic CVE — it was a popular .NET mocking library quietly bundling a data-collection dependency in a routine version bump, and it's a case study in why supply-chain monitoring has to watch behavior, not just version numbers.
CVE-2020-15250: The JUnit Temp File Vulnerability
CVE-2020-15250 shows how a test-only utility class in JUnit 4 created world-readable temp files on Unix systems, and why it still shows up in scans of projects that never touched production code paths.
SCA vs SAST vs DAST: Which Do You Actually Need First
Three scanner acronyms, one budget. A spec-level comparison of SCA, SAST, and DAST — what each catches, what each costs to run, and the order that pays off fastest.
Safeguard SCA: Vulnerability Scanning Built for the Supply Chain
Safeguard SCA goes beyond basic CVE matching with multi-source intelligence, version-range precision, and exploitability context that cuts through vulnerability noise.
CVE-2021-29425: The Commons IO Path Traversal Bug
CVE-2021-29425 shows how a single unhandled case in Apache Commons IO's path normalization let attackers slip past directory checks that assumed a canonicalized path was actually safe.
Open Source Licenses Explained: A Practical Primer
Open source licenses explained for engineers who need to make a compliance call today, not read a legal treatise — permissive, copyleft, and what actually changes your obligations.
CVE-2019-8331: The Bootstrap XSS Vulnerability, Explained
CVE-2019-8331 let attackers inject script through Bootstrap's tooltip and popover template options, a pattern that recurred across several Bootstrap CVEs before 4.3.1 finally closed it.
.NET Supply Chain Audit Patterns
Auditing a .NET supply chain is a different exercise than auditing a JavaScript one, and the patterns that actually find problems are specific to how the ecosystem works.
CVE-2017-18214: Why an Old CVE Still Shows Up in Scans
CVE-2017-18214 is a ReDoS bug in Moment.js patched back in 2017, yet it keeps surfacing in scans years later because bundled copies and stale lockfiles never got the memo.
Open Source License Types: A Quick Guide for Engineers
Open source license types split into permissive and copyleft, and knowing which one a dependency uses can matter as much as knowing whether it has a CVE.
Enterprise SCA Tool Evaluation Framework
Choosing a software composition analysis tool for the enterprise? Here's a structured evaluation framework covering what actually matters.