
About Clarity

How Clarity Works

Most Software Composition Analysis (SCA) tools simply parse the package manager's manifest to generate a list of open source dependencies. While this is fast, it may misidentify ambiguous version requests, it misses components that developers compile directly into an application, and it cannot be used at all for languages such as C and C++ that do not have a package manager.

Other, more sophisticated SCA solutions may use hash matching: generating hashes of source files or binaries and comparing them against pre-computed databases of common open source components. While this can identify some components that package manager parsing misses, hash-based matching is also ineffective in some use cases, because an almost infinite number of distinct binaries can be produced from a single source tree depending on the options used during compilation, so the hash of one build does not match another build of the same source.

The Clarity Difference

In addition to using the package manager and hash matching, Insignary Clarity is unique in that it extracts “fingerprints” from the target binary code and compares them against fingerprints collected from open source components across numerous open source repositories.

Clarity uses symbol and string table comparisons (fingerprinting) to enable high fidelity scanning of binary code in firmware, without using any reverse engineering techniques that could violate license agreements.

Step 1

Insignary’s database of open source component fingerprints is continuously updated as new versions of components are released.

Step 2

Clarity scans the target binary file or firmware and extracts fingerprints such as strings, function names, and variable names.

Step 3

The fingerprints extracted from the target binary file or firmware are matched against the fingerprints in the Insignary database.

Step 4

Clarity generates a Software Bill of Materials (SBOM) and maps the identified components to a database of licenses and publicly disclosed vulnerabilities. When a new vulnerability is disclosed in any component present in an SBOM, Clarity alerts users without the need to rescan the software.
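The four steps above describe a string/symbol fingerprinting pipeline in the abstract. The following Python is an added, deliberately small illustration of that pipeline written for this page; it is not Insignary's code, and the fingerprint database, the firmware blob, the component names and the advisory identifiers are all constructed placeholders. It shows the part a practitioner usually wants to see: how a containment score over extracted strings can pick the right version of a component (the version string is the discriminator), how a lowered threshold gives "fuzzy" partial matches, and how an SBOM can be re-mapped to a newer advisory feed without touching the binary again.

```python
"""Toy string/symbol fingerprint matcher (constructed example, not Insignary's code)."""
import re

# Step 1 (constructed): fingerprint database. Each component version is keyed by
# the set of strings and symbol names its build leaves behind in a binary.
FINGERPRINT_DB = {
    ("libexample-compress", "1.2.0"): {
        "ex_deflate_init", "ex_inflate", "ex_version_1.2.0", "invalid distance code"},
    ("libexample-compress", "1.3.1"): {
        "ex_deflate_init", "ex_inflate", "ex_version_1.3.1", "invalid distance code",
        "ex_inflate_fast"},
    ("libexample-tls", "0.9.8"): {
        "tls_handshake", "tls_client_hello", "bad record mac", "TLS-0.9.8"},
}

# Constructed advisory feed keyed by component version (placeholder IDs, not real advisories).
ADVISORY_DB = {
    ("libexample-compress", "1.2.0"): ["ADVISORY-PLACEHOLDER-001"],
    ("libexample-tls", "0.9.8"): ["ADVISORY-PLACEHOLDER-002"],
}

# Constructed "firmware image": a fake header, some symbol/string table content, some junk.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x00\x01"
    + b"ex_deflate_init\x00ex_inflate\x00ex_version_1.3.1\x00"
    + b"invalid distance code\x00ex_inflate_fast\x00"
    + b"tls_handshake\x00bad record mac\x00TLS-0.9.8\x00"
    + b"\x01\x02\x03\xff"
)


def extract_strings(blob, min_len=4):
    """Step 2: collect printable ASCII runs, the same data the `strings` utility shows."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.group().decode("ascii") for m in pattern.finditer(blob)}


def match_components(strings, db, threshold=0.75):
    """Step 3: containment score = fraction of a component's fingerprints present in the binary.

    A threshold below 1.0 is what makes the match "fuzzy": a component is still
    reported when some of its strings were stripped or renamed by the build.
    Only the best-scoring version of each component name is kept.
    """
    best = {}
    for (name, version), fingerprints in db.items():
        score = round(len(fingerprints & strings) / len(fingerprints), 2)
        if score >= threshold and (name not in best or score > best[name][1]):
            best[name] = (version, score)
    return sorted((n, v, s) for n, (v, s) in best.items())


def build_sbom(blob, db=FINGERPRINT_DB, advisories=ADVISORY_DB, threshold=0.75):
    """Step 4: SBOM entries, each mapped to the advisories known for that exact version."""
    strings = extract_strings(blob)
    return [
        {"name": n, "version": v, "confidence": s, "advisories": advisories.get((n, v), [])}
        for n, v, s in match_components(strings, db, threshold)
    ]


def refresh_advisories(sbom, advisories):
    """Re-map an existing SBOM against a newer advisory feed; the binary is not rescanned."""
    return [dict(e, advisories=advisories.get((e["name"], e["version"]), [])) for e in sbom]


if __name__ == "__main__":
    for entry in build_sbom(SAMPLE_FIRMWARE):
        print(entry)
```

Note that `libexample-compress 1.2.0` also scores 0.75 against the sample image because it shares most strings with 1.3.1; only the version-specific string `ex_version_1.3.1` lets the matcher prefer 1.3.1. In a real scanner the threshold, the weighting of rare versus common strings, and the handling of stripped binaries are where most of the engineering effort goes.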

Clarity Supports Your Processes

Clarity is available as a cloud-based or on-premises solution. It can be used through its own dedicated graphical user interface or from the command line, so that it can be invoked automatically from scripts, build tools, or other security and compliance monitoring solutions.

Clarity reports in Modular JSON, CSV, HTML and Excel formats to deliver customizable information to support your existing processes.

Clarity also provides "fuzzy matching" of binary code, and supports LDAP, a RESTful API, and automation servers such as Jenkins. Due to its unrivaled accuracy and extensive OSS coverage, Clarity has emerged as the optimal tool for customers with varying OSS management requirements, ranging from embedded software scanning to large-scale IT infrastructure scanning.
