Binary Software Component Analysis When Source Code Not Available

CodeSentry is CodeSecure’s leading Binary Software Composition Analysis (BSCA) solution for gaining component inventory and insights into vulnerabilities and software risks.  Further CodeSentry generats SBOMs, supporting Vulnerability disclosures, and responding to Software Supply Chain Security (SSCS) risks.

Scan Post-Production Applications, Packages:Binary Analysis When Source Code Not Available

CodeSentry is a Binary BCA solution that identifies open-source components and shared dependencies in binaries, including firmware, containers, and mobile or desktop applications. The resulting component inventory is reported through an SBOM, which is also mapped to VulnDB, the industry’s most complete database of software vulnerabilities. Analysis when source code is not available.

Key Benefits

Why CodeSentry? This product is designed to reduce time-to-market, exploit vulnerabilities and provide an SBOM.

  • Reduce time-to-market
    Vendors, contractors, and partners provide compiled executables, not source code. Binary BCA analyzes compiled executables to identify open source components, then maps the components to our database of vulnerabilities.
  • Identify weak security practices
    CodeSentry prevents vulnerable components from entering their products by proactively producing an accurate SBOM of third-party binaries components when binaries are evaluated.
  • Provide accurate SBOMs to customers.
    CodeSentry’s Zero-Day Service can detect security issues associated with command and data injection, weak cryptography, race conditions, and many other common weaknesses.

Risk in the Software Supply Chain

Building secure software requires development teams to follow good security practices. But most software
today includes externally developed code, including open-source components and commercial binaries.
They are also being tasked with delivering an SBOM to their customers.

Software Bill of Materials (SBOM) without Source Code

CodeSentry is a Binary SCA solution that identifies open-source components and shared library
dependencies in binaries, including firmware, containers, and mobile or desktop applications. The resulting
component inventory is reported through an SBOM, which is also mapped to VulnDB, the industry’s most
complete database of software vulnerabilities. The resulting application intelligence and vulnerability
visibility mitigates risk, improves software security, and strengthens enterprise security postures by
defending your products against software supply chain attacks.

Component Inventory and License Information

Checking license information ensures compliance and reduces the risk that software is released and/or consumed with unlicensed components.

  • SBOM Generation, Annotation, and Output:
    CodeSentry scan binaries to auto-generate a detailed SBOM via an intuitive interface – easy for non-technical users. SBOM entries can be included or excluded with the annotation feature. Flexible SBOM output formats include PDF, HTML, CSV, SPDX, JSON, and CycloneDX, and Vulnerability
  • The Inventory and Vulnerability Search:
    CodeSentry search finds components and vulnerabilities across the inventory of scanned files and identifies vulnerable components, thereby saving time when vulnerabilities are declared and remediation actions are required. The inventory of scans can be filtered to show the latest updates to vulnerabilities, remediation, and exploit information to easily determine what actions should be take to mitigate security risks.
  • API-First Approach & Integration:
    An advanced GraphQL interface allows sophisticated integration with external systems including ticketing and vulnerability tracking systems.
  • Audit Logging:
    CodeSentry logs API activities, user logins and exports via UI and APIs to ensure proper usage and allow identification of potentially improper or malicious activity.
  • Deployment Flexibility:
    CodeSentry can be deployed on-premises. For organizations that wish to maintain lower overhead, it is also available as a single-tenant SaaS deployment.
  • Purchasing Flexibility:
    Now available in three options: CodeSentry SBOM Edition, Security Edition, and Advanced Security Edition.
  • Live N-Day Updates:
    CodeSentry continuously updates the database of known components and vulnerabilities, and updates existing scans with the latest vulnerabilities, remediation, and exploit information

The CodeSentry Difference

Binary SCAs unique capabilities are unavailable in Source-based SCA solutions.

  • No requirement for source code.
    Source code is rarely available for third-party components, and is not always available to security teams, even for in-house applications. Binary SCA can produce an accurate SBOM without access to source code.
  • Views code “as deployed”.
    Source SCA only sees components “as built”. CodeSentry analyzes the binary that executes. This allows it to identify any components or vulnerabilities introduced during compilation and packaging code for release. Source SCA also often lists components that are not in the final build image, generating false positives. CodeSentry can accurately tell whether a component is present in the final product or not.
  • 2nd, 3rd, and 4th party coverage.
    Direct vendors may use their own third parties for software development. CodeSentry solves this problem by analyzing the final binary “as deployed”. It identifies open source no matter where it entered the software supply chain.
  • Shift Left and Shift Right.
    Binary SCA allows organizations to identify vulnerable open source when they evaluate third-party code, well before they incorporate it into their products. The security of delivered software is enhanced by using Binary SCA as a final check to scan binaries before deployment or releasing them to customers.
  • N-day and Zero-day Vulnerability detection and security scoring.
    CodeSentry identifies reused components and continuously tracks any vulnerabilities throughout the software lifecycle, supported by daily updates. Detecting critical, N-day, and Zero-day vulnerabilities as well as misconfiguration of security features in compilers early and precisely is key to reducing the cybersecurity risk and impact.

VulnDB Vulnerability Database

Most approaches to SCA leverage NIST’s National Vulnerability Database (NVD) and augment those vulnerabilities with a small number of publicly disclosed vulnerabilities published by the opensource projects. By some estimates, NVD is missing over 90,000 publicly disclosed vulnerabilities and can delay publishing new vulnerabilities for almost 4 weeks – a time during
which attackers have free rein to exploit them.

CodeSentry leverages VulnDB to provide data on opensource security. VulnDB provides the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest security vulnerabilities. As of 2023, VulnDB contains over 330,000 vulnerabilities, with over 20,000 new vulnerabilities added this year.Yet only two-thirds of these are published in the NVD. This leaves thousands of organizations relying on NVD unable to defend against the risk posed by these
vulnerabilities. testing and lifecycle traceability provide visibility across artifacts for a complete view, from requirements to release.

Supported Broad File Format Coverage

Across Languages, Operating Systems, and Platforms.

With support for a wide range of endpoint software archive formats, including self-extracting installers and popular package managers, CodeSentry makes it easy to scan the applications your organization uses every day. In addition, various virtual machines, disks, embedded, firmware, and mobile images are supported.

System Specifications

Client: Any modern desktop web browser GraphQL API

Deployment: On-premises, FIPS Compatible SaaS (supports GovCloud)

Software Bill of Materials (SBOM) Output: CycloneDX, SPDX, JSON, CSV, PDF, HTML

Aris, Juniper, Kosmos:  SREC, bFLT, base64, Intel Hex, uBoot, wim

Compiled Languages

C/C++:  Executables, objects, libraries (.exe, .obj, .dll, .o, .so, .a, ) Linux Kernel / Kernel Module Other ELF file types

C#: .exe / .dll

Java: java class files, .jar

Go .exe / .dll / .o / .so /

Interpreted Languages

JavaScript:  Manifest, .npm, .js

Python: Manifest, .python, .py

CPU Architectures

CPU Intel, PowerPC, Sparc, Arm32/64, MIPS, AVR32

Desktop/Server Operations Systems

Windows, Linux, macOS: Libraries, Debian, executables, kernel modules, applications

Linux Package Manager: RPM, Debian


Container/ Files Systems

Docker :tar.gz, overlay2, aufs

File System:  ext2, ext3, ext4, iso, squashfs, cramfs, Android Sparse Disk Image, romfs, JFFS2, ubifs, yaffs2, vmdk

Embedded: VxWorks, QNX, Squashfs, Cramfs

Mobile Platforms

Android: apk, Dex, Odex, Android Sparse (disk image)

iOS: ipa

Archive Formats

Type Files: 7z, chm, lzip, rzip, lzma, tar, cpio, lzop, upx, Ar, gzip, xar, bzip2, zip, lrzip, rar, arj, xz, pkg, dmg, msi, msu, cab, rpm, deb, apk (alpine linux)


Aris, Juniper, Kosmos, Cisco: SREC, bFLT, base64, Intel Hex, uBoot, wim.


Customers about our services

soplar s.a.

„We would repeat our decision to choose Rhapsody® at any time. The strikingly improved efficiency, higher quality, and flexibility plus reusability of models make any adverse details negligible. Today we develop more machines with fewer resources in less time."

Reinhold Wüstner

Head of Product Development

Schindler Elevator Ltd.

„Seamless integration of the development environment is one of our critical success criteria. Model Driven Development with Rational Rhapsody®allows us to generate the code for the target platform direct from the UML model. Integrating the debugger saves us enormous amounts of time in developing complex, embedded real-time applications. Thanks to EVOCEAN's support, today we can use this tool efficiently."

Juan Carlos Abad

Project Manager

Bernina International AG

„The architecture must be set up in the right way and in conformity with the requirements of model driven development – right from the beginning! I strongly recommend to seek for the support of an external, experienced Rhapsody specialist as for example supplied by EVOCEAN and to model the architecture together.“

Giovanni Annunzio

System Architect

Phonak Communication AG

„Model Driven Development with Rational Rhapsody® was a critical success factor for developing inspiro within the required schedule and market needs. Thanks to EVOCEAN's support, we were able to implement the tool quickly and apply the methodology effectively."

Rainer Platz

Head of R&D

Commentaire sur nos formation – Rhapsody

Le formateur a été très bien préparé, a une excellente vue d'ensemble et une connaissance approfondie de l'outil et des processus et méthodes environnants (A-Spice).

Grand fournisseur automobile

Ingénieur systèmes

soplar s.a. – Training

„Starting to use Rational Rhapsody®without coaching or training is not recommended. Understanding the why behind certain processes is essential to working effectively. Training with EVOCEAN was very valuable for me in this regard."

Vitali Mozgovoi

Software Developer

Mettler Toledo AG

„Development in the embedded area should be platform independent and the used tools should support this!“

Wolfgang Boos

Head Software Development

Kern AG

„Even if the change to Rhapsody required at first additional investment and effort – we have never regretted our decision. The fully automatic code generation from the model makes our life easier!“

Andreas Dubach

Head of Development Systems

Perforce Helix Core Kunde welcher verkauft wurde an globalen Leader.

"Perforce Helix Core erfüllt unsere Erwartungen vollumfänglich. Wir haben eine Lösung aus einer Hand auf welche wir uns verlassen können."

Leiter Produktentwicklung

Schmidhauser AG

"A picture is worth a thousand words. Thanks to Rational Rhapsody® models, we can discuss new functionalities much better with our customers – even without knowledge of the code."

Peter Bode

Project Manager Mobile Drives