Binary Software Component Analysis When Source Code Not Available

CodeSentry is CodeSecure’s leading Binary Software Composition Analysis (BSCA) solution for gaining component inventory and insights into vulnerabilities and software risks. CodeSentry also generates SBOMs, supports vulnerability disclosures, and helps respond to Software Supply Chain Security (SSCS) risks.

Scan Post-Production Applications and Packages: Binary Analysis When Source Code Is Not Available

CodeSentry is a Binary SCA solution that identifies open-source components and shared dependencies in binaries, including firmware, containers, and mobile or desktop applications. The resulting component inventory is reported through an SBOM, which is also mapped to VulnDB, the industry’s most complete database of software vulnerabilities.

Key Benefits

Why CodeSentry? This product is designed to reduce time-to-market, identify vulnerabilities, and provide an SBOM.

  • Reduce time-to-market
    Vendors, contractors, and partners provide compiled executables, not source code. Binary SCA analyzes compiled executables to identify open-source components, then maps the components to our database of vulnerabilities.
  • Identify weak security practices
    CodeSentry helps organizations prevent vulnerable components from entering their products by proactively producing an accurate SBOM of third-party binary components when binaries are evaluated.
  • Provide accurate SBOMs to customers
    CodeSentry’s Zero-Day Service can detect security issues associated with command and data injection, weak cryptography, race conditions, and many other common weaknesses.

Risk in the Software Supply Chain

Building secure software requires development teams to follow good security practices. But most software
today includes externally developed code, including open-source components and commercial binaries.
Development teams are also being tasked with delivering an SBOM to their customers.

Software Bill of Materials (SBOM) without Source Code

CodeSentry is a Binary SCA solution that identifies open-source components and shared library
dependencies in binaries, including firmware, containers, and mobile or desktop applications. The resulting
component inventory is reported through an SBOM, which is also mapped to VulnDB, the industry’s most
complete database of software vulnerabilities. The resulting application intelligence and vulnerability
visibility mitigates risk, improves software security, and strengthens enterprise security postures by
defending your products against software supply chain attacks.

Component Inventory and License Information

Checking license information ensures compliance and reduces the risk that software is released and/or consumed with unlicensed components.

  • SBOM Generation, Annotation, and Output:
    CodeSentry scans binaries to auto-generate a detailed SBOM via an intuitive interface that is easy for non-technical users. SBOM entries can be included or excluded with the annotation feature. Flexible SBOM output formats include PDF, HTML, CSV, SPDX, JSON, and CycloneDX, and Vulnerability
  • The Inventory and Vulnerability Search:
    CodeSentry search finds components and vulnerabilities across the inventory of scanned files and identifies vulnerable components, thereby saving time when vulnerabilities are declared and remediation actions are required. The inventory of scans can be filtered to show the latest updates to vulnerabilities, remediation, and exploit information to easily determine what actions should be taken to mitigate security risks.
  • API-First Approach & Integration:
    An advanced GraphQL interface allows sophisticated integration with external systems including ticketing and vulnerability tracking systems.
  • Audit Logging:
    CodeSentry logs API activities, user logins and exports via UI and APIs to ensure proper usage and allow identification of potentially improper or malicious activity.
  • Deployment Flexibility:
    CodeSentry can be deployed on-premises. For organizations that wish to maintain lower overhead, it is also available as a single-tenant SaaS deployment.
  • Purchasing Flexibility:
    Now available in three options: CodeSentry SBOM Edition, Security Edition, and Advanced Security Edition.
  • Live N-Day Updates:
    CodeSentry continuously updates the database of known components and vulnerabilities, and updates existing scans with the latest vulnerabilities, remediation, and exploit information.

The CodeSentry Difference

Binary SCA's unique capabilities are unavailable in source-based SCA solutions.

  • No requirement for source code.
    Source code is rarely available for third-party components, and is not always available to security teams, even for in-house applications. Binary SCA can produce an accurate SBOM without access to source code.
  • Views code “as deployed”.
    Source SCA only sees components “as built”. CodeSentry analyzes the binary that executes. This allows it to identify any components or vulnerabilities introduced during compilation and packaging code for release. Source SCA also often lists components that are not in the final build image, generating false positives. CodeSentry can accurately tell whether a component is present in the final product or not.
  • 2nd, 3rd, and 4th party coverage.
    Direct vendors may use their own third parties for software development. CodeSentry solves this problem by analyzing the final binary “as deployed”. It identifies open source no matter where it entered the software supply chain.
  • Shift Left and Shift Right.
    Binary SCA allows organizations to identify vulnerable open source when they evaluate third-party code, well before they incorporate it into their products. The security of delivered software is enhanced by using Binary SCA as a final check to scan binaries before deployment or releasing them to customers.
  • N-day and Zero-day Vulnerability detection and security scoring.
    CodeSentry identifies reused components and continuously tracks any vulnerabilities throughout the software lifecycle, supported by daily updates. Detecting critical, N-day, and Zero-day vulnerabilities as well as misconfiguration of security features in compilers early and precisely is key to reducing the cybersecurity risk and impact.

VulnDB Vulnerability Database

Most approaches to SCA leverage NIST’s National Vulnerability Database (NVD) and augment those vulnerabilities with a small number of publicly disclosed vulnerabilities published by the open-source projects. By some estimates, NVD is missing over 90,000 publicly disclosed vulnerabilities and can delay publishing new vulnerabilities for almost 4 weeks, a time during which attackers have free rein to exploit them.

CodeSentry leverages VulnDB to provide data on open-source security. VulnDB provides the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest security vulnerabilities. As of 2023, VulnDB contains over 330,000 vulnerabilities, with over 20,000 new vulnerabilities added this year. Yet only two-thirds of these are published in the NVD. This leaves thousands of organizations relying on NVD unable to defend against the risk posed by these vulnerabilities.

Supported Broad File Format Coverage

Across Languages, Operating Systems, and Platforms.

With support for a wide range of endpoint software archive formats, including self-extracting installers and popular package managers, CodeSentry makes it easy to scan the applications your organization uses every day. In addition, various virtual machines, disks, embedded, firmware, and mobile images are supported.

System Specifications

Client: Any modern desktop web browser, GraphQL API

Deployment: On-premises, FIPS Compatible SaaS (supports GovCloud)

Software Bill of Materials (SBOM) Output: CycloneDX, SPDX, JSON, CSV, PDF, HTML

Aris, Juniper, Kosmos:  SREC, bFLT, base64, Intel Hex, uBoot, wim

Compiled Languages

C/C++: Executables, objects, libraries (.exe, .obj, .dll, .o, .so, .a), Linux kernel / kernel modules, other ELF file types

C#: .exe / .dll

Java: Java class files, .jar

Go: .exe / .dll / .o / .so

Interpreted Languages

JavaScript:  Manifest, .npm, .js

Python: Manifest, .python, .py

CPU Architectures

CPU: Intel, PowerPC, Sparc, Arm32/64, MIPS, AVR32

Desktop/Server Operating Systems

Windows, Linux, macOS: Libraries, Debian, executables, kernel modules, applications

Linux Package Manager: RPM, Debian


Container / File Systems

Docker: tar.gz, overlay2, aufs

File System:  ext2, ext3, ext4, iso, squashfs, cramfs, Android Sparse Disk Image, romfs, JFFS2, ubifs, yaffs2, vmdk

Embedded: VxWorks, QNX, Squashfs, Cramfs

Mobile Platforms

Android: apk, Dex, Odex, Android Sparse (disk image)

iOS: ipa

Archive Formats

Type Files: 7z, chm, lzip, rzip, lzma, tar, cpio, lzop, upx, Ar, gzip, xar, bzip2, zip, lrzip, rar, arj, xz, pkg, dmg, msi, msu, cab, rpm, deb, apk (alpine linux)


Aris, Juniper, Kosmos, Cisco: SREC, bFLT, base64, Intel Hex, uBoot, wim.

