A security team runs a Software Composition Analysis (SCA) tool on a new application. The scan shows no high-risk findings. However, a subsequent penetration test reveals a critical vulnerability in an open-source component. Analysis confirms the vulnerability only manifests when a specific, non-default function within the library is called by the application. What is the MOST likely reason the SCA tool failed to report the vulnerability?
The CI/CD pipeline built the application with a different, vulnerable version of the library than the version scanned in the source code repository.
The SCA tool only checked for vulnerable library versions and did not perform reachability analysis to determine if the vulnerable function was actively used.
The penetration test discovered a zero-day vulnerability that was not yet present in the SCA tool's vulnerability database.
The SCA tool's vulnerability database was out of date and did not contain the signature for that specific vulnerability.
The correct answer is that the SCA tool likely only checked for vulnerable library versions and did not perform reachability analysis. Many SCA tools identify dependencies and their versions but do not analyze the application's own code to determine whether a vulnerable function within a dependency is actually reachable or called. If the vulnerable part of the library is never invoked, the risk is low; if it is invoked, as in this scenario, a tool without reachability analysis can miss the active risk. The other options are less likely. A penetration test discovering a zero-day is possible but less likely than an SCA tool missing context. If the tool's database were out of date, it would likely miss other vulnerabilities too, not just this specific one. A CI/CD build mismatch is a plausible issue, but it is a pipeline problem, not a limitation of the SCA tool's analysis method itself.