| Developers: | Profiscope |
| System launch date: | 2021/01 |
| Last release date: | 2025/12/16 |
| Technology: | Application Development Tools |
CodeScoring automates the validation of open source components and provides developers with analysis results.
CodeScoring is a Russian OSA/SCA solution that secures the use of Open Source components and protects the supply chain at all stages of the software lifecycle. The solution allows you to collect and manage information about the open source components used and monitor security risks, as well as license and operational risks, according to configured policies.
2025
Add security to the software supply chain without binding to artifact repositories
OSA Proxy has been introduced on the CodeScoring platform: software supply chain protection that is not tied to any artifact repository. Profiscope announced this on December 16, 2025.
The service allows the security of components to be controlled before they enter the corporate infrastructure. The CodeScoring.OSA module now includes the OSA Proxy service, which automatically scans third-party open source components and blocks unsafe packages as they are downloaded from external package indexes.
OSA Proxy moves software composition analysis to the earliest stage of development: the moment a package is installed. This matters increasingly in the face of growing supply chain attacks. The sooner a dangerous component is identified and blocked, the lower the risk and cost to the development team and the organization as a whole.
OSA Proxy intercepts package manager requests to external indexes (Maven Central, NPM, PyPI, NuGet), checks components for compliance with security policies and can block vulnerable versions before they enter the corporate infrastructure. This is especially valuable for companies where independence from Western solutions is critical and where the release of secure software is a priority.
The key property of the solution is that it does not depend on an artifact repository: the service works regardless of the specific tooling in use and in a variety of scenarios. OSA Proxy supports both common and non-standard or specialized artifact storage, and can also operate with no storage at all.
Unlike local, plugin-based solutions, the service provides a centralized approach to managing package security at the level of the entire infrastructure.
| Alexey Smirnov, founder of the CodeScoring secure development platform: "OSA Proxy solves a critical task for Russian organizations. This is especially important now that companies are looking for flexible solutions to control the security of open source components without changing their own processes or infrastructure. OSA Proxy works with or without any storage, which expands implementation options for organizations of various levels, |
Technical details:
- Support for the major package indexes: Maven Central (Java), NPM (JavaScript), PyPI (Python), NuGet (.NET), Go Modules (Go), Debian Packages (Debian), as well as alternative repositories compatible with the official specifications.
- OSA Proxy works directly with the ecosystem indexes, which makes it easier to roll out and reduces the time spent configuring the infrastructure.
- Scanning of both dependency manifests and individual packages.
- Flexible modes of operation, from monitoring (observer mode) to active blocking of unsafe components. This allows the level of control to be adapted to the requirements of a particular team, balancing security against development continuity.
- Automatic filtering of insecure versions. The service modifies responses from third-party repositories: it removes prohibited versions, redirects links and recalculates checksums, while preserving the correct formats.
The service is built on an asynchronous processing model and an automatic retry mechanism for transient errors, which keeps it operating stably under high load or short-lived failures. OSA Proxy is available to all users of the CodeScoring.OSA module.
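The filtering step described above (remove blocked versions from an index response, keep the document well-formed, recompute the checksums clients verify) can be illustrated on Maven metadata. The following is an added example written for this page, not CodeScoring's or OSA Proxy's own code: the artifact `com.example:demo-lib`, its `maven-metadata.xml` and the block list are all constructed, and the policy is a plain version set rather than a real CodeScoring policy.

```python
"""Illustration of index-response filtering of the kind a package proxy performs:
strip policy-blocked versions from a Maven maven-metadata.xml, keep the XML valid,
and recompute the companion checksum files (.md5/.sha1/.sha256) that clients fetch
to verify the metadata. All inputs are constructed; this is not CodeScoring's code."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample metadata for a hypothetical artifact.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<metadata>
  <groupId>com.example</groupId>
  <artifactId>demo-lib</artifactId>
  <versioning>
    <latest>1.2.0</latest>
    <release>1.2.0</release>
    <versions>
      <version>1.0.0</version>
      <version>1.1.0</version>
      <version>1.2.0</version>
    </versions>
    <lastUpdated>20251216120000</lastUpdated>
  </versioning>
</metadata>
"""

# Constructed policy: artifact coordinates -> versions that must not reach developers.
BLOCKED = {"com.example:demo-lib": {"1.2.0"}}


def filter_metadata(xml_text: str, blocked: dict) -> tuple:
    """Return (filtered_xml, removed_versions).

    Documents that contain no blocked version are passed through byte-for-byte so
    their original checksums stay valid."""
    root = ET.fromstring(xml_text)
    key = f"{root.findtext('groupId')}:{root.findtext('artifactId')}"
    deny = blocked.get(key, set())
    versioning = root.find("versioning")
    versions_el = versioning.find("versions")
    removed = []
    for v in list(versions_el):
        if v.text in deny:
            versions_el.remove(v)
            removed.append(v.text)
    if not removed:
        return xml_text, []
    remaining = [v.text for v in versions_el]
    # If the advertised <latest>/<release> was blocked, re-point it to the last
    # remaining entry (Maven lists versions in upload order), or drop the tag.
    for tag in ("latest", "release"):
        el = versioning.find(tag)
        if el is not None and el.text in deny:
            if remaining:
                el.text = remaining[-1]
            else:
                versioning.remove(el)
    return ET.tostring(root, encoding="unicode", xml_declaration=True), removed


def checksums(body: str) -> dict:
    """Hex digests served as maven-metadata.xml.md5 / .sha1 / .sha256 for the rewritten body."""
    data = body.encode("utf-8")
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def versions_in(xml_text: str) -> list:
    """Helper: list the <version> entries of a metadata document."""
    return [v.text for v in ET.fromstring(xml_text).iter("version")]


def latest_of(xml_text: str):
    """Helper: the <latest> value of a metadata document, or None."""
    return ET.fromstring(xml_text).findtext("versioning/latest")


def proxy_response(xml_text: str, blocked: dict) -> dict:
    """What the proxy would hand back for one metadata request: body, audit info, checksums."""
    body, removed = filter_metadata(xml_text, blocked)
    return {"body": body, "removed": removed, "checksums": checksums(body)}


if __name__ == "__main__":
    result = proxy_response(SAMPLE_METADATA, BLOCKED)
    print("removed:", result["removed"])
    print("remaining:", versions_in(result["body"]), "latest:", latest_of(result["body"]))
    print("sha1:", result["checksums"]["sha1"])
```

The point of recomputing the checksums is that a client such as Maven verifies `maven-metadata.xml` against the `.sha1`/`.md5` sidecar files; a proxy that edits the body but forwards the upstream checksums would make every filtered response look corrupted rather than filtered.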
Vulnerability Reachability Analysis
The CodeScoring platform now offers vulnerability reachability analysis that takes transitive dependencies into account. Profiscope announced this on December 4, 2025. The feature shows the real exploitability of a discovered vulnerability, i.e. it helps determine whether vulnerabilities found in the dependencies can actually be triggered through the calls that exist in the code. Open source libraries used in development can bring in tens or hundreds of known vulnerabilities that attackers could exploit. Analyzing every vulnerability in turn is labor intensive, so it is important to rank the detected problems by risk, including by means of reachability analysis. This approach helps teams focus primarily on real threats, prioritize fixes and reduce the potential cost of triaging findings by an order of magnitude.
Software composition analysis with reachability can already be carried out for projects in Java, Go and Python; work is underway to add support for other programming languages to the CodeScoring.SCA module: JavaScript, C#, PHP and Kotlin.
The CodeScoring team, in collaboration with specialists from the Phobos-NT Scientific and Technical Center and the IU10 Information Protection Department of Bauman Moscow State Technical University, studied open repositories containing the source code of projects in Java, Python, JavaScript, Go, Kotlin, C# and PHP, identified the calls characteristic of each vulnerability and built its own knowledge base, which is replenished regularly. This marking of vulnerable methods makes high-accuracy reachability analysis possible and reduces the number of false positives. As of December 2025, the database covers more than 10,000 known vulnerabilities.
The technological basis of the project is the construction of a call graph using analysis technologies of the V.P. Ivannikov Institute of System Programming of the Russian Academy of Sciences (ISP RAS).
| The program call graph identifies the connections of its methods to each other. The exact construction of such a graph is a non-trivial problem that requires deep code analysis based on fundamental scientific technologies. These include analyses of pointers and virtual methods widely used in modern programming languages. And compiled languages require build interception technology. We are developing all these analysis methods within the framework of the Svace static analyzer, so our specialists were able to finalize them in a short time and separate them out as a standalone component for use in CodeScoring.SCA. We are glad that with the release of this joint technology, our collaboration with longtime friends from CodeScoring has reached a new level, |
The algorithm works as follows: first, a graph of calls between the project's functions is built from the project's source code; then the graph is matched against the knowledge base. For each known vulnerability, the system knows the characteristic exploitation pattern, that is, how it can be used in real attacks. The user receives, as the result of the analysis, the list of reachable vulnerabilities found, with a call chain for each one.
| During pilot tests of this function, the analysis of the reachability of vulnerabilities was carried out by employees of T1 Innotech to assess its effectiveness. The key factor in this case is the accuracy of the results. To confirm accuracy, a manual check was carried out, during which it was possible to establish that the declared function correctly identifies both reachable and unreachable vulnerabilities, ensuring high reliability of the results. It is safe to say that automated analysis reflects the real state of affairs and can serve as the basis for decision-making to eliminate vulnerabilities. The vulnerability reachability check function allows not only to automate the prioritization of vulnerabilities taking into account the actual reachability, but also to significantly reduce the amount of manual analysis, which is relevant in conditions of lack of resources. This makes it a valuable tool for improving the efficiency and accuracy of software security, noted Maxim Shchedrin, head of the security testing department of T1 Innotech. |
Reachability analysis is available in the CodeScoring.SCA module from version 2025.37.0. The analysis results are displayed in the platform interface and in reports that are easy to export. The feature is designed to improve the efficiency of DevSecOps teams and reduce the burden on security teams.
Some vulnerabilities can be relevant even without a reachable call, so every identified threat should still be verified and remediated according to its degree of criticality.
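The algorithm outlined above (build the call graph, match it against a knowledge base of vulnerable methods, report each reachable vulnerability with a call chain) and the caveat that unreachable findings are still reported can be shown on a toy call graph. The following is an added example written for this page, not CodeScoring's or ISP RAS's code: the project call graph, the library names `yamllib`/`templatelib`/`imglib`, the entry point `app.main` and the vulnerability ids `VULN-EXAMPLE-1`/`VULN-EXAMPLE-2` are all constructed placeholders, and the knowledge base is a plain mapping from vulnerability id to vulnerable method names.

```python
"""Toy vulnerability reachability analysis: walk a project's call graph from its entry
points, find which known-vulnerable library methods are reached, and return one call
chain per reachable vulnerability. Graph and knowledge base are constructed for
illustration; this is not CodeScoring's code."""
from collections import deque

# Constructed call graph of a hypothetical project: caller -> callees. Library-internal
# edges are included because the vulnerable method is usually reached transitively.
CALL_GRAPH = {
    "app.main": ["app.handle_request", "app.health"],
    "app.handle_request": ["app.parse_body", "app.render"],
    "app.parse_body": ["yamllib.load", "app.validate"],
    "app.render": ["templatelib.render_string"],
    "app.validate": [],
    "app.health": [],
    "templatelib.render_string": ["templatelib.compile"],
    "templatelib.compile": [],
    "yamllib.load": ["yamllib.construct_object"],
    "yamllib.construct_object": [],
    # imglib is a declared dependency but nothing in the project calls into it.
    "imglib.decode": ["imglib.parse_header"],
    "imglib.parse_header": [],
}

# Constructed knowledge base: placeholder vulnerability id -> methods whose invocation
# constitutes exposure (the "characteristic calls" marked for each vulnerability).
KNOWLEDGE_BASE = {
    "VULN-EXAMPLE-1": {"package": "yamllib", "vulnerable_methods": {"yamllib.construct_object"}},
    "VULN-EXAMPLE-2": {"package": "imglib", "vulnerable_methods": {"imglib.parse_header"}},
}

ENTRY_POINTS = ["app.main"]


def shortest_chains(graph: dict, entry_points: list) -> dict:
    """Breadth-first search from the entry points.

    Returns node -> call chain (list of nodes from an entry point to that node) for
    every reachable node; BFS guarantees the chain is a shortest one."""
    chains = {}
    queue = deque()
    for entry in entry_points:
        chains[entry] = [entry]
        queue.append(entry)
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, []):
            if callee not in chains:
                chains[callee] = chains[node] + [callee]
                queue.append(callee)
    return chains


def analyze(graph: dict, entry_points: list, knowledge_base: dict) -> tuple:
    """Classify each known vulnerability.

    Returns (reachable, unreachable): reachable maps vulnerability id -> shortest call
    chain to one of its vulnerable methods; unreachable lists the ids with no chain.
    Unreachable findings are kept rather than dropped, since a vulnerability can still
    matter without a reachable call (reflection, deserialization gadgets, etc.)."""
    chains = shortest_chains(graph, entry_points)
    reachable, unreachable = {}, []
    for vuln_id, info in knowledge_base.items():
        hits = [chains[m] for m in sorted(info["vulnerable_methods"]) if m in chains]
        if hits:
            reachable[vuln_id] = min(hits, key=len)
        else:
            unreachable.append(vuln_id)
    return reachable, unreachable


if __name__ == "__main__":
    reachable, unreachable = analyze(CALL_GRAPH, ENTRY_POINTS, KNOWLEDGE_BASE)
    for vuln_id, chain in reachable.items():
        print(f"{vuln_id}: REACHABLE via " + " -> ".join(chain))
    for vuln_id in unreachable:
        print(f"{vuln_id}: not reachable from entry points (verify manually)")
```

Real analyzers differ from this toy in how the graph is obtained (pointer and virtual-method analysis, or build interception for compiled languages, as the ISP RAS quote above describes) and in how precisely the vulnerable methods are marked; the ranking logic, reachable first with a chain to show the reviewer, is the same.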
| Knowing all third-party components and their risks in your product is not enough. It is important to effectively manage this knowledge to build a quality, secure development process. The identified reachability of a known vulnerability is an increased risk to the product, since information about exploitation methods is most likely already in the public domain and can be used by anyone. The implementation of this type of analysis is a science-intensive and painstaking task, the solution of which was made possible thanks to our technological partners, noted Alexey Smirnov, founder of the CodeScoring secure development platform. |
2024: Integration with GitFlic
On August 28, 2024, ReSolut (part of the Astra Group) announced successful compatibility testing of GitFlic with the CodeScoring code security scanning solution, which is expected to significantly improve the secure software development (RBPO) process.
2023: Integration with Kaspersky Open Source Software Threats Data Feed
Kaspersky Lab and Profiscope announced that integration with the Kaspersky Open Source Software Threats Data Feed vulnerability data service is now available to CodeScoring users. This was announced by Web Control (WEB Control DC) on October 18, 2023.
