
    FerroSCA - Rust-native SBOM / SCA and vulnerability-management server

    Deployed on AWS
    Rust-native SBOM / SCA and vulnerability management server. Ingests CycloneDX and SPDX SBOMs, scores findings with CVSS and EPSS, and serves results over a REST API. Sub-second boot. Hardened AMI.

    Overview

    FerroSCA is a Rust-native SBOM (Software Bill of Materials) / SCA (Software Composition Analysis) and vulnerability-management server packaged as a hardened Amazon Linux 2023 AMI on AWS Graviton (arm64). It ingests CycloneDX 1.4 / 1.5 / 1.6 (JSON and XML) and SPDX 2.2 / 2.3 SBOMs, correlates the components against public vulnerability data (NVD JSON 2.0, OSV, public advisory feeds, and the CISA KEV catalogue), scores findings with CVSS v2 / v3 / v4 and EPSS, evaluates policy, and exposes the results over a REST API. The server runs as a single Rust process: there is no JVM, no separate front-end tier, no separate worker tier. It starts in under a second, idles under about 256 MB of RAM, and embeds its dashboard in the same binary.

    What FerroSCA does today (v1.0 line):

    • SBOM ingest of CycloneDX 1.4 / 1.5 / 1.6 (JSON + XML) and SPDX 2.2 / 2.3, with streaming upload, a memory ceiling, and token-based async processing.
    • SBOM export to CycloneDX, SPDX, VDR, and VEX.
    • Vulnerability intelligence from NVD JSON 2.0, OSV, public advisory feeds, and the CISA Known Exploited Vulnerabilities catalogue, with EPSS enrichment and CSAF 2.0 / VEX 1.4 consumption plus air-gapped mirror import.
    • Package URL 0.6 and CPE 2.3 identifiers, CVSS v2 / v3 / v4 and EPSS scoring, and distro-aware matching for Alpine, Debian, and Ubuntu base images.
    • A policy engine with 30+ conditions plus SPDX license detection and reporting.
    • Notifications over Email and Webhook (with adapter slots for chat-platform webhooks and issue-tracker webhooks).
    • Local-user authentication with SHA3-256 API keys, OIDC, LDAP (gated), TLS via rustls, and project-level ACL on mutations.
    Engineering posture (verifiable from the shipped artefacts): #![forbid(unsafe_code)] in every crate, clippy clean at -D warnings (CI-enforced workspace-wide), a no-unwrap()/expect()-in-production-code convention, a full workspace test suite (over 13,000 tests at the v1.0 release tag), a cargo-deny supply-chain gate, a CycloneDX SBOM and self-VDR produced during the AMI bake, fuzz-targeted SBOM and PURL parsers, and a published KNOWN_LIMITATIONS document. The AMI is hardened (SELinux enforcing, fail2ban enabled, automatic security updates via dnf-automatic, systemd ProtectSystem=strict / NoNewPrivileges / capability bounding set emptied) and ships unique per-instance secrets (admin password, session secret, API key pepper) generated from /dev/urandom on first boot, with the admin account flagged forcedPasswordChange so the buyer must change the password on first login.

    Honest scope (please read before purchasing): PostgreSQL, SQLite, and the embedded sled storage backend are supported; MySQL is excluded from the build. FIPS-validated crypto, SPDX 3.0 ingest, and a third-party security audit are on the roadmap. The supported Marketplace topology is single-node behind an Application Load Balancer. Refer to the KNOWN_LIMITATIONS document shipped with the AMI for the full list.

    Entitlement and billing run entirely through AWS Marketplace: this is a standard hourly-plus-annual per-instance-type AMI product, metered automatically by AWS per running EC2 instance-hour. There is no separate license server, no out-of-band activation key, and no external transaction of any kind required to use the product.

    Highlights

    • Single Rust process: embedded dashboard, no separate front-end tier. Boots in under a second and idles under about 256 MB of RAM, on PostgreSQL, SQLite, or the embedded sled storage backend.
    • Ingests CycloneDX 1.4 / 1.5 / 1.6 and SPDX 2.2 / 2.3 SBOMs; correlates against public vulnerability data and the CISA KEV catalogue with CVSS v2 / v3 / v4 and EPSS scoring; 30+ policy conditions; distro-aware matching for Alpine, Debian, and Ubuntu base images.
    • Hardened, scanned AMI on Amazon Linux 2023 / Graviton (arm64): SELinux enforcing, automatic security updates, systemd hardening, unique per-instance admin password and secrets, forced password change on first login. #![forbid(unsafe_code)] workspace-wide. Apache-2.0 source.

    Details

    Delivery method

    Delivery option
    64-bit (Arm) Amazon Machine Image (AMI)

    Latest version

    Operating system
    AmazonLinux 2023



    Pricing

    Pricing is based on actual usage, with charges varying according to how much you consume. Subscriptions have no end date and may be canceled any time. Alternatively, you can pay upfront for a contract, which typically covers your anticipated usage for the contract duration. Any usage beyond contract will incur additional usage-based costs.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator to estimate your infrastructure costs.

    Usage costs (10)

    Dimension      Cost/hour
    c7g.large      $0.06   (Recommended)
    c7g.2xlarge    $0.24
    t4g.medium     $0.05
    c7g.xlarge     $0.12
    c7g.medium     $0.03
    m7g.xlarge     $0.12
    t4g.large      $0.06
    m7g.large      $0.06
    r7g.large      $0.06
    t4g.small      $0.04

    Vendor refund policy

    Contact aws-support@abyo.net within 30 days of a charge to request a refund for a billing error or a documented defect in the supported distribution. Refunds are processed in accordance with the AWS Marketplace Standard Contract.


    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA).

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information


    Delivery details

    64-bit (Arm) Amazon Machine Image (AMI)

    Amazon Machine Image (AMI)

    An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.

    Version release notes

    FerroSCA v1.0 line. Rust-native SBOM (Software Bill of Materials) / SCA (Software Composition Analysis) and vulnerability-management server. A single Rust process (no JVM, no separate front-end) boots in under a second and idles under about 256 MB of RAM. Ingests CycloneDX 1.4 / 1.5 / 1.6 and SPDX 2.2 / 2.3; correlates against public vulnerability data (NVD JSON 2.0, OSV, public advisory feeds, CISA KEV) with CVSS v2 / v3 / v4 and EPSS scoring; 30+ policy conditions; distro-aware matching for Alpine, Debian, and Ubuntu base images.

    PostgreSQL, SQLite, and the embedded sled storage backend are supported; MySQL is excluded from the build. The supported Marketplace topology is single-node.

    Hardened, scanned AMI on Amazon Linux 2023 / Graviton (arm64) with SELinux enforcing, automatic security updates, systemd hardening, unique per-instance admin password and secrets generated on first boot, and forced password change on first login.

    Engineering: #![forbid(unsafe_code)] workspace-wide, clippy clean at -D warnings, no unwrap() in production code, cargo-deny supply-chain gate, CycloneDX SBOM + self-VDR produced during the AMI bake, fuzz-tested parsers.

    All entitlement runs through AWS Marketplace: metered automatically per EC2 instance-hour, with no external license server, no activation key, and no out-of-band transaction required.

    Additional details

    Usage instructions

    Launch the self-contained FerroSCA AMI on EC2 (Graviton / arm64) with the provided CloudFormation template (marketplace/cloudformation/quickstart.yaml) behind an Application Load Balancer; terminate TLS at the ALB and do not expose the service port directly to the internet. The instance boots one Rust process (single-node mode) with embedded dashboard and local storage.

    On first boot the AMI generates a unique per-instance admin password from /dev/urandom and writes it to /var/lib/ferrosca/initial-credentials.txt (mode 0600, owner ferrosca). SSH in as ec2-user, sudo to root, read the file, change the admin password on first login (the server forces this), and delete the file.

    Browse to the dashboard on port 8080, then upload CycloneDX or SPDX SBOMs over the REST API and review the findings, which are correlated against public vulnerability data and the CISA KEV catalogue with CVSS and EPSS scoring.

    All entitlement is via AWS Marketplace; there are no external accounts, license keys, or out-of-band activation steps. The supported topology is single-node; multi-node HA fails closed by default. See docs/KNOWN_LIMITATIONS.md shipped with the AMI.

    Support

    Vendor support

    Marketplace subscribers receive support by email at aws-support@abyo.net under the published service level agreement. Include your AWS account id and the EC2 instance id when you open a ticket. A limitations document, a STRIDE threat model, and a due-diligence pack ship with the product. All entitlement is via AWS Marketplace; there are no external accounts, license keys, or out-of-band activation steps.

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Customer reviews

    0 ratings, 0 reviews. No customer reviews yet.