Software Composition Analysis
Software Composition Analysis (SCA) is a process or set of tools used to inspect software components and their dependencies to identify security and compliance concerns.
Identifying licenses
The licenses of third-party dependencies are identified. This lets organizations enforce compliance policies around the license exposure introduced by third-party dependencies.
Understand dependencies
Dependencies often form complex graphs, and the SCA process/tools build a complete picture of this graph. The dependency graph ensures that license and vulnerability exposure is understood completely, including dependencies that are pulled in indirectly rather than declared directly.
Identify and mitigate vulnerabilities
Vulnerabilities for the software components and their dependencies are identified. The dependency graph and Common Vulnerabilities and Exposures (CVE) databases are used by the SCA process/tools to identify risks and provide mitigation options.
Software Bill of Materials
A Software Bill of Materials (SBOM) can be produced from the dependency graph to provide a detailed list of the dependencies and where they're used. The SBOM may be utilized to assess security vulnerability exposure on an ongoing basis.
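The following is an added example, not code from the original page or from any SCA product it mentions. It ties together the four activities described above on one small, constructed dependency graph: it walks the graph from a root package (recording the path through which each transitive dependency is reached), flags dependencies whose license is on an organization's deny list, matches resolved versions against a vulnerability database, and emits a minimal SBOM in the spirit of CycloneDX. Every package name, version, license assignment and vulnerability identifier is a constructed placeholder; a real tool would read a lockfile and query an advisory source (such as the GitHub Advisory Database or OSV) instead of the inline dictionaries. The `path` field on each SBOM component is this example's own addition to show where a dependency is used, not a standard CycloneDX field.

```python
"""Minimal software composition analysis over a constructed dependency graph.

Added example, not from the original page. All package names, versions,
licenses and vulnerability identifiers below are constructed placeholders.
"""
import json
from collections import deque

# Constructed package metadata: name -> (version, license, [dependency names]).
PACKAGES = {
    "webapp": ("1.0.0", "MIT", ["http-lib", "yaml-parser"]),
    "http-lib": ("2.3.1", "Apache-2.0", ["compression"]),
    "yaml-parser": ("0.9.0", "GPL-3.0-only", ["compression"]),
    "compression": ("1.1.2", "BSD-3-Clause", []),
}

# Constructed vulnerability database (placeholder IDs, not real CVEs).
VULN_DB = {
    "compression": [
        {"id": "PLACEHOLDER-VULN-0001", "affected": ["1.1.2"], "fixed_in": "1.1.3"}
    ],
    "http-lib": [
        {"id": "PLACEHOLDER-VULN-0002", "affected": ["2.0.0", "2.1.0"], "fixed_in": "2.2.0"}
    ],
}

# Licenses the (hypothetical) organization's policy does not permit in shipped software.
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


def resolve_graph(root):
    """Breadth-first walk from the root; returns {package: [path from root]}.
    The path records where each (possibly transitive) dependency is used."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for dep in PACKAGES[current][2]:
            if dep not in paths:          # first discovery wins; avoids cycles
                paths[dep] = paths[current] + [dep]
                queue.append(dep)
    return paths


def license_findings(paths):
    """Flag any dependency whose license is on the deny list, with its path."""
    return sorted(
        (name, PACKAGES[name][1], " -> ".join(path))
        for name, path in paths.items()
        if PACKAGES[name][1] in DENIED_LICENSES
    )


def vulnerability_findings(paths):
    """Match each resolved version against the vulnerability database."""
    findings = []
    for name, path in paths.items():
        version = PACKAGES[name][0]
        for vuln in VULN_DB.get(name, []):
            if version in vuln["affected"]:
                findings.append({
                    "package": name,
                    "version": version,
                    "id": vuln["id"],
                    "mitigation": f"upgrade to {vuln['fixed_in']}",
                    "introduced_via": " -> ".join(path),
                })
    return sorted(findings, key=lambda f: f["package"])


def build_sbom(root, paths):
    """Produce a minimal CycloneDX-style SBOM (structure simplified; the
    'path' field is this example's own addition, not part of the spec)."""
    components = [
        {
            "name": name,
            "version": PACKAGES[name][0],
            "licenses": [PACKAGES[name][1]],
            "path": paths[name],
        }
        for name in sorted(paths)
        if name != root
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"name": root, "version": PACKAGES[root][0]}},
        "components": components,
    }


if __name__ == "__main__":
    graph = resolve_graph("webapp")
    print("License findings:", license_findings(graph))
    print("Vulnerabilities:", vulnerability_findings(graph))
    print(json.dumps(build_sbom("webapp", graph), indent=2))
```

Run as a script, the output shows the GPL-licensed parser reached directly from the root, the one vulnerable version (the transitive `compression` dependency, reached through `http-lib`) together with its upgrade path, and the SBOM listing all three resolved dependencies. Because the SBOM records versions rather than just names, it can be re-checked against a refreshed advisory source later without re-resolving the build, which is the ongoing-assessment use the section describes.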
Examples
Analysis of the results must take into account factors such as vulnerability type, budget, and update frequency.
GitHub's dependency graph (documented in "About the dependency graph") can be used to create a dependency graph for code stored within GitHub. For each dependency, license and vulnerability information is made available.
The "Improve release artifact and workload integrity in Kubernetes via a secure software supply chain" solution includes an implementation that demonstrates how to create an SBOM when building a software release. The SBOM is used in conjunction with a policy gate to ensure workloads deployed to an AKS cluster meet security and compliance requirements.