Software Composition Analysis

Software Composition Analysis (SCA) is a process or set of tools used to inspect software components and their dependencies to identify security and compliance concerns.

Identifying licenses

The licenses of third-party dependencies are identified. This supports organizations in enforcing compliance policies around the license exposure created by third-party dependencies.

Understand dependencies

Dependencies often form complex graphs, and the SCA process/tools build a complete picture of this graph, including transitive dependencies. The dependency graph ensures that the full license and vulnerability exposure, not just that of the direct dependencies, is understood.

Identify and mitigate vulnerabilities

Vulnerabilities in the software components and their dependencies are identified. The SCA process/tools match the packages and versions in the dependency graph against Common Vulnerabilities and Exposures (CVE) databases to identify risks and provide mitigation options, such as upgrading to a fixed version.

Software Bill of Materials

A Software Bill of Materials (SBOM) can be produced from the dependency graph to provide a detailed list of the dependencies and where they're used. The SBOM may be utilized to assess security vulnerability exposure on an ongoing basis.
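The three steps described above (building the dependency graph, matching it against a vulnerability feed, and emitting an SBOM) can be illustrated with a small script. This is an added example, not code from any real SCA tool: the package index, the vulnerability feed (with placeholder identifiers in the CVE-0000-NNNN form), the license policy and the SBOM field names are all constructed for the example.

```python
"""Toy software composition analysis over a constructed dependency manifest."""
import json
from collections import deque
from typing import Dict, List, Tuple

# Constructed sample data: the direct dependencies of an application and the
# metadata a package index would return (version, license, declared requires).
# Package names, versions and licenses are made up for this example.
DIRECT_DEPS = ["webapp-core"]

PACKAGE_INDEX: Dict[str, dict] = {
    "webapp-core":  {"version": "2.4.0", "license": "MIT",          "requires": ["http-client", "template-lib"]},
    "http-client":  {"version": "1.9.3", "license": "Apache-2.0",   "requires": ["tls-shim"]},
    "template-lib": {"version": "0.8.1", "license": "GPL-3.0-only", "requires": ["tls-shim"]},
    "tls-shim":     {"version": "3.1.2", "license": "BSD-3-Clause", "requires": []},
}

# Constructed vulnerability feed: (identifier, first affected version, first fixed
# version) per package, the shape a CVE-style advisory database provides.
# The identifiers are placeholders, not real CVE numbers.
VULN_FEED: Dict[str, List[Tuple[str, Tuple[int, ...], Tuple[int, ...]]]] = {
    "tls-shim":     [("CVE-0000-0001", (3, 0, 0), (3, 1, 5))],
    "template-lib": [("CVE-0000-0002", (0, 8, 0), (0, 9, 0))],
    "http-client":  [("CVE-0000-0003", (1, 0, 0), (1, 8, 0))],  # fixed before 1.9.3
}

# Example license policy: licenses the organization wants flagged for review.
RESTRICTED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.9.3' -> (1, 9, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def build_graph(direct: List[str]) -> Dict[str, List[str]]:
    """Breadth-first walk of the package index; returns name -> [dependencies],
    so transitive dependencies are included exactly once."""
    graph: Dict[str, List[str]] = {}
    queue = deque(direct)
    while queue:
        name = queue.popleft()
        if name in graph:
            continue
        graph[name] = list(PACKAGE_INDEX[name]["requires"])
        queue.extend(graph[name])
    return graph


def dependency_paths(graph: Dict[str, List[str]], direct: List[str]) -> Dict[str, List[List[str]]]:
    """Every root-to-package path, i.e. 'where each dependency is used'."""
    paths: Dict[str, List[List[str]]] = {}

    def walk(name: str, path: List[str]) -> None:
        if name in path:          # guard against cyclic declarations
            return
        path = path + [name]
        paths.setdefault(name, []).append(path)
        for dep in graph[name]:
            walk(dep, path)

    for root in direct:
        walk(root, [])
    return paths


def find_vulnerabilities(graph: Dict[str, List[str]]) -> List[dict]:
    """Match each resolved version against the feed's affected ranges."""
    findings = []
    for name in graph:
        version = PACKAGE_INDEX[name]["version"]
        v = parse_version(version)
        for vuln_id, introduced, fixed in VULN_FEED.get(name, []):
            if introduced <= v < fixed:
                fixed_str = ".".join(map(str, fixed))
                findings.append({"package": name, "version": version, "id": vuln_id,
                                 "mitigation": f"upgrade to >= {fixed_str}"})
    return findings


def license_findings(graph: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Packages whose license falls under the restricted policy."""
    return [(n, PACKAGE_INDEX[n]["license"]) for n in graph
            if PACKAGE_INDEX[n]["license"] in RESTRICTED_LICENSES]


def build_sbom(graph: Dict[str, List[str]], paths: Dict[str, List[List[str]]]) -> dict:
    """Minimal SBOM: one component per package with license and usage paths.
    Field names only loosely resemble CycloneDX; this is not a schema-valid document."""
    return {"components": [
        {"name": n, "version": PACKAGE_INDEX[n]["version"],
         "license": PACKAGE_INDEX[n]["license"],
         "used_via": [" -> ".join(p) for p in paths[n]]}
        for n in sorted(graph)]}


def run_sca(direct: List[str] = DIRECT_DEPS) -> dict:
    graph = build_graph(direct)
    paths = dependency_paths(graph, direct)
    return {"graph": graph,
            "vulnerabilities": find_vulnerabilities(graph),
            "license_issues": license_findings(graph),
            "sbom": build_sbom(graph, paths)}


if __name__ == "__main__":
    print(json.dumps(run_sca(), indent=2))
```

Run as written, the script reports two vulnerable packages (tls-shim and template-lib, with their upgrade targets), flags template-lib for its license, and shows in the SBOM that tls-shim is reached through two different paths, which is the information a reviewer needs to judge whether a single upgrade resolves both exposures.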

Examples

The analysis must take into account factors such as the vulnerability type, the available budget, and how frequently the dependency is updated.
