Software Composition Analysis

From wikipedia:

SCA products typically work as follows:

  • An engine scans the software source code, and the associated artifacts used to compile a software application.
  • The engine identifies the OSS components and their versions and usually stores this information in a database, creating a catalog of OSS in use in the scanned application.
  • This catalog is then compared to databases referencing known security vulnerabilities for each component, the licensing requirements for using the component, and the historical versions of the component. For security vulnerability detection, this comparison is typically made against known security vulnerabilities (CVEs) that are tracked in the National Vulnerability Database (NVD). Some products use an additional proprietary database of vulnerabilities. For IP / Legal Compliance, SCA products will extract and evaluate the type of licensing used for the OSS component. Versions of components are extracted from popular open source repositories such as GitHub, Maven, PyPi, NuGet, and many others.
  • The results are then made available to end users using different digital formats. The content and format depend on the SCA product and may include guidance to evaluate and interpret the risk, and recommendations, especially when it concerns the legal requirements of open source components such as strong or weak copyleft licensing. The output may also contain a Software Bill of Materials (SBOM) detailing all the open source components and associated attributes used in a software application.
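A toy version of that four-step pipeline, added here as an illustration and not taken from Wikipedia or from any SCA product: it scans a constructed requirements.txt, builds the component catalog, compares it against a constructed advisory feed (the advisory ids are placeholders, not real CVEs), and emits a minimal purl-based SBOM.

```python
import re

# Constructed sample manifest in pinned requirements.txt style (not from any real project).
REQUIREMENTS = """\
requests==2.19.1
urllib3==1.24.1   # transitive dependency, pinned by the lock step
Flask==2.3.2
pyyaml==5.1
"""

# Constructed vulnerability feed: package -> list of (fixed_in, advisory id).
# Real SCA tools pull this from NVD or a vendor database; these entries are placeholders.
VULN_DB = {
    "urllib3": [("1.24.2", "EXAMPLE-ADV-0001")],
    "pyyaml": [("5.4", "EXAMPLE-ADV-0002")],
    "flask": [("0.12.3", "EXAMPLE-ADV-0003")],  # already fixed in 2.3.2, must not match
}

def version_key(version):
    """Turn '1.24.1' into (1, 24, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def parse_requirements(text):
    """Steps 1 and 2: scan the manifest and build a catalog of components and versions."""
    catalog = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        match = re.match(r"([A-Za-z0-9_.\-]+)==([0-9][0-9.]*)$", line)
        if match:
            catalog[match.group(1).lower()] = match.group(2)  # PyPI names are case-insensitive
    return catalog

def find_vulnerabilities(catalog, vuln_db):
    """Step 3: compare the catalog against the vulnerability feed."""
    findings = []
    for name, version in catalog.items():
        for fixed_in, advisory in vuln_db.get(name, []):
            if version_key(version) < version_key(fixed_in):
                findings.append({"package": name, "version": version,
                                 "fixed_in": fixed_in, "advisory": advisory})
    return findings

def build_sbom(catalog):
    """Step 4: emit a minimal SBOM-style component list using package URLs (purl)."""
    return [{"name": n, "version": v, "purl": f"pkg:pypi/{n}@{v}"} for n, v in catalog.items()]

if __name__ == "__main__":
    cat = parse_requirements(REQUIREMENTS)
    for f in find_vulnerabilities(cat, VULN_DB):
        print(f"{f['package']}=={f['version']} affected by {f['advisory']}, fixed in {f['fixed_in']}")
    print(build_sbom(cat))
```

The numeric version comparison matters: a lexical comparison would rank 1.24.10 below 1.24.9 and silently miss or invent findings.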

SCA Strengths and Weaknesses

📖 Wikipedia - SCA strengths, SCA weaknesses

  • ✅ Automatic scanning
  • ✅ Little work required from developers
  • ❌ Complex and labor-intensive deployment; work required from the DevOps team
  • ❌ Each product uses its own proprietary database of OSS components, which can vary in size and coverage
  • ❌ Legal analysis of OSS license requirements is not easy to automate; it is usually better to ask the legal team or to engage a legal consultant
  • ❌ Lack of automated guidance on which actions to take based on SCA reports and data

See also