SCA — Software Composition Analysis

What is SCA?

Software composition analysis (SCA) is an automated process that identifies open-source software in a codebase. This analysis is performed to evaluate security, license compliance, and code quality.

In a modern DevOps or DevSecOps environment, SCA has galvanized the “shift left” paradigm. Earlier and continuous SCA testing has enabled developers and security teams to drive productivity without compromising security and quality.

How do SCA works?

SCA tools inspect package managers, manifest files, source code, binary files, container images, and more. The identified open-source dependencies are compiled into a Bill of Materials (BOM). This BOM is then compared against a variety of databases (NVD, CWE, etc.) to discover licenses associated with the code and analyze overall code quality (version control, history of contributions, and so on). By comparing the BOM against a database, security teams can identify critical security and legal vulnerabilities and act quickly to fix them.

Why is Software Composition Analysis critical?

SCA’s value is the security, speed, and reliability it offers. Due to rapid development, manual tracking of open source code is no longer sufficient; it simply can’t keep up with the sheer amount of open source. And the increasing prevalence of cloud-native applications and more complex applications make robust and dependable SCA tools necessary.

As development speeds skyrocket due to the adoption of Agile and DevOps methodologies, organizations need security solutions that can maintain development velocity. Automated SCA tools do just that.

Why SCA Should Be Part of Your Application Security Portfolio

Open source components have become the primary building block in software applications across all verticals. Yet, despite the heavy reliance on open source, too many organizations are lax about ensuring that their open source components meet basic security standards and are compliant with licensing requirements.

How to execute SCA on your project?

There are many ways and tools available in the market to execute SCA on the project repositories. Many SCM tools also incorporated SCA as a feature in their product itself. GitLab as SCA execution feature added in Auto DevOps with limited features set.

As far as I know, there are minimal open-source tools available in the market providing SCA for project repositories. OWASP Foundation provides Dependency-Check plugins for various tools like SonarQube, Maven, Gradle, etc.

Dependency-Check Maven plugin (Maven 3.1 or newer required)

1. dependency-check-maven is a Maven Plugin that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project’s dependencies. The plugin will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.
2. Open pom.xml in your project and add the below snippet to enable dependency-check for your maven project.

<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>6.1.6</version>
<executions>
<execution>
<goals>
<goal>check</goal>
</goals>
</execution>
</executions>
</plugin>

For more examples, you can refer Dependency-Check Maven Plugin GitHub page.

1. Once you added the above snippet, execute a command as mvn dependency-check:aggregate
2. It will take around 5 to 1o mins or more as it downloads and processes the National Vulnerability Database (NVD) data hosted by NIST: https://nvd.nist.gov.
3. It will generate a dependency-check-report.html inside the target folder.

In the same way, you can also check different modules of this dependency-check plugin here.

For more information, you can visit the Dependency-Check page.

Thanks, Deepak Naik for your guidance and review.