SCA — Software Composition Analysis

What is SCA?

Software composition analysis (SCA) is an automated process that identifies open-source software in a codebase. This analysis is performed to evaluate security, license compliance, and code quality.

How do SCA works?

SCA tools inspect package managers, manifest files, source code, binary files, container images, and more. The identified open-source dependencies are compiled into a Bill of Materials (BOM). This BOM is then compared against a variety of databases (NVD, CWE, etc.) to discover licenses associated with the code and analyze overall code quality (version control, history of contributions, and so on). By comparing the BOM against a database, security teams can identify critical security and legal vulnerabilities and act quickly to fix them.

Why is Software Composition Analysis critical?

SCA’s value is the security, speed, and reliability it offers. Due to rapid development, manual tracking of open source code is no longer sufficient; it simply can’t keep up with the sheer amount of open source. And the increasing prevalence of cloud-native applications and more complex applications make robust and dependable SCA tools necessary.

Why SCA Should Be Part of Your Application Security Portfolio

Open source components have become the primary building block in software applications across all verticals. Yet, despite the heavy reliance on open source, too many organizations are lax about ensuring that their open source components meet basic security standards and are compliant with licensing requirements.

How to execute SCA on your project?

There are many ways and tools available in the market to execute SCA on the project repositories. Many SCM tools also incorporated SCA as a feature in their product itself. GitLab as SCA execution feature added in Auto DevOps with limited features set.

Dependency-Check Maven plugin (Maven 3.1 or newer required)

  1. dependency-check-maven is a Maven Plugin that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project’s dependencies. The plugin will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.
  2. Open pom.xml in your project and add the below snippet to enable dependency-check for your maven project.
  1. It will take around 5 to 1o mins or more as it downloads and processes the National Vulnerability Database (NVD) data hosted by NIST:
  2. It will generate a dependency-check-report.html inside the target folder.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Anand Varne

DevOps enthusiastic | DevOps Lead | GitOps | CI / CD | Process Automation | Developer | Git | Jenkins | Docker | Ubuntu | Shell / Bash