Software Composition Analysis (SCA) is the process of analysing an application to detect the third-party libraries statically linked into it. It is mostly used to detect and fix security flaws in these embedded code bases/libraries, but it can also be used to detect illegal and outdated code. Continuous SCA testing helps developers and security teams stay productive without compromising the security of the application.
SCA is mostly automated by the use of tools. They work by looking at various sources of information, including source code, manifest files, package manager metadata, container images and sometimes binary files. Once a list of libraries/third-party code is obtained, it is used to generate a Software Bill of Materials (SBOM). This is then compared against openly available security databases such as the NVD to generate security alerts for the scanned application in question.
SCA tools can also generate license information, which can be part of the SBOM.
SCA processes are often used by customers/consumers because they are not sure what open source code is contained in the products they buy from application developers. However, using SCA within the software development process itself can add a lot of value. Consider, for example, a team of developers working on a project. Due to the open source nature of the work, developers will often take code, or even complete codebases, from other open source projects (in compliance with their licenses, of course). This is how open source software is developed! It can, however, create security risks for customers: when a serious security flaw is found in that borrowed codebase, no one knows whether your application uses it in a vulnerable way. This is where SCA can help and add value to your final product.
A “software bill of materials” (SBOM) has emerged as a key building block in software security and software supply chain risk management. An SBOM is a nested inventory, a list of the ingredients that make up software components. As mentioned above, it may contain a list of components, their licenses, and version information.
The term comes from the manufacturing industry, where a Bill of Materials is an inventory detailing all the items included in a product. For each product, the manufacturer knows what it is made of, where each part was sourced from and other details of the part. So when a fault is found in one of the parts, the manufacturer knows exactly which products are affected and need to be replaced.
Several formats are currently in use, including SPDX, SWID and CycloneDX.
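To make the SCA process described above concrete (manifest in, SBOM out, then a comparison against a vulnerability database) and to show what the SBOM fields just listed look like in the CycloneDX style, here is an added example written for this article; it is not code from any SCA product or from the CycloneDX project. The manifest, the license table and the advisory feed are all constructed inline for the example: the advisory identifiers, affected ranges and licenses are placeholders, not real advisories or real package metadata, and the `example:` property names are invented for this illustration.

```python
import json
import re

# Constructed sample manifest in requirements.txt form; not taken from any real project.
MANIFEST = """\
# web client and helpers
requests==2.19.1
urllib3==1.24.1
pyyaml==5.3.1   # config loader
jinja2>=2.11.3
"""

# Constructed license data standing in for the package-manager metadata an SCA tool reads.
PACKAGE_LICENSES = {
    "requests": "Apache-2.0",
    "urllib3": "MIT",
    "pyyaml": "MIT",
    "jinja2": "BSD-3-Clause",
}

# Constructed advisory feed in the shape of a range-based vulnerability database.
# A component is affected when introduced <= version < fixed. The identifiers and
# ranges are placeholders for the example, not real advisories.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "urllib3", "introduced": "1.0", "fixed": "1.24.2"},
    {"id": "ADV-EXAMPLE-0002", "package": "pyyaml", "introduced": "0", "fixed": "5.4"},
    {"id": "ADV-EXAMPLE-0003", "package": "requests", "introduced": "2.20.0", "fixed": "2.21.0"},
]

REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?$")


def version_key(version):
    """Turn a dotted version into a tuple so ranges compare numerically, not as strings."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def parse_manifest(text):
    """Extract (name, operator, version) triples from a requirements.txt style manifest."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        match = REQ_LINE.match(line)
        if not match:
            raise ValueError(f"unparsed requirement line: {raw!r}")
        name, op, version = match.groups()
        components.append({"name": name.lower(), "operator": op, "version": version})
    return components


def build_sbom(components):
    """Assemble a CycloneDX-style SBOM dict: name, version, purl and license per component."""
    bom_components = []
    for comp in components:
        pinned = comp["operator"] == "=="
        entry = {
            "type": "library",
            "name": comp["name"],
            # Only an exact pin gives a version the SBOM can vouch for; a range is
            # recorded as a property so the gap is visible instead of silently guessed.
            "version": comp["version"] if pinned else None,
            "purl": f"pkg:pypi/{comp['name']}@{comp['version']}" if pinned else None,
            "licenses": [{"license": {"id": PACKAGE_LICENSES.get(comp["name"], "NOASSERTION")}}],
            "properties": [{"name": "example:pinned", "value": str(pinned).lower()}],
        }
        if not pinned:
            entry["properties"].append({"name": "example:spec", "value": f"{comp['operator']}{comp['version']}"})
        bom_components.append(entry)
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": bom_components}


def find_vulnerabilities(sbom, advisories):
    """Match each pinned SBOM component against the advisory ranges; unpinned ones are reported separately."""
    alerts, unresolved = [], []
    for comp in sbom["components"]:
        if comp["version"] is None:
            unresolved.append(comp["name"])
            continue
        key = version_key(comp["version"])
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if version_key(adv["introduced"]) <= key < version_key(adv["fixed"]):
                alerts.append({"id": adv["id"], "package": comp["name"],
                               "version": comp["version"], "fixed": adv["fixed"]})
    return alerts, unresolved


def run():
    """Full pipeline: manifest -> SBOM -> alerts plus the components that could not be checked."""
    sbom = build_sbom(parse_manifest(MANIFEST))
    alerts, unresolved = find_vulnerabilities(sbom, ADVISORIES)
    return sbom, alerts, unresolved


if __name__ == "__main__":
    sbom, alerts, unresolved = run()
    print(json.dumps(sbom, indent=2))
    for a in alerts:
        print(f"ALERT {a['id']}: {a['package']} {a['version']} (fixed in {a['fixed']})")
    for name in unresolved:
        print(f"UNRESOLVED {name}: version not pinned, resolve from a lockfile before scanning")
```

Two details matter for a real scan. Versions are compared as numeric tuples rather than strings, because a string comparison would put "1.24.10" before "1.24.2" and miss affected versions. And a dependency declared as a range (`jinja2>=2.11.3` here) is reported as unresolved rather than scored, since the SBOM can only vouch for a version that the build actually resolved, which is why SCA tools prefer lockfiles and installed-package metadata over loose manifests.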
SCA is an important tool, best suited to complex projects or offerings made up of many third-party components. When used correctly, it keeps track of security flaws in your software dependencies.