Overview

Modern applications are built using a large number of open-source components. SCA tools scan an application's manifest files (e.g., package.json, pom.xml) to create an inventory of all dependencies and check them against databases of known vulnerabilities (like the NVD).

Key Functions

  • Vulnerability Detection: Identifying components with known CVEs.
  • License Compliance: Ensuring that the open-source licenses are compatible with the organization's policies.
  • Dependency Mapping: Identifying transitive dependencies (libraries used by your libraries).
  • Remediation Guidance: Suggesting updated versions of components that fix identified flaws.
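The four functions above, reduced to a small working model (an added illustration, not code from any SCA product): a constructed package.json is parsed, a constructed resolved-dependency graph stands in for the lockfile, every transitive package is walked and recorded with the path that pulled it in, and each entry is matched against constructed advisory records whose identifiers are placeholders rather than real CVEs. Package names and versions are invented for the example.

```python
import json

# Constructed sample manifest (package.json contents) for a hypothetical app.
MANIFEST = json.loads('{"name": "demo-app", "dependencies": {"web-framework": "2.1.0"}}')

# Constructed resolved dependency graph, playing the role of a lockfile:
# package name -> (pinned version, names of the packages it depends on).
RESOLVED = {
    "web-framework": ("2.1.0", ["template-lib", "log-util"]),
    "template-lib": ("1.4.2", ["log-util"]),
    "log-util": ("3.0.1", []),
}

# Constructed advisory records standing in for an NVD-style feed; ids are placeholders.
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-1", "package": "template-lib",
     "affected_below": "1.4.5", "fixed_in": "1.4.5"},
    {"id": "CVE-PLACEHOLDER-2", "package": "log-util",
     "affected_below": "2.9.0", "fixed_in": "2.9.0"},
]

def parse_version(v: str) -> tuple:
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in v.split("."))

def build_inventory(manifest: dict, graph: dict) -> list:
    """Dependency mapping: walk from the manifest's direct dependencies and record
    every package reached (transitive ones included) with the path that pulled it in."""
    inventory, seen = [], set()
    stack = [(name, (name,)) for name in manifest["dependencies"]]
    while stack:
        name, path = stack.pop()
        if name in seen:          # each package is recorded once, on its first path
            continue
        seen.add(name)
        version, deps = graph[name]
        inventory.append({"package": name, "version": version, "path": path})
        stack.extend((dep, path + (dep,)) for dep in deps)
    return inventory

def find_vulnerable(inventory: list, advisories: list) -> list:
    """Vulnerability detection plus remediation guidance: flag affected versions and attach the fix."""
    findings = []
    for entry in inventory:
        for adv in advisories:
            if adv["package"] == entry["package"] and \
               parse_version(entry["version"]) < parse_version(adv["affected_below"]):
                findings.append({**entry, "advisory": adv["id"], "fix": adv["fixed_in"]})
    return findings
```

Running `find_vulnerable(build_inventory(MANIFEST, RESOLVED), ADVISORIES)` reports only template-lib, reached via web-framework, with 1.4.5 as the suggested upgrade; log-util is present but already past its fixed version.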

Importance

With the rise of supply chain attacks, SCA is critical for ensuring that the 'building blocks' of your application are secure.

Related Terms