About Software Composition Analysis (SCA)
Software Composition Analysis (SCA) identifies and examines the open-source packages within your codebase to detect known security vulnerabilities. SCA can analyze both individual source code files and package manager artifacts, such as configuration files and lockfiles, to determine which open-source packages your project depends on.
SCA, also referred to as open source testing, aggregates information from a variety of sources and monitors continuously for new vulnerabilities in an automated process. SCA technology is used across the software supply chain to identify the open-source and third-party components in use in an organization, along with their known security vulnerabilities and license restrictions. SCA detects and extracts third-party components, provides detailed license information, finds known vulnerabilities, and offers actionable fixes.
SCA sources include the most widely used security vulnerability databases (NVD, the GitHub Advisory Database, Microsoft MSRC) and a wide range of lesser-known security advisories and open source project issue trackers. The SCA vulnerability data is updated daily.
- Locates open source packages in your code. To ensure that ASoC collects only data for open source testing, use the appscan prepare_sca command (not available from Eclipse).
- Identifies open source packages known to be vulnerable.
- Suggests remediation for the vulnerable packages.
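The three steps above, as an added illustrative example (this is not ASoC code and does not reproduce the product's engine): a Python script that inventories dependencies from a constructed package-lock.json and requirements.txt, matches each pinned version against a constructed advisory table, and reports the fixed version as the remediation. The package names (acme-*) and advisory IDs (ADV-000x) are fictional, and the affected range is assumed to be [introduced, fixed). The ecosystem check shows why a package name alone is not enough to match an advisory: the npm and PyPI packages named acme-log are unrelated.

```python
"""Minimal SCA-style dependency inventory and advisory match.

Added example, not ASoC code. The lockfile, requirements file and advisory
table below are constructed for illustration; package names and advisory
IDs are fictional.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed npm lockfile (package-lock.json v2/v3 "packages" layout),
# including one nested (transitive) dependency.
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/acme-http": {"version": "2.3.1"},
        "node_modules/acme-http/node_modules/acme-util": {"version": "0.9.0"},
        "node_modules/acme-log": {"version": "4.1.0"},
    },
})

# Constructed pip requirements file with pinned versions.
SAMPLE_REQUIREMENTS = """\
# pinned by pip-compile
acme-parse==1.2.0
acme-crypto==3.0.5
acme-log==4.1.0   # same name as the npm package above; different ecosystem
"""

# Constructed advisory feed: (ecosystem, package, introduced, fixed, id).
# Assumed affected range is [introduced, fixed); fixed is the upgrade target.
SAMPLE_ADVISORIES = [
    ("npm", "acme-http", "2.0.0", "2.3.2", "ADV-0001"),
    ("npm", "acme-util", "0.0.0", "1.0.0", "ADV-0002"),
    ("pypi", "acme-crypto", "3.0.0", "3.0.6", "ADV-0003"),
    ("pypi", "acme-log", "4.0.0", "4.2.0", "ADV-0004"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.1' into (2, 3, 1); non-numeric labels (rc, post) are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_package_lock(text: str) -> List[Tuple[str, str, str]]:
    """Extract (ecosystem, name, version) from a package-lock.json v2/v3 document.
    Nested node_modules paths are handled: the name is the last path segment."""
    data = json.loads(text)
    deps = []
    for path, meta in data.get("packages", {}).items():
        if path == "":
            continue  # the root project itself, not a dependency
        name = path.split("node_modules/")[-1]
        deps.append(("npm", name, meta["version"]))
    return deps


def parse_requirements(text: str) -> List[Tuple[str, str, str]]:
    """Extract pinned (ecosystem, name, version) entries from requirements.txt.
    Comments and unpinned lines are skipped: without an exact version there is
    nothing to compare against an advisory range."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([0-9][0-9A-Za-z.]*)$", line)
        if m:
            deps.append(("pypi", m.group(1).lower(), m.group(2)))
    return deps


def match_advisories(deps, advisories=SAMPLE_ADVISORIES) -> List[Dict[str, str]]:
    """Report each dependency whose version falls inside an advisory's range.
    Ecosystem and name must both match; the name alone is not an identity."""
    findings = []
    for eco, name, version in deps:
        v = parse_version(version)
        for adv_eco, adv_name, introduced, fixed, adv_id in advisories:
            if (adv_eco, adv_name) != (eco, name):
                continue
            if parse_version(introduced) <= v < parse_version(fixed):
                findings.append({"ecosystem": eco, "package": name,
                                 "version": version, "advisory": adv_id,
                                 "fix": f"upgrade to >= {fixed}"})
    return findings


def scan(lock_text=SAMPLE_PACKAGE_LOCK, req_text=SAMPLE_REQUIREMENTS):
    """Locate packages, identify vulnerable ones, suggest the fixed version."""
    deps = parse_package_lock(lock_text) + parse_requirements(req_text)
    return match_advisories(deps)


if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

Running the script reports four findings: the npm packages acme-http and acme-util (the latter only reachable as a transitive dependency, which is why lockfiles rather than manifests are the right input) and the PyPI packages acme-crypto and acme-log. The npm acme-log 4.1.0 is not reported even though a PyPI advisory covers that version, because the ecosystems differ. A real SCA feed would also carry version semantics that a plain numeric tuple cannot express (pre-release tags, epoch numbers), which is the main simplification here.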