About Software Composition Analysis (SCA)

Software Composition Analysis (SCA) identifies and examines open-source packages within your codebase to detect potential security vulnerabilities. SCA can analyze both individual source code files and package manager artifacts, such as configuration files and lockfiles, to determine the open-source packages your project depends on.

SCA, also referred to as open source testing, aggregates information from a variety of sources and constantly monitors for new vulnerabilities in an automated process. Software Composition Analysis (SCA) technology is used throughout the supply chain to identify the open-source and third-party components in use in the organization, together with their known security vulnerabilities and license limitations. SCA can detect and extract third-party components, provide detailed license information, find known vulnerabilities, and offer actionable fixes.

SCA sources include the most popular security vulnerability databases (NVD, GitHub Advisory, Microsoft MSRC) and a wide range of lesser-known security advisories and open-source project issue trackers. SCA data is updated daily.
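To make the process described above concrete, the following added example (not ASoC code) shows the core of an SCA pass: it parses a constructed npm package-lock.json, including nested transitive dependencies, matches each package version against a constructed advisory feed with placeholder identifiers, and flags licenses that a hypothetical policy denies.

```python
import json

# Constructed package-lock.json (v2/v3 layout); not from any real project.
LOCKFILE = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad-ish": {"version": "1.1.3", "license": "MIT"},
        "node_modules/yaml-ish": {"version": "2.0.1", "license": "ISC"},
        "node_modules/yaml-ish/node_modules/dep-ish": {"version": "0.9.0", "license": "GPL-3.0"},
    },
})

# Constructed advisory feed with placeholder ids. A real SCA tool aggregates
# feeds such as NVD, GitHub Advisory and MSRC and refreshes them daily.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "left-pad-ish", "vulnerable_below": "1.2.0", "fixed_in": "1.2.0"},
    {"id": "ADV-EXAMPLE-002", "package": "dep-ish", "vulnerable_below": "1.0.0", "fixed_in": "1.0.0"},
]

def parse_version(v):
    """Turn a dotted numeric version into a tuple so versions compare correctly."""
    return tuple(int(p) for p in v.split("."))

def extract_packages(lockfile_text):
    """List (name, version, license) for every installed package, nested ones
    included; the package name is the path after the last node_modules/ segment."""
    pkgs = []
    for path, meta in json.loads(lockfile_text)["packages"].items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = path.split("node_modules/")[-1]
        pkgs.append((name, meta["version"], meta.get("license", "UNKNOWN")))
    return pkgs

def scan(lockfile_text, advisories, denied_licenses=("GPL-3.0",)):
    """Return (package, version, finding id, remediation) for each vulnerable
    version and for each license the (hypothetical) policy does not permit."""
    findings = []
    for name, version, lic in extract_packages(lockfile_text):
        for adv in advisories:
            if adv["package"] == name and parse_version(version) < parse_version(adv["vulnerable_below"]):
                findings.append((name, version, adv["id"], f"upgrade to {adv['fixed_in']}"))
        if lic in denied_licenses:
            findings.append((name, version, "LICENSE", f"{lic} not permitted by policy"))
    return findings

if __name__ == "__main__":
    for finding in scan(LOCKFILE, ADVISORIES):
        print(" | ".join(finding))
```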

SCA requires a specific ASoC Software Composition Analyzer subscription. When you have a valid subscription, open source testing runs as a stand-alone scan or is automatically included in static analysis scans when static analysis entitlements also exist. SCA does the following:
  • Locates open source packages in your code. To ensure that ASoC collects only data for open source testing, use the appscan prepare_sca command (not available from Eclipse).
  • Identifies open source packages known to be vulnerable.
  • Suggests remediation for the vulnerable packages.
Results are included in Static Analysis or Open Source reports and in your ASoC portal.