About Software Composition Analysis (SCA)
Software Composition Analysis (SCA) locates and analyzes open source and third-party packages used by your code.
SCA, also referred to as open source testing, aggregates information from a variety of sources and continuously monitors for newly disclosed vulnerabilities in an automated process. SCA technology is used throughout the software supply chain to identify the open source and third-party components in use across the organization, together with their known security vulnerabilities and license limitations, including open source libraries suspected of being malware. SCA detects and extracts third-party components, provides detailed license information, finds known vulnerabilities, and offers actionable fixes.
SCA sources include the most popular security vulnerability databases (NVD, the GitHub Advisory Database, Microsoft MSRC) and a wide range of lesser-known security advisories and open source project issue trackers. The SCA vulnerability data is updated daily.
- Locates open source packages in your code. To ensure that ASoC collects only data for open source testing, use the `appscan prepare_sca` command (not available from Eclipse).
- Identifies open source packages known to be vulnerable.
- Suggests remediation for the vulnerable packages.
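The three steps above (locate components, match them against advisory data, suggest a fix) can be illustrated with a small matcher. The following is an added example written for this page; it is not AppScan's or ASoC's implementation, and the requirements file, the advisory entries (IDs `EXAMPLE-000x`), the version ranges and the function names are all constructed for illustration. It reads a pip `requirements.txt`, extracts the pinned components, compares each version against a tiny advisory feed with introduced/fixed ranges, and reports the upgrade that clears each finding. It also shows the caveat a practitioner runs into first: a component whose version is not pinned or locked cannot be matched at all.

```python
"""Toy SCA matcher (added example; not AppScan's code).

Components are extracted from a constructed requirements.txt and matched
against a constructed advisory feed. Real SCA tools aggregate this feed from
NVD, the GitHub Advisory Database, vendor advisories and project trackers.
"""
import re

# Constructed sample manifest (pip requirements.txt format).
SAMPLE_REQUIREMENTS = """\
# web app dependencies (constructed sample)
requests==2.19.1
flask==2.3.2
PyYAML==5.3.1
urllib3>=1.26  # not pinned: version is unknown until a lock file resolves it
"""

# Constructed advisory feed. IDs and ranges are made up for this example.
# 'introduced' is inclusive, 'fixed' is exclusive, like OSV-style ranges.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "requests", "introduced": "0",
     "fixed": "2.20.0", "severity": "MODERATE"},
    {"id": "EXAMPLE-0002", "package": "pyyaml", "introduced": "0",
     "fixed": "5.4", "severity": "CRITICAL"},
    {"id": "EXAMPLE-0003", "package": "flask", "introduced": "0",
     "fixed": "2.2.5", "severity": "HIGH"},  # already fixed in 2.3.2
]

_REQ_LINE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?"
)


def normalize_name(name):
    """PEP 503-style normalization so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v):
    """'5.3.1' -> (5, 3, 1). Non-numeric parts become 0 and trailing zeros are
    dropped so that '5.4' and '5.4.0' compare equal."""
    parts = [int(p) if p.isdigit() else 0 for p in v.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirements(text):
    """Extract components. Only an '==' pin yields a version that can be
    matched; any other specifier is recorded with version None."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = _REQ_LINE.match(line)
        if not m:
            continue
        name, op, ver = m.groups()
        components.append({"name": normalize_name(name),
                           "version": ver if op == "==" else None})
    return components


def is_affected(version, advisory):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def scan(requirements_text, advisories):
    """Return vulnerable components with a remediation, plus the components
    whose version could not be determined from the manifest."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(normalize_name(adv["package"]), []).append(adv)
    vulnerable, unresolved = [], []
    for comp in parse_requirements(requirements_text):
        if comp["version"] is None:
            unresolved.append(comp["name"])
            continue
        for adv in by_package.get(comp["name"], []):
            if is_affected(comp["version"], adv):
                vulnerable.append({
                    "package": comp["name"], "version": comp["version"],
                    "advisory": adv["id"], "severity": adv["severity"],
                    "remediation": f"upgrade to >= {adv['fixed']}",
                })
    return {"vulnerable": vulnerable, "unresolved": unresolved}


if __name__ == "__main__":
    result = scan(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES)
    for f in result["vulnerable"]:
        print(f"{f['severity']:8} {f['package']}=={f['version']}  "
              f"{f['advisory']}  {f['remediation']}")
    for name in result["unresolved"]:
        print(f"UNRESOLVED {name}: pin or lock the version so SCA can match it")
```

Running it flags `requests` and `PyYAML`, leaves `flask` alone because its pinned version is already past the fix, and reports `urllib3` as unresolved. That last case is why `appscan prepare_sca` is run against a project with resolved dependencies (lock files, built artifacts) rather than a loose manifest: without a concrete version there is nothing to match against an advisory range.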