
Software Composition Analysis (SCA)
Software composition analysis is a process that can determine all underlying components of software and identify at least the publicly known (open-source) components. A well-defined process is consistent, automated, and measurable. This analysis provides visibility into the components and libraries being incorporated into the software that development teams create.
Developers often choose open-source or free libraries and components in the course of development. These choices are not always surfaced and can leave software exposed to vulnerabilities. If/when components are chosen for use, not only must they be disclosed in an SBOM, but there are certain standards which dictate the cadence at which they must be kept up-to-date. Without this identification and disclosure, the organization can be left at risk and subject to fines.
NOTE: Many relate SCA only to OSS. In actuality, to be comprehensive, this analysis should encompass all aspects and components that compose a piece of software.
Results are provided in reports and dashboards, and can be integrated with other tools.
The information includes the name of each component, the version in use and its date of publication, the current version available and its date of publication, vulnerabilities in either version, and warnings or caveats related to the language or framework of the software package as a whole.
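The following is an added example (not part of the original page and not any vendor's SCA tool) showing what an automated, measurable SCA pass produces from the fields listed above. It reads a constructed CycloneDX-style SBOM fragment, looks each component up in a constructed stand-in for a package index and an advisory feed, and emits per-component findings: version in use and its publication date, latest available version and its date, vulnerabilities in either, how far behind the in-use release is, and whether the component could be resolved at all. Every component name, version, date, advisory identifier and the 365-day update cadence are assumptions made for the example.

```python
"""Toy software composition analysis (SCA) pass over a constructed SBOM.

Added illustration only; not a real SCA tool. Every component name, version,
date and advisory identifier below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional
import json

# Constructed CycloneDX-style SBOM fragment listing the components in use.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "examplelib",   "version": "1.2.0"},
    {"type": "library", "name": "fastparse",    "version": "3.0.1"},
    {"type": "library", "name": "oldcrypto",    "version": "0.9.0"},
    {"type": "library", "name": "internalutil", "version": "2.0.0"}
  ]
}"""

# Constructed stand-in for a package index: latest release and publication dates.
PACKAGE_INDEX = {
    "examplelib": {"latest": "1.4.0",
                   "published": {"1.2.0": date(2022, 3, 1), "1.4.0": date(2023, 9, 15)}},
    "fastparse":  {"latest": "3.0.1",
                   "published": {"3.0.1": date(2023, 11, 2)}},
    "oldcrypto":  {"latest": "1.1.0",
                   "published": {"0.9.0": date(2019, 6, 30), "1.1.0": date(2021, 1, 10)}},
}

# Constructed advisory feed; "fixed": None means no fixed release exists yet.
ADVISORIES = [
    {"name": "examplelib", "introduced": "1.0.0", "fixed": "1.3.0", "id": "ADV-SAMPLE-0001"},
    {"name": "oldcrypto",  "introduced": "0.0.0", "fixed": None,    "id": "ADV-SAMPLE-0002"},
]


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> comparable tuple (sufficient for this sample data)."""
    return tuple(int(part) for part in v.split("."))


def advisories_for(name: str, version: str, advisories) -> list:
    """IDs of advisories whose [introduced, fixed) range covers this version."""
    hits = []
    pv = parse_version(version)
    for adv in advisories:
        if adv["name"] != name or pv < parse_version(adv["introduced"]):
            continue
        if adv["fixed"] is None or pv < parse_version(adv["fixed"]):
            hits.append(adv["id"])
    return hits


@dataclass
class ComponentFinding:
    name: str
    version_in_use: str
    published_in_use: Optional[date]
    latest_version: Optional[str]
    published_latest: Optional[date]
    vulns_in_use: list
    vulns_in_latest: list
    lag_days: Optional[int]   # age of the in-use release relative to the latest release
    resolved: bool            # False when no index we consulted knows the component


def analyze(sbom_json: str, index, advisories) -> list:
    """Produce one finding per SBOM component: the fields an SCA report carries."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom["components"]:
        name, ver = comp["name"], comp["version"]
        entry = index.get(name)
        if entry is None:  # not publicly known: report it rather than silently drop it
            findings.append(ComponentFinding(name, ver, None, None, None,
                                             advisories_for(name, ver, advisories),
                                             [], None, False))
            continue
        latest = entry["latest"]
        pub_use = entry["published"].get(ver)
        pub_latest = entry["published"].get(latest)
        lag = (pub_latest - pub_use).days if pub_use and pub_latest else None
        findings.append(ComponentFinding(
            name, ver, pub_use, latest, pub_latest,
            advisories_for(name, ver, advisories),
            advisories_for(name, latest, advisories),
            lag, True))
    return findings


def policy_violations(findings, max_lag_days: int) -> list:
    """Components that are vulnerable in use, unresolved, or older than the update cadence allows."""
    return [f.name for f in findings
            if f.vulns_in_use or not f.resolved
            or (f.lag_days is not None and f.lag_days > max_lag_days)]


if __name__ == "__main__":
    results = analyze(SBOM_JSON, PACKAGE_INDEX, ADVISORIES)
    for f in results:
        print(f"{f.name:<13} in use {f.version_in_use} ({f.published_in_use}) "
              f"latest {f.latest_version} ({f.published_latest}) "
              f"vulns in use {f.vulns_in_use} vulns in latest {f.vulns_in_latest} "
              f"lag {f.lag_days} days resolved={f.resolved}")
    print("policy violations (365-day cadence):", policy_violations(results, 365))
```

Two design points worth noting: a component that is absent from every index is still reported (as unresolved) rather than dropped, because an SBOM that silently omits such components is the gap the text warns about; and vulnerabilities are evaluated for the latest release as well as the one in use, so the report distinguishes "upgrade fixes this" from "no fixed release exists yet".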
While somewhat independent in nature, both SCA and ASV are segments of the application security testing (AST) market.