Software Composition Analysis (SCA)

Definition

A category of security tooling that scans source code, build manifests, and container images to identify open-source and third-party components, match them against vulnerability databases (CVE, OSV, GHSA), and flag licence compliance issues. SCA is the primary automated control for supply-chain dependency risk.

Related terms

Dependency confusion
An attack technique in which an attacker publishes a public package with the same name as an organisation's internal private package at...
NIST SP 800-161r1
The US National Institute of Standards and Technology publication 'Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations' (Revision 1, 2022)....
Software Bill of Materials (SBOM)
A structured, machine-readable inventory of the software components in a product or system. Captures component names, versions, licences, and dependency relationships. Standard...
Transitive dependency
A software library that an application does not import directly but is pulled in automatically because a direct dependency requires it. Transitive...
Vendor due diligence
The pre-procurement and ongoing process of assessing a supplier's security practices before and during a commercial relationship. In supply-chain risk management, due...