A Software Composition Analysis (SCA) tool is an application that inspects and analyzes the open source packages used in software development projects. Open source packages and libraries can contain vulnerabilities that may allow attackers to gain unauthorized access to your application, or even your network. When flaws in open source code are identified, they are reported to databases such as the National Vulnerability Database (NVD) and the GitHub Advisory Database. SCA tools scan your packages and libraries and compare them against the advisories published in the NVD and the GitHub Advisory Database. The tool then produces a report of any vulnerabilities found within your projects.

Not knowing what is in your projects' open source code can hurt you and your users, and you can't fix vulnerabilities that you don't know about. SCA tools are crucial for every developer: they make it possible to find and remediate existing vulnerabilities before they are deployed, so that they are never exploited.

The SOOS SCA tool provides a single dashboard to manage your open source packages and libraries, including a deep dependency tree vulnerability scan of your open source packages to mitigate security risks. SOOS SCA management also includes an analysis of the open source licenses for every package in your project/manifest.
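To make the two mechanisms above concrete, here is an added example (written for this page, not SOOS code and not the scanning logic SOOS actually uses) of the core of an SCA check: walk a dependency tree, including transitive dependencies, match each package's version against advisory version ranges, and flag licenses outside an allowlist. The package names, versions, advisory IDs and license set are all constructed placeholders, not real advisories; a real tool would pull this data from the NVD and GitHub Advisory Database feeds.

```python
"""Toy SCA matcher: dependency-tree walk + advisory range matching + license check."""
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple:
    """Split '1.10.0' into (1, 10, 0) so versions compare numerically.
    Comparing as strings would wrongly put '1.10.0' before '1.4.2'."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Package:
    name: str
    version: str
    license: str
    deps: list = field(default_factory=list)


# Constructed advisory records shaped loosely like NVD/GHSA entries.
# The IDs and packages are placeholders, not real vulnerabilities.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "libparse",
     "introduced": "1.0.0", "fixed": "1.4.2", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "package": "netutil",
     "introduced": "0.0.0", "fixed": "2.0.0", "severity": "critical"},
]

# Hypothetical license policy: anything not listed here is reported.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (the 'fixed' release itself is clean)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def walk(pkg: Package, path: tuple = ()):
    """Yield (package, path) for every node, so transitive deps are scanned too."""
    path = path + (f"{pkg.name}@{pkg.version}",)
    yield pkg, path
    for dep in pkg.deps:
        yield from walk(dep, path)


def scan(root: Package) -> list:
    """Return vulnerability and license findings, each with the path that pulled it in."""
    findings = []
    for pkg, path in walk(root):
        for adv in ADVISORIES:
            if adv["package"] == pkg.name and is_affected(
                pkg.version, adv["introduced"], adv["fixed"]
            ):
                findings.append({
                    "type": "vulnerability", "id": adv["id"], "package": pkg.name,
                    "version": pkg.version, "severity": adv["severity"],
                    "fixed_in": adv["fixed"], "path": " -> ".join(path),
                })
        if pkg.license not in ALLOWED_LICENSES:
            findings.append({
                "type": "license", "package": pkg.name, "version": pkg.version,
                "license": pkg.license, "path": " -> ".join(path),
            })
    return findings


def build_sample_tree() -> Package:
    """Constructed manifest: one vulnerable transitive dep, one fixed dep,
    one dep whose version only looks old under string comparison, one license issue."""
    vulnerable = Package("libparse", "1.3.0", "MIT")           # inside affected range
    framework = Package("webfw", "3.1.0", "MIT", [vulnerable])  # pulls it in transitively
    fixed = Package("netutil", "2.1.0", "Apache-2.0")           # at/after the fixed version
    newer = Package("libparse", "1.10.0", "MIT")                # numerically above 1.4.2
    shim = Package("crypto-shim", "0.9.0", "GPL-3.0")           # not in the allowlist
    return Package("app", "1.0.0", "MIT", [framework, fixed, newer, shim])


if __name__ == "__main__":
    for f in scan(build_sample_tree()):
        print(f)
```

Two details matter in practice: versions must be compared numerically (or with a proper semver library), otherwise `1.10.0` is treated as older than `1.4.2`; and the report should carry the full dependency path, because the package you must upgrade or replace is often the direct dependency that pulled the vulnerable one in, not the vulnerable package itself.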

Interested in adding DAST scanning to your security program? Check out SOOS DAST.