About Software Composition Analysis (SCA)

Software Composition Analysis (SCA) locates and analyzes open source and third-party packages used by your code.

SCA, also referred to as open source testing, aggregates information from a variety of sources and constantly monitors for new vulnerabilities in an automated process. SCA technology is used across the software supply chain to identify the open source and third-party components in use in an organization, together with their known security vulnerabilities and license limitations. SCA can detect and extract third-party components, provide detailed license information, find known vulnerabilities, and offer actionable fixes.

SCA sources include the most popular security vulnerability databases (NVD, GitHub advisories, Microsoft MSRC) and a wide range of lesser-known security advisories and open source project issue trackers. SCA data is updated daily.

SCA requires a specific ASoC Software Composition Analyzer subscription. When you have a valid subscription, open source testing either runs as a scan of its own or is automatically included in static analysis scans when static analysis entitlements also exist. SCA does the following:
  • Locates open source packages in your code. To ensure that ASoC collects only data for open source testing, use the appscan prepare_sca command (not available from Eclipse).
  • Identifies open source packages known to be vulnerable.
  • Suggests remediation for the vulnerable packages.
Results are included in Static Analysis or Open Source reports and in your ASoC portal.
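The three steps above (locate components, match them against aggregated advisory data, suggest a fix) as a small worked example. This is added illustrative code, not the ASoC implementation: the manifest, the advisory records, their `ADV-EXAMPLE-*` ids and the `nvd-like`/`ghsa-like` source labels are all constructed placeholders.

```python
"""Toy SCA pass: locate pinned packages in a requirements manifest, match them
against advisory data aggregated from several feeds, and suggest the lowest
upgrade that clears every matching advisory. Illustrative only."""
import re
from typing import NamedTuple

class Advisory(NamedTuple):
    source: str        # feed the record was aggregated from (constructed label)
    advisory_id: str   # constructed placeholder id, not a real CVE
    package: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive upper bound)

# Constructed advisory records standing in for aggregated feed data.
ADVISORIES = [
    Advisory("nvd-like",     "ADV-EXAMPLE-1", "requests", "2.0.0", "2.31.0"),
    Advisory("ghsa-like",    "ADV-EXAMPLE-2", "requests", "2.3.0", "2.20.0"),
    Advisory("tracker-like", "ADV-EXAMPLE-3", "pyyaml",   "0.0.0", "5.4.0"),
]

# Constructed manifest; only exact `name==version` pins are considered.
REQUIREMENTS = """\
requests==2.10.0
pyyaml==5.3.1
flask==2.3.2
"""

def parse_version(v: str) -> tuple:
    """Compare versions numerically, not as strings ('2.10' > '2.9')."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def locate_packages(manifest: str) -> dict:
    """Step 1: find the open source components pinned in the manifest."""
    pins = {}
    for line in manifest.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)==([0-9][\w.]*)\s*$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def analyze(manifest: str, advisories=ADVISORIES) -> dict:
    """Steps 2 and 3: match each version to advisory ranges, then suggest a fix."""
    findings = {}
    for name, version in locate_packages(manifest).items():
        v = parse_version(version)
        hits = [a for a in advisories if a.package == name
                and parse_version(a.introduced) <= v < parse_version(a.fixed)]
        if hits:
            # Several feeds may flag one package; pick the fix that clears all of them.
            fix = max((a.fixed for a in hits), key=parse_version)
            findings[name] = {"version": version,
                              "advisories": sorted(a.advisory_id for a in hits),
                              "remediation": f"upgrade {name} to >= {fix}"}
    return findings
```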