Software composition analysis
It is common software engineering practice to build software from separate components. Decomposing a large system into components breaks its complexity into smaller pieces of code and increases flexibility, since existing components can be reused to meet new requirements. The practice expanded widely from the late 1990s with the popularization of open-source software (OSS), which helped speed up development and reduce time to market.
However, using open-source components also introduces risks for the applications being developed. These risks can be grouped into five categories:
- Version control: risks of changes introduced by new versions of a component
- Security: risks from known vulnerabilities in components, typically tracked as Common Vulnerabilities and Exposures (CVEs)
- License: risks from intellectual property (IP) obligations attached to a component's license
- Development: risks of incompatibility between the existing codebase and the open-source component
- Support: risks of poor documentation and of obsolete or unmaintained components
The risks associated with OSS were raised shortly after the Open Source Initiative was founded in February 1998. At first, organizations tried to manage them with spreadsheets and documents that tracked the open-source components their developers used.
Organizations using open-source components extensively needed to automate the analysis and management of this risk, which gave rise to a new category of software products called software composition analysis (SCA). SCA tools aim to detect all third-party components in use within an application, including dependencies pulled in indirectly, and to report the security vulnerabilities, licensing obligations, and obsolescence associated with them.
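The following is an added illustration of the check an SCA tool performs; it is example code written for this article, not code from any SCA product. It reads a constructed requirements-style manifest, matches each pinned component against a constructed advisory feed and a constructed license and release-date inventory, and reports findings in the risk categories listed above (unpinned versions, known vulnerabilities, disallowed licenses, obsolete components). Every package name, version, advisory identifier, license policy and date below is invented for the example.

```python
"""Minimal software-composition-analysis pass over a constructed manifest.

Added example, not code from any SCA product. All package names, versions,
advisory IDs, release dates and policy thresholds are invented.
"""
import re
from datetime import date

# Constructed manifest in requirements.txt style (invented packages).
MANIFEST = """\
# constructed example manifest
webframework==2.3.1
jsonparse==0.9.4
imgtool==1.0.0   # pinned years ago
crypto-utils==4.2.0
logshim>=1.2
"""

# Constructed advisory feed: affected range is [lo, hi), fixed in `fixed`.
ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "package": "jsonparse",
     "affected": ("0.9.0", "0.9.6"), "fixed": "0.9.6"},
    {"id": "EXAMPLE-2022-0042", "package": "webframework",
     "affected": ("2.0.0", "2.3.0"), "fixed": "2.3.0"},
]

# Constructed component inventory: license and date of the last release.
METADATA = {
    "webframework": {"license": "MIT", "last_release": date(2024, 5, 1)},
    "jsonparse": {"license": "BSD-3-Clause", "last_release": date(2024, 3, 10)},
    "imgtool": {"license": "GPL-3.0-only", "last_release": date(2018, 7, 2)},
    "crypto-utils": {"license": "Apache-2.0", "last_release": date(2024, 1, 15)},
    "logshim": {"license": "MIT", "last_release": date(2024, 9, 9)},
}

# Hypothetical organizational policy.
ALLOWED_LICENSES = {"MIT", "BSD-3-Clause", "Apache-2.0"}
OBSOLETE_AFTER_DAYS = 3 * 365


def parse_version(text):
    """'2.3.1' -> (2, 3, 1); tuples compare correctly component-wise."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(text):
    """Return [(name, version_or_None)] for each requirement line.

    Only exact pins (name==x.y.z) yield a version; any other specifier
    (>=, ~=, unpinned) yields None so it can be reported as a version-control risk.
    """
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9_.\-]+)\s*(.*)$", line)
        name, spec = match.group(1), match.group(2).strip()
        version = spec[2:].strip() if spec.startswith("==") else None
        components.append((name, version))
    return components


def analyze(manifest_text, today):
    """Return a list of (category, component, detail) findings."""
    findings = []
    for name, version in parse_manifest(manifest_text).items() if False else parse_manifest(manifest_text):
        if version is None:
            findings.append(("unpinned", name, "no exact version pin; new releases change behaviour"))
            continue
        current = parse_version(version)
        for adv in ADVISORIES:
            if adv["package"] != name:
                continue
            lo, hi = (parse_version(v) for v in adv["affected"])
            if lo <= current < hi:
                findings.append(("vulnerability", name,
                                 f"{adv['id']} affects {version}; upgrade to {adv['fixed']}"))
        meta = METADATA.get(name)
        if meta is None:
            findings.append(("unknown", name, "no inventory data; cannot assess"))
            continue
        if meta["license"] not in ALLOWED_LICENSES:
            findings.append(("license", name, f"{meta['license']} is not on the allow-list"))
        if (today - meta["last_release"]).days > OBSOLETE_AFTER_DAYS:
            findings.append(("obsolete", name, f"last release {meta['last_release']}"))
    return findings


if __name__ == "__main__":
    for category, component, detail in analyze(MANIFEST, date(2025, 1, 1)):
        print(f"{category:<13} {component:<14} {detail}")
```

The range check is the part that matters in practice: an advisory that names only a fixed version is useless unless the tool can decide whether the pinned version falls inside the affected interval, and real version schemes (pre-releases, build metadata) need a proper comparator rather than the integer-tuple shortcut used here.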