Software Composition Analysis (SCA)

Software Composition Analysis (SCA) is a category of application security tooling and process discipline focused on identifying, inventorying, and assessing the risk of open-source and third-party components embedded in a software project. As open-source libraries now constitute the majority of code in production applications, SCA has become a foundational control within regulated software supply chains and a prerequisite for compliance under frameworks including NIST, PCI DSS, and executive-level federal mandates. This page covers the definition and scope of SCA, its operational mechanics, the scenarios in which it is applied, and the decision criteria that distinguish it from adjacent security disciplines.

Definition and scope

SCA operates on the premise that modern applications are composite artifacts — typically 70–90% open-source code by volume, according to the Synopsys Open Source Security and Risk Analysis (OSSRA) Report, a figure consistent with CISA's framing of open-source dependency risk in its Securing the Open Source Software Ecosystem guidance. SCA tools parse dependency manifests, build artifacts, and source trees to produce a catalog of all direct and transitive dependencies, then cross-reference that catalog against known vulnerability databases — primarily the National Vulnerability Database (NVD) maintained by NIST, as well as the GitHub Advisory Database and OSV (Open Source Vulnerabilities) format feeds.

The scope of SCA spans several risk dimensions:

1. Known vulnerability identification — mapping component versions to CVE or GHSA records and associated CVSS severity scores.
2. License compliance — classifying component licenses (MIT, Apache 2.0, GPL, LGPL, AGPL) to flag obligations or prohibitions relevant to the consuming organization's distribution model.
3. Dependency health — evaluating component maintenance status, including abandoned repositories or end-of-life packages.
4. Reachability analysis — determining whether vulnerable code paths are actually invoked in the application's runtime execution graph (a capability present in advanced SCA tooling, distinct from basic version-matching).

SCA is formally referenced in the NIST Secure Software Development Framework (SSDF), SP 800-218 under the "Protect the Software" practice group, and is a central mechanism for generating a Software Bill of Materials (SBOM) — a structured inventory required under the May 2021 Executive Order on Improving the Nation's Cybersecurity (EO 14028).

How it works

SCA analysis proceeds through a defined sequence of phases, regardless of the specific tooling used:

1. Dependency discovery — The tool ingests package manager manifests (package.json, pom.xml, requirements.txt, go.mod, Gemfile.lock, etc.), binary artifacts, or container image layers to enumerate all components, including transitive dependencies pulled in by top-level libraries.
2. Component identification and normalization — Each component is matched against a package coordinate system (group ID, artifact ID, version) and normalized to a canonical identifier such as a CPE (Common Platform Enumeration) string or PURL (Package URL).
3. Vulnerability database lookup — Normalized identifiers are queried against NVD CVE data, the OSV database, and any proprietary advisory feeds. Matches return CVE IDs, CVSS base scores, and patch availability status.
4. License classification — SPDX identifiers are resolved for each component. License risk is scored against the organization's policy (e.g., copyleft licenses flagged for proprietary products).
5. Policy evaluation and gating — Results are evaluated against defined security policies — often expressed as severity thresholds, age limits on unpatched vulnerabilities, or explicit license denylists — producing a pass/fail disposition that can block CI/CD pipeline progression.
6. SBOM generation — Output is serialized in SPDX or CycloneDX format, the two dominant SBOM standards recognized by CISA and NIST.

Integration with application security in CI/CD pipelines and supply chain security for software is standard practice in mature programs, with SCA scanners embedded at the pull-request, build, and container-registry stages.

Common scenarios

Enterprise application development — Development teams consuming open-source packages via npm, Maven, or PyPI run SCA at every build to surface newly disclosed CVEs in existing dependencies. A library with no known vulnerabilities at merge time may acquire a critical CVE within weeks of release.

Container and cloud-native workloads — SCA is applied to base images and application layers in container registries. Tools scan both OS-level packages (rpm, dpkg) and language-level dependencies. This use case intersects directly with container and Kubernetes application security.

M&A due diligence — Acquiring organizations conduct SCA sweeps across target codebases to quantify open-source license exposure and outstanding vulnerability debt before transaction close.

Regulated industry compliance — PCI DSS v4.0 Requirement 6.3.2 explicitly mandates an inventory of bespoke and custom software, with open-source components treated as in-scope. HIPAA application security compliance programs use SCA findings as evidence in risk analysis documentation required under 45 CFR §164.308(a)(1).

Government and federal procurement — EO 14028 and subsequent CISA guidance require SCA-derived SBOMs for software sold to federal agencies, making SCA output a contractual deliverable rather than an internal quality control mechanism.

Decision boundaries

SCA is frequently confused with adjacent testing disciplines. The distinctions are operationally significant:

SCA vs. Static Application Security Testing (SAST) — SAST analyzes first-party source code for logic flaws, injection vulnerabilities, and insecure patterns. SCA does not inspect first-party code; it audits the dependency graph. A codebase can be SAST-clean and carry high-severity SCA findings simultaneously.

SCA vs. Dynamic Application Security Testing (DAST) — DAST probes a running application via HTTP to detect behavioral vulnerabilities. SCA requires no running application; it operates on static artifacts (manifests, binaries, images). DAST cannot detect which open-source library version is deployed; SCA cannot detect runtime configuration flaws.

SCA vs. Secure Code Review — Manual secure code review focuses on human assessment of logic and design; SCA is automated and scales across dependency graphs of hundreds or thousands of components that no human reviewer could assess manually.

The reachability dimension creates a sub-classification within SCA itself: manifest-level SCA matches component versions to CVE records without regard to whether vulnerable functions are called, producing higher false-positive rates; reachability-aware SCA traces call graphs to confirm exploitation paths exist before raising alerts, reducing noise at the cost of deeper analysis time.

Organizations building formal appsec programs typically position SCA as a mandatory gate in the build pipeline, complemented by third-party and open-source risk management processes at the procurement and governance level.

References

• NIST SP 800-218: Secure Software Development Framework (SSDF)
• NIST National Vulnerability Database (NVD)
• CISA: Securing the Open Source Software Ecosystem
• CISA: Software Bill of Materials (SBOM)
• Executive Order 14028 on Improving the Nation's Cybersecurity — White House
• SPDX Specification — Linux Foundation
• CycloneDX SBOM Standard — OWASP
• OSV — Open Source Vulnerability Database
• GitHub Advisory Database
• PCI DSS v4.0 — PCI Security Standards Council
• Synopsys Open Source Security and Risk Analysis (OSSRA) Report