Software Composition Analysis¶
Software Composition Analysis (SCA) is a process or set of tools that inspects software components and their dependencies to identify security and compliance concerns.
Characteristics¶
Licenses¶
The licenses of third-party dependencies are identified, including transitive ones that the application does not declare directly. This lets organizations enforce a license-compliance policy across the whole dependency tree, for example by flagging licenses whose terms conflict with how the product is distributed.
Dependencies¶
Dependencies often form complex graphs: a direct dependency pulls in its own dependencies, which pull in theirs, and the same component can be reached by several paths. The SCA process/tools build this graph in full, so that license and vulnerability exposure is assessed for every component actually shipped, not only the ones declared in the project's manifest.
Vulnerabilities¶
Known vulnerabilities in the software components and their dependencies are identified. The SCA process/tools match each component and version in the dependency graph against Common Vulnerabilities and Exposures (CVE) and similar advisory databases to identify affected components, and use the graph to show which paths introduce them and which upgrade would remove them.
Software Bill of Materials¶
A Software Bill of Materials (SBOM) can be produced from the dependency graph to provide a detailed, machine-readable list of the dependencies, their versions and licenses, and where they're used. Because the SBOM is kept with the release, it can be re-checked against vulnerability databases on an ongoing basis, for example when a new advisory is published after the artifact shipped, without rebuilding or rescanning the artifact.
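The following is an added example, not code from the page or from any SCA product, that ties the Dependencies, Vulnerabilities and SBOM sections above together: it consumes a CycloneDX-style SBOM, rebuilds the dependency graph, and reports every component that either carries a denied license or falls in a vulnerable version range, together with the dependency paths that introduce it. The SBOM, the package names, the advisory identifiers and the license policy are all constructed for illustration; a real assessment would take the SBOM from the build and the advisories from a CVE or OSV feed.

```python
"""Assess a CycloneDX-style SBOM for license and vulnerability exposure.

Added example; not Microsoft's or any SCA vendor's code. The SBOM, the
advisory list, the package names and the license policy are constructed
for illustration only.
"""
import json

# Constructed CycloneDX (JSON) SBOM for a hypothetical application "shop-api".
# "bom-ref" values are the graph node ids; "dependencies" is the edge list.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "shop-api", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:npm/example-web@4.2.0", "name": "example-web", "version": "4.2.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:npm/example-json@1.3.5", "name": "example-json", "version": "1.3.5",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:npm/example-crypto@0.9.1", "name": "example-crypto", "version": "0.9.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/example-web@4.2.0"]},
        {"ref": "pkg:npm/example-web@4.2.0",
         "dependsOn": ["pkg:npm/example-json@1.3.5", "pkg:npm/example-crypto@0.9.1"]},
        {"ref": "pkg:npm/example-json@1.3.5", "dependsOn": ["pkg:npm/example-crypto@0.9.1"]},
        {"ref": "pkg:npm/example-crypto@0.9.1", "dependsOn": []},
    ],
})

# Constructed advisory feed with fictitious ids (a real tool would query a CVE/OSV feed).
# A component is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "example-json", "introduced": "1.0.0", "fixed": "1.3.6"},
    {"id": "EXAMPLE-ADV-0002", "name": "example-web", "introduced": "5.0.0", "fixed": "5.0.2"},
]

# Hypothetical license policy for this application.
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


def parse_version(version):
    """Dotted numeric version -> comparable tuple.

    Assumption: plain X.Y.Z versions. Real ecosystems need their own rules
    (semver pre-release tags, PEP 440 epochs, Maven qualifiers)."""
    return tuple(int(part) for part in version.split("."))


def load_sbom(sbom_json):
    """Return (root ref, components by bom-ref, adjacency list) from a CycloneDX JSON string."""
    bom = json.loads(sbom_json)
    root = bom["metadata"]["component"]["bom-ref"]
    components = {c["bom-ref"]: c for c in bom["components"]}
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom["dependencies"]}
    return root, components, graph


def dependency_paths(graph, root, target):
    """All simple paths root -> target; answers 'where is this component used?'."""
    paths, stack = [], [(root, [root])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for child in graph.get(node, []):
            if child not in path:  # skip cycles, which malformed SBOMs can contain
                stack.append((child, path + [child]))
    return paths


def is_affected(component, advisory):
    """True when the component's name matches and its version is in the vulnerable range."""
    if component["name"] != advisory["name"]:
        return False
    version = parse_version(component["version"])
    return parse_version(advisory["introduced"]) <= version < parse_version(advisory["fixed"])


def component_licenses(component):
    """SPDX ids declared on a component (CycloneDX also allows free-text names and expressions)."""
    return {entry["license"].get("id", entry["license"].get("name", "UNKNOWN"))
            for entry in component.get("licenses", [])}


def assess(sbom_json, advisories, denied_licenses):
    """Cross-reference every SBOM component against the license policy and the advisory feed."""
    root, components, graph = load_sbom(sbom_json)
    findings = []
    for ref, comp in components.items():
        paths = dependency_paths(graph, root, ref)
        for lic in sorted(component_licenses(comp) & denied_licenses):
            findings.append({"type": "license", "ref": ref, "detail": lic, "paths": paths})
        for adv in advisories:
            if is_affected(comp, adv):
                findings.append({"type": "vulnerability", "ref": ref, "detail": adv["id"],
                                 "fixed": adv["fixed"], "paths": paths})
    return findings


if __name__ == "__main__":
    for finding in assess(SBOM_JSON, ADVISORIES, DENIED_LICENSES):
        print(finding["type"], finding["ref"], finding["detail"])
        for path in finding["paths"]:
            print("    via", " -> ".join(path))
```

Run as-is, the report shows example-json exposed through example-web, and example-crypto (denied license) reachable by two different paths, which is the information needed to decide whether an upgrade of one direct dependency removes the exposure or whether a second path keeps it in the build. Re-running `assess` with a refreshed advisory list against the stored SBOM is the ongoing check the section describes.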
Examples¶
Licenses, Dependencies, and Vulnerabilities¶
- The GitHub Dependency Graph creates a dependency graph for code stored within GitHub. For each of the dependencies, license and vulnerability information is made available.
Software Bill of Materials¶
- The "Improve release artifact and workload integrity in Kubernetes via a secure software supply chain" solution includes an implementation that demonstrates how to create an SBOM when building a software release. The SBOM is used in conjunction with a policy gate to ensure workloads deployed to an AKS cluster meet security and compliance requirements.