
Top 8 Software Composition Analysis (SCA)

The eight tools, in order: Snyk, GitLab, Mend, Sonatype Nexus Lifecycle, Veracode Software Composition Analysis, Black Duck, FOSSA, Sonatype Nexus Firewall. One user review excerpt per tool follows, in that order.
  1. The most valuable feature of Snyk is the software composition analysis. The advantage of Snyk is that Snyk automatically creates a pull request for all the findings that match or are classified according to the policy that we create. So, once we review the PR within Snyk and we approve the PR, Snyk auto-fixes the issue, which is quite interesting and which isn't there in any other product out there. So, Snyk is a step ahead in this particular area.
  2. We use the Git repository and tagging feature. We are a product-based company and use this solution to move to a forward or backward tag. GitLab is being used as a repository for our codebase and it is a one-stop DevOps tool we use in our team.
  3. I am the organizational deployment administrator for this tool, and I, along with other users in our company, especially the security team, appreciate the solution for several reasons. The UI is excellent, and scanning for security threats fits well into our workflow.
  4. Vulnerability detection accuracy is good. Lifecycle lets developers see any vulnerabilities or AGPL license issues associated with code in the early stages of development. The nice thing is that it's built into the IDE so that they can see all versions of a specific code.
  5. It has given our management a view into issues with all of our product lines. We have three products and all of them were scanned. As a result, the project lead for each product has taken measures to improve things.
  6. The most valuable feature of Black Duck is the seamless integration to scan our Docker binary files, it provides us all open vulnerabilities, and it ensures a reference point from where it finds the vulnerability is up to date. For example, if there is any new vulnerability found, they are immediately available in the Black Duck. There is no delay in finding the vulnerabilities, they are called out in our code immediately.
  7. One of the things that I really like about FOSSA is that it allows you to go very granular. For example, if there's a package that's been flagged because it's subject to a license that may conflict with or raise a concern with one of the policies that I've set, then FOSSA enables you to go really granular into that package to see which aspects of the package are subject to which licenses. We can ultimately determine with our engineering teams if we really need this part of the package or not. If it's raising this flag, we can make really actionable decisions at a very micro level to enable the build to keep pushing forward.
  8. Another thing that I like about Sonatype is that if you download something today, and five days from today it becomes vulnerable, it will notify you.

Advice From The Community

Question from Rony_Sklar (PeerSpot, formerly IT Central Station):

What are the different types of tools that should be used together in DevSecOps?

What are the specific tools that you like to use when working on your DevSecOps pipeline?

What is essential, and what is a nice-to-have?

Jeremy Vaughan: Depends on budget and the larger approach to security, compliance, and risk…

(6 answers in total)

Software Composition Analysis (SCA) Articles

Netanya Carmi, Content Manager, PeerSpot (formerly IT Central Station), Apr 19 2022:
PeerSpot's crowdsourced user review platform helps technology decision-makers around the world to better connect with peers and other independent experts who provide advice without vendor bias. Our users have ranked these solutions according to their valuable features, and discuss which features...

Netanya Carmi, Content Manager, PeerSpot (formerly IT Central Station), Apr 11 2022:
The world of technology is constantly undergoing both evolutions and revolutions. It is always difficult to know just what kinds of changes and innovations each year is going to bring. The fields of Development and Operations (DevOps) and Development, Security, and Operations (DevSecOps) are two ...

Software Composition Analysis (SCA) Topics

How does software composition analysis work?

SCA tools inspect source code, package-manager manifests and lockfiles, binary files, and container images, among other artifacts, and compile the open source components they identify into a bill of materials (BOM, today usually called a software bill of materials or SBOM). Each component is recorded by name and version (and, for binaries, often by file hash) so that it can be looked up. The BOM is then compared against vulnerability databases, one of which is the U.S. government's National Vulnerability Database (NVD), and against license data for each component. Because those databases record which versions of a component each known vulnerability affects, matching the BOM against them tells a security team which of its components carry known security or license-compliance issues, so it can update, patch, or replace them. The match is only as good as the inventory: a scan that reads the manifest but not the lockfile or resolved dependency tree misses transitive dependencies, which is where many vulnerable components sit.

Why is software composition analysis important?

In most modern applications the majority of the code base is open source or other third-party code, so the development team itself writes only a fraction of what ships. Much of that third-party code arrives indirectly, as dependencies of dependencies, and the set changes every time a dependency is bumped. At that volume and pace it is not practical for humans to track it manually, and security tooling has to keep up with development rather than gate it. SCA answers three questions: which open source components and versions are in use, which known vulnerabilities affect those components, and how to remediate them (typically by upgrading to the first fixed version).

SCA is fast, because it matches an inventory against a database rather than analyzing program behavior, and its results are reproducible for a given lockfile and advisory feed, which makes it suitable as a check that runs on every build.

What are the benefits of software composition analysis?

The benefits of SCA include:

  1. Automatic tracking of open source components, giving visibility into known vulnerabilities in third-party code that tools focused on your own code (such as SAST) do not report.

  2. A full accounting of the open source being used, including transitive dependencies.

  3. Continuous monitoring for new vulnerabilities: a component that was clean when it was added can be flagged later, when an advisory is published, without rescanning the code.

  4. Automated and prioritized vulnerability management and remediation, for example by ranking findings by severity and pointing to the first fixed version.

  5. License risk management, which lowers the compliance risk of shipping components under licenses (such as copyleft licenses) that conflict with your policy.
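The pipeline described under "How does software composition analysis work?" and the benefits listed above, as an added example that is not code from PeerSpot or from any of the tools reviewed on this page: it builds a BOM from a lockfile (including transitive dependencies), matches it against an advisory feed using version ranges, re-matches the stored BOM when a later advisory appears (continuous monitoring), ranks findings by severity, and flags a denied license. The lockfile, package names, versions, and advisory IDs are constructed sample data, not real packages or real CVEs.

```python
"""Minimal SCA pipeline: lockfile -> bill of materials -> advisory matching.

Added example, not code from PeerSpot or from any of the tools reviewed above.
All package names, versions and advisory IDs below are constructed sample data.
"""
import json
from dataclasses import dataclass

# Constructed lockfile in npm's lockfileVersion 3 layout. Keys of "packages" are
# install paths, so an entry nested under node_modules/<x>/node_modules/ is a
# transitive dependency pulled in by <x>, not something the manifest names.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-router": "^2.1.0", "yaml-parse": "~1.4.0"}},
        "node_modules/web-router": {"version": "2.1.3", "license": "MIT"},
        "node_modules/yaml-parse": {"version": "1.4.2", "license": "AGPL-3.0"},
        "node_modules/web-router/node_modules/path-match": {"version": "0.9.1", "license": "MIT"},
    },
})

# Constructed advisories using OSV-style "introduced"/"fixed" version events.
# The IDs are placeholders, not real CVE or GHSA identifiers.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "path-match", "severity": "HIGH",
     "introduced": "0.0.0", "fixed": "0.9.2", "summary": "path traversal in route matcher"},
    {"id": "EXAMPLE-0002", "package": "yaml-parse", "severity": "CRITICAL",
     "introduced": "1.0.0", "fixed": "1.4.0", "summary": "unsafe object construction"},
]

# A constructed advisory "published" after the BOM was built, to show that
# continuous monitoring only needs the stored BOM, not a fresh scan of the repo.
LATER_ADVISORY = {"id": "EXAMPLE-0003", "package": "web-router", "severity": "CRITICAL",
                  "introduced": "2.0.0", "fixed": "2.1.4", "summary": "header injection"}

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    direct: bool          # named in the manifest, or pulled in transitively?


def parse_version(text):
    """Numeric dotted versions only; real tools need full semver/PEP 440 parsing."""
    return tuple(int(part) for part in text.split("."))


def build_bom(lockfile_text):
    """Inventory every installed package, direct and transitive, from the lockfile."""
    data = json.loads(lockfile_text)
    declared = set(data["packages"][""].get("dependencies", {}))
    bom = []
    for path, meta in data["packages"].items():
        if path == "":          # the root entry describes the project itself
            continue
        # The package name is everything after the last "node_modules/", which
        # also keeps scoped names such as "@scope/name" intact.
        name = path.rsplit("node_modules/", 1)[1]
        top_level = path.count("node_modules/") == 1
        bom.append(Component(name, meta["version"], meta.get("license", "UNKNOWN"),
                             direct=top_level and name in declared))
    return bom


def is_affected(version, advisory):
    """OSV range semantics: affected if introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def match_advisories(bom, advisories):
    """Compare the BOM against the advisory feed; highest severity first."""
    findings = []
    for comp in bom:
        for adv in advisories:
            if adv["package"] == comp.name and is_affected(comp.version, adv):
                findings.append({
                    "id": adv["id"],
                    "component": f"{comp.name}@{comp.version}",
                    "severity": adv["severity"],
                    "direct": comp.direct,
                    "remediation": f"upgrade {comp.name} to >= {adv['fixed']}",
                })
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


def license_violations(bom, denied=("AGPL-3.0",)):
    """Flag components whose declared license is on the policy deny list."""
    return [f"{c.name}@{c.version} ({c.license})" for c in bom if c.license in denied]


if __name__ == "__main__":
    bom = build_bom(SAMPLE_LOCKFILE)
    for c in bom:
        print("direct    " if c.direct else "transitive", c.name, c.version, c.license)
    print("findings at scan time:", match_advisories(bom, ADVISORIES))
    # Continuous monitoring: re-match the stored BOM against the updated feed.
    print("findings after new advisory:", match_advisories(bom, ADVISORIES + [LATER_ADVISORY]))
    print("license policy violations:", license_violations(bom))
```

Two things the sample is built to show: the only vulnerable component at scan time is a transitive one (path-match, which the manifest never names, so a manifest-only scan would miss it), and yaml-parse 1.4.2 is correctly not flagged because the fix landed in 1.4.0, which is why advisory matching needs version ranges rather than package names alone. Real tools replace the naive version tuple with a proper semver or PEP 440 comparator and fetch the feed from a source such as OSV or the NVD.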

What is an SCA tool?

SCA (software composition analysis) is a segment of the AST (application security testing) tool market. SCA tools automatically scan an app's code base, along with related containers and registries, to identify the open source components it contains, the known vulnerabilities in those components, and their license data. For each component with a known, documented vulnerability they advise whether an updated or patched version is available; some tools go further and open the fix themselves, for example as a dependency-bump pull request. Because a single declared dependency can pull in dozens of transitive ones, SCA tools resolve direct and indirect dependencies and their supporting libraries rather than only what the manifest names; a scan that reads only the manifest misses most of the tree. The scan produces a BOM (bill of materials), an inventory of all of the project's software assets, and later checks are run against that inventory. Tracking the open source your apps use is critical from both a productivity standpoint and a security standpoint.

Unlike other application security tools, which analyze the code you wrote or the running application, SCA tools manage the risk of the open source you consume, across the whole software supply chain from the developer's package manager to the deployed container image.

What is SCA testing?

SCA (software composition analysis) testing is a kind of application security testing (AST). The purpose of AST is to identify vulnerabilities in source code and security weaknesses in order to make applications more secure. Where SAST and DAST examine the code you wrote or the running application, SCA scans an application to identify the open source components it contains and looks them up against known-vulnerability data. In addition to security, SCA also evaluates license compliance, and some tools report component health (such as age and maintenance activity) to help judge whether a dependency should be kept at all.

Buyer's Guide: Software Composition Analysis (SCA). Updated: July 2022.