Top 8 Software Composition Analysis (SCA)

Ranked solutions: GitLab, Snyk, Sonatype Nexus Lifecycle, Mend, Black Duck, Veracode Software Composition Analysis, FOSSA, Sonatype Nexus Firewall.

What reviewers say:

  1. GitLab: The solution has an established roadmap that lays out its plans for upgrades over the next two to three years. I have found the most valuable feature is security control. I also like the branching and cloning software.
  2. Snyk: The most valuable features of Snyk are vulnerability scanning and automation. The automation the solution brings around vulnerability scanning is useful.
  3. Sonatype Nexus Lifecycle: The IQ server and repo are the most valuable. Due to the sheer amount of vulnerabilities and the fact that my company is still working on eliminating all vulnerabilities, it's still too early for me to say what I like most about Sonatype Nexus Lifecycle. Still, one of the best functions of the product is the guidance it gives in finding which components or applications have vulnerabilities. For example, my team had a vulnerability or a CVE connected to Apache last week. My team couldn't find which applications had the vulnerability initially, but using Sonatype Nexus Lifecycle helped. My team deployed new versions on that same day and successfully eliminated the vulnerabilities, so right now, the best feature of Sonatype Nexus Lifecycle is finding which applications have vulnerabilities.
  4. Mend: There are multiple different integrations there. We use Mend for CI/CD that goes through Azure as well. It works seamlessly. We never have any issues with it.
  5. Black Duck: The solution is very good at scanning and evaluating open source software. The most valuable feature of Black Duck is the seamless integration to scan our Docker binary files; it provides us all open vulnerabilities, and it ensures the reference point from where it finds the vulnerability is up to date. For example, if there is any new vulnerability found, it is immediately available in Black Duck. There is no delay in finding the vulnerabilities; they are called out in our code immediately.
  6. Veracode Software Composition Analysis: It has given our management a view into issues with all of our product lines. We have three products and all of them were scanned. As a result, the project lead for each product has taken measures to improve things.
  7. FOSSA: I am impressed with the tool’s seamless integration and quick results. One of the things that I really like about FOSSA is that it allows you to go very granular. For example, if there's a package that's been flagged because it's subject to a license that may conflict with or raise a concern with one of the policies that I've set, then FOSSA enables you to go really granular into that package to see which aspects of the package are subject to which licenses. We can ultimately determine with our engineering teams if we really need this part of the package or not. If it's raising this flag, we can make really actionable decisions at a very micro level to enable the build to keep pushing forward.
  8. Sonatype Nexus Firewall: Another thing that I like about Sonatype is that if you download something today, and five days from today it becomes vulnerable, it will notify you.

Buyer's Guide
Software Composition Analysis (SCA)
February 2023
Find out what your peers are saying about GitLab, Snyk, Sonatype and others in Software Composition Analysis (SCA). Updated: February 2023.
685,707 professionals have used our research since 2012.

Advice From The Community

Read answers to top Software Composition Analysis (SCA) questions. 685,707 professionals have gotten help from our community of experts.
Netanya Carmi, Content Manager at PeerSpot (formerly IT Central Station)
Rony_Sklar, Community Manager at a tech services company with 51-200 employees

What are the different types of tools that should be used together in DevSecOps?

What are the specific tools that you like to use when working on your DevSecOps pipeline? 

What is essential, and what is a nice-to-have? 

Rama Susarla: It depends on the budget, business and technology portfolio of the enterprise…
6 Answers

Software Composition Analysis (SCA) Articles

Netanya Carmi, Content Manager at PeerSpot (formerly IT Central Station)
PeerSpot’s crowdsourced user review platform helps technology decision-makers around the world to better connect with peers and other independent experts who provide advice without vendor bias. Our users have ranked these solutions according to their valuable features, and discuss which features...

Netanya Carmi, Content Manager at PeerSpot (formerly IT Central Station)
The world of technology is constantly undergoing both evolutions and revolutions. It is always difficult to know just what kinds of changes and innovations each year is going to bring. The fields of Development and Operations (DevOps) and Development, Security, and Operations (DevSecOps) are two ...

Software Composition Analysis (SCA) Topics

How does software composition analysis work?

SCA tools inspect source code, package manager metadata, binary files, manifest files, and container images, among other inputs. They then compile the open source components they identify into a bill of materials (BOM). The BOM is compared against a variety of databases, one of which is the U.S. government’s National Vulnerability Database (NVD), to assess overall code quality and to discover the licenses associated with the code. These databases contain information on common and known vulnerabilities, and by comparing the BOM against them a security team can identify critical legal or security issues, which it can then go on to fix.
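A stripped-down version of that pipeline (manifest to BOM to database match), added here as an illustration and not code from any vendor on this page: it parses a pinned pip requirements file into a BOM and checks each component against a small advisory list with affected-version ranges; running the same check on a stored BOM against a newer advisory list is the continuous-monitoring case the reviews describe. The manifest, package versions and advisory IDs are constructed sample data.

```python
"""Minimal software composition analysis pass (illustrative, not vendor code).
Manifest -> bill of materials (BOM) -> match against a vulnerability database.
The manifest and the advisory records below are constructed sample data."""

# Constructed sample manifest in pinned requirements.txt style.
MANIFEST = """
# web stack
requests==2.25.1
urllib3==1.26.4   # transitive dependency pinned explicitly
Django==3.2.0
"""

# Constructed advisory records: (package, introduced, fixed, advisory id).
# A real SCA tool pulls these from sources such as the NVD.
ADVISORIES = [
    ("urllib3", "1.26.0", "1.26.5", "ADVISORY-EXAMPLE-1"),
    ("requests", "2.3.0", "2.20.0", "ADVISORY-EXAMPLE-2"),
]


def parse_version(version):
    """Turn '1.26.4' into (1, 26, 4) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def build_bom(manifest):
    """Return {package: version} for every pinned line; comments and blanks skipped."""
    bom = {}
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:  # an SCA tool cannot assess an unpinned component
            raise ValueError(f"unpinned requirement: {line}")
        bom[name.strip().lower()] = version.strip()
    return bom


def find_vulnerable(bom, advisories):
    """List (package, version, advisory id) for BOM entries whose version lies
    in an advisory's affected range [introduced, fixed)."""
    hits = []
    for pkg, introduced, fixed, advisory in advisories:
        version = bom.get(pkg.lower())
        if version is None:
            continue
        if parse_version(introduced) <= parse_version(version) < parse_version(fixed):
            hits.append((pkg, version, advisory))
    return hits
```

Re-running find_vulnerable on the saved BOM whenever the advisory list is refreshed is what turns a one-off scan into continuous monitoring.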

Why is software composition analysis important?

More than 90% of any code base comes from an external supplier. That means that your development team actually codes less than 10% of any app it builds. Due to the sheer amount of open source code out there, it is no longer possible for humans to track it manually. Development is also happening faster than ever and security solutions need to be able to keep up. SCA helps you to understand what components and versions of open source are being used, to identify what security vulnerabilities affect those components, and to figure out how to remediate them.

SCA offers speed, security, and reliability, which are all essential factors in application security testing.

What are the benefits of software composition analysis?

The benefits of SCA include:

  1. Automatic tracking of open source components, ensuring visibility into all kinds of possible vulnerabilities that cannot be found by other methods.

  2. A full accounting of the open source being used.

  3. Continuous monitoring for new vulnerabilities.

  4. Automated and prioritized vulnerability management and remediation.

  5. License risk management, which helps you to lower the risks associated with compliance and licenses.

What is an SCA tool?

SCA (software composition analysis) is a segment of the AST (application security testing) tool market. SCA tools automatically scan an app’s code base, as well as related containers and registries, in order to identify any open source components and their security vulnerabilities as well as their license compliance data. They then find components with known, documented vulnerabilities and advise if the components need to be updated or have patches available. In addition to just providing visibility, some SCA tools also help to remediate open source vulnerabilities. SCA tools can discover all related components, their supporting libraries, and their direct and indirect dependencies. The scanning process generates a BOM (bill of materials), which provides an inventory of all of the project’s software assets. The tracking of open source components used by your apps is critical from both a productivity standpoint and a security standpoint.

Unlike other application security tools, SCA tools are built for managing the risk of open source software use throughout the software supply chain.

What is SCA testing?

SCA (software composition analysis) testing is a kind of application security testing (AST). The purpose of AST is to identify vulnerabilities in source code and security weaknesses in order to make applications more secure. SCA is a new technology that scans applications to identify components of open source code. In addition to security, SCA also evaluates code quality and license compliance.
