Software Composition Analysis (SCA) is a set of tools that gives users visibility into their open source inventory. SCA tools generate an inventory report of all open source components in a product. The more popular an open source component is, the more valuable a vulnerability found in it becomes to attackers. Once all the open source components have been identified, SCA tools provide information on each one. Basic information includes the component's open source license and whether a known security vulnerability is associated with it. Leading tools can automate the entire process of open source selection, approval and tracking, saving developers time and improving accuracy.
SCA tools provide essential security for software that is composed in part of open source components. They identify which open source components an organization is using in its source code and match those components against community databases, advisories, and issue trackers to surface any vulnerabilities present in the code base. An SCA platform of this kind protects Java, JavaScript, and .NET applications from risk by identifying known vulnerabilities in the open source libraries those applications use. Additionally, such a platform provides unified management of users, policies, mitigations, and integrations.
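The matching step described above, as an added example that is not part of the original text or any vendor's product: a minimal SCA-style matcher that checks an extracted component inventory against an advisory feed (affected range given as introduced/fixed versions) and a license policy. All component names, advisory ids (`ADV-PLACEHOLDER-*`), versions and policy entries are constructed sample data.

```python
# Constructed inventory, as an SCA scanner would extract it from a manifest or lockfile.
INVENTORY = [
    {"name": "example-json", "version": "2.9.8", "license": "Apache-2.0"},
    {"name": "example-logging", "version": "1.4.1", "license": "Apache-2.0"},
    {"name": "example-crypto", "version": "0.9.0", "license": "GPL-3.0-only"},
    {"name": "example-http", "version": "3.1.0", "license": "MIT"},
]
# Constructed advisory feed with placeholder ids; each entry affects [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "example-json", "introduced": "2.0.0", "fixed": "2.9.10", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-2", "name": "example-logging", "introduced": "1.0.0", "fixed": "1.4.2", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-3", "name": "example-http", "introduced": "2.0.0", "fixed": "3.0.0", "severity": "medium"},
]
# Constructed license policy: licenses that need approval before a component is used.
RESTRICTED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}

def parse_version(version):
    """Split '2.9.8' into (2, 9, 8) so versions compare numerically; a plain string
    comparison would wrongly rank '2.9.8' above '2.9.10'."""
    return tuple(int(part) for part in version.split("."))

def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed; the fixed version itself is clean."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def analyze(inventory, advisories, restricted_licenses):
    """Return one finding per matched advisory and one per restricted license."""
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["name"], []).append(adv)
    findings = []
    for comp in inventory:
        for adv in by_name.get(comp["name"], []):
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "type": "vulnerability", "id": adv["id"],
                                 "severity": adv["severity"],
                                 "remediation": "upgrade to >= " + adv["fixed"]})
        if comp["license"] in restricted_licenses:
            findings.append({"component": comp["name"], "version": comp["version"],
                             "type": "license", "id": comp["license"],
                             "severity": "policy", "remediation": "obtain license approval"})
    return findings

if __name__ == "__main__":
    for f in analyze(INVENTORY, ADVISORIES, RESTRICTED_LICENSES):
        print(f"{f['component']} {f['version']}: {f['type']} {f['id']} "
              f"({f['severity']}) -> {f['remediation']}")
```

Real SCA tools do the same matching against live advisory sources and handle richer version schemes (pre-release tags, distribution-specific epochs), but the numeric version comparison shown here is the point where naive string matching most often produces false negatives.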