Software Composition Analysis (SCA) — DevSecOps Interactive Learning

What is SCA?

SCA tools build a bill of materials (BOM) of open-source and third-party dependencies (direct and transitive), then match versions against vulnerability databases. Advanced SCA also flags license risk, outdated packages, and malware in registries.

Why open-source dependencies are a risk

Transitive depth: A single import can pull dozens of nested libraries.
CVE velocity: New disclosures affect old pinned versions overnight.
Supply chain: Typosquatting, compromised maintainers, hijacked packages.
Shadow IT: Copied snippets and vendored code bypass package manifests if not tracked.

Tools

Tool	Scope	Typical use
OWASP Dependency-Check	Multi-ecosystem CLI	CI job producing SARIF/HTML reports
Snyk	SCA + container + IaC	PR fixes, policy by severity
npm audit	Node/npm	Local and CI `npm audit --production`
OSV / GitHub Dependabot	Git-native	Automated version bump PRs

CVE databases (and friends)

Source	Role
CVE dictionary	Identifiers + descriptions (MITRE)
NVD	Enriched CVE records, CVSS scores, CPE matching
GHSA	GitHub Security Advisory database
OSV	Open-source vuln DB with ecosystem-specific ranges

Example: npm audit output (illustrative)

# npm audit --json (excerpt)
{
  "vulnerabilities": {
    "lodash": {
      "name": "lodash",
      "severity": "high",
      "via": [{ "source": 1234567, "name": "lodash", "range": "<4.17.21" }],
      "effects": [],
      "range": "<4.17.21",
      "nodes": ["node_modules/lodash"],
      "fixAvailable": { "name": "lodash", "version": "4.17.21" }
    }
  },
  "metadata": { "vulnerabilities": { "high": 1 } }
}

Remediation strategies

Upgrade path

Patch to fixed version in lockfile.
Run tests + smoke scan; watch breaking changes.

When upgrade is hard

Isolate dependency behind a wrapper service.
Compensating controls (WAF rules, feature flags off).
Time-boxed exception with owner + expiry.

SBOM Export CycloneDX/SPDX from CI so operations and customers can consume the same inventory you scan.