Home>Blog>SCA - Dependency Scanning
DEPENDENCY SECURITY

Software Composition Analysis

Dependency and third-party library security analysis - SBOM, CVE scanning, Snyk, Dependabot, and protection against supply chain attacks.

What is Software Composition Analysis?

Software Composition Analysis (SCA) is an automated process for identifying and analyzing open-source components, libraries, and dependencies in your application. SCA tools detect known security vulnerabilities, license risks, and outdated dependency versions, which is critical at a time when up to 90% of modern applications contain third-party code.

90%
of applications use open-source code
70%
of vulnerabilities originate from dependencies
200+
average number of dependencies per project

Why is SCA Critical?

Modern applications are built on dozens to hundreds of third-party libraries. Each dependency represents a potential security risk:

  • Known vulnerabilities (CVE): Publicly known security flaws in open-source libraries
  • Transitive dependencies: Dependencies of your dependencies that often go unnoticed
  • Outdated versions: Libraries that have not been updated and contain unpatched bugs
  • License risks: Conflicting or incompatible open-source component licenses
  • Supply chain attacks: Compromised libraries deliberately targeted by attackers

Notable Dependency Vulnerability Cases

  • Log4Shell (CVE-2021-44228): Critical RCE vulnerability in the Log4j library, affecting millions of applications
  • Heartbleed (CVE-2014-0160): OpenSSL vulnerability enabling theft of sensitive data
  • Struts 2 (CVE-2017-5638): RCE vulnerability that led to the Equifax breach (147M records)
  • event-stream npm package: Supply chain attack with a bitcoin miner injected into a popular library

What Do SCA Tools Detect?

1. Security Vulnerabilities

SCA tools scan your dependencies against known vulnerability databases (CVE, NVD, GitHub Advisory Database, Snyk Vulnerability DB):

  • Identification of CVE numbers and their severity (Critical, High, Medium, Low)
  • Availability of fixes and recommended upgrade versions
  • Exploitability of the vulnerability (does an active exploit exist?)
  • CVSS score and attack vector descriptions

2. License Compliance

Analysis of open-source library licenses and detection of potential conflicts:

  • GPL, MIT, Apache, BSD, and other licenses
  • License compatibility with your project
  • Copyleft requirements and their implications
  • Commercial risks when using certain licenses

3. Outdated Dependencies

Identification of libraries that are outdated or no longer maintained:

  • Versions with available updates
  • End-of-life (EOL) libraries without support
  • Breaking changes when upgrading to newer versions

4. Software Bill of Materials (SBOM)

A complete inventory of all components in your application:

  • Direct dependencies (declared in package.json, pom.xml, etc.)
  • Transitive dependencies (dependencies of dependencies)
  • Version, license, and origin of each component
  • Dependency graphs and relationships between libraries

Popular SCA Tools

Cloud / Commercial

Snyk Open Source

One of the most popular cloud-based SCA tools with an extensive vulnerability database and easy CI/CD integration.

  • Automatic PRs with fixes
  • Vulnerability prioritization by exploitability
  • Support for npm, Maven, pip, RubyGems, NuGet
  • IDE integration (VS Code, IntelliJ)
  • Free tier for open-source projects
Cloud / Commercial

Mend (WhiteSource)

Enterprise-grade SCA solution focused on license compliance and comprehensive reporting.

  • Real-time alerting on new vulnerabilities
  • Advanced license analysis
  • Policy enforcement
  • Integration with Jira, ServiceNow
Open Source

OWASP Dependency-Check

Open-source tool from OWASP for detecting known vulnerabilities in project dependencies.

  • Support for Java, .NET, Ruby, Node.js, Python
  • CLI, Maven plugin, Gradle plugin, Jenkins plugin
  • Integration with NVD (National Vulnerability Database)
  • HTML/XML/JSON reporting
  • Completely free and open-source
GitHub Native

GitHub Dependabot

Native GitHub tool for automatic security updates of dependencies.

  • Automatic Pull Requests with fixes
  • Dependabot Security Alerts
  • Version updates for all ecosystems
  • Free for all GitHub repositories
  • Integration with GitHub Security Advisory
CLI Tool

npm audit / yarn audit

Built-in tools in npm and Yarn for auditing Node.js dependencies.

  • Instant package.json analysis
  • Automatic fixes via npm audit fix
  • Severity levels (low, moderate, high, critical)
  • Integration with the npm registry database
Enterprise

JFrog Xray

Universal artifact analysis for comprehensive CI/CD pipeline security.

  • Scanning Docker images, Maven, npm, PyPI
  • Integration with JFrog Artifactory
  • Policy-based artifact blocking
  • Deep scan of binary artifacts

Practical Example: npm audit

The simplest way to get started with SCA in Node.js projects:

# Run dependency audit npm audit # Output shows found vulnerabilities: # found 3 vulnerabilities (1 moderate, 2 high) # Automatically fix vulnerabilities npm audit fix # Generate a detailed report npm audit --json > audit-report.json # Audit production dependencies only npm audit --production # Set audit level in CI/CD npm audit --audit-level=high # If high or critical exists, the command fails (exit code 1)

Example npm audit output:

┌───────────────┬──────────────────────────────────────────────────┐ │ Moderate │ Regular Expression Denial of Service │ ├───────────────┼──────────────────────────────────────────────────┤ │ Package │ minimatch │ ├───────────────┼──────────────────────────────────────────────────┤ │ Patched in │ >=3.0.5 │ ├───────────────┼──────────────────────────────────────────────────┤ │ Dependency of │ jest [dev] │ ├───────────────┼──────────────────────────────────────────────────┤ │ Path │ jest > @jest/core > micromatch > minimatch │ ├───────────────┼──────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/1673 │ └───────────────┴──────────────────────────────────────────────────┘

SBOM - Software Bill of Materials

An SBOM is a formal list of all components, libraries, and modules in your software. It is like an "ingredients list" for your application.

Why is SBOM Important?

  • Transparency: Visibility into all components of your application
  • Rapid vulnerability response: Instant identification of whether you are affected (e.g., Log4Shell)
  • Compliance: Regulatory requirements (e.g., US Executive Order 14028)
  • Supply chain security: Detection of unauthorized or malicious components
  • License audit: Overview of all licenses in use

SBOM Standards

  • SPDX (Software Package Data Exchange): ISO/IEC 5962:2021 standard
  • CycloneDX: OWASP standard focused on security
  • SWID (Software Identification Tags): ISO/IEC 19770-2 standard

Generating SBOM with CycloneDX

# Install CycloneDX CLI for Node.js npm install -g @cyclonedx/cyclonedx-npm # Generate SBOM in CycloneDX format cyclonedx-npm --output-file sbom.json # The SBOM contains: # - All dependencies (direct and transitive) # - Versions and licenses # - Hashes (checksums) for integrity # - CPE identifiers for CVE lookup # CI/CD integration cyclonedx-npm --output-file sbom.xml --output-format XML # Store the SBOM as an artifact for audit trail

Best Practice: SBOM with Every Release

Generate and store an SBOM with every production release. This enables retroactive analysis if a new vulnerability is discovered in a library you were using in the past.

Integrating SCA into a CI/CD Pipeline

SCA should be integrated into every phase of the development lifecycle:

1. Pre-commit / IDE Integration

  • Snyk extension for VS Code
  • GitHub Copilot Security alerts
  • Pre-commit hooks with dependency checks

2. CI/CD Pipeline (Continuous Integration)

# GitHub Actions example name: Security Scan on: [push, pull_request] jobs: dependency-check: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Run npm audit run: npm audit --audit-level=high - name: Run Snyk uses: snyk/actions/node@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: args: --severity-threshold=high - name: Generate SBOM run: | npm install -g @cyclonedx/cyclonedx-npm cyclonedx-npm --output-file sbom.json - name: Upload SBOM artifact uses: actions/upload-artifact@v3 with: name: sbom path: sbom.json

3. GitLab CI/CD Example

dependency_scanning: stage: test image: node:18 script: # npm audit - npm audit --audit-level=moderate || true # OWASP Dependency-Check - wget https://github.com/jeremylong/DependencyCheck/releases/download/v8.0.0/dependency-check-8.0.0-release.zip - unzip dependency-check-8.0.0-release.zip - ./dependency-check/bin/dependency-check.sh --project "MyApp" --scan . --format HTML --format JSON # Snyk - npm install -g snyk - snyk auth $SNYK_TOKEN - snyk test --json > snyk-report.json artifacts: reports: dependency_scanning: snyk-report.json paths: - dependency-check-report.html

4. Continuous Monitoring

  • Dependabot: Automatic PRs with security fixes
  • Snyk Monitor: Continuous monitoring of production dependencies
  • Scheduled scans: Weekly/daily rescans against new CVE databases

SCA Best Practices

Recommended Practices

  • Automate scanning: Every commit and PR should go through SCA checks
  • Set severity thresholds: Block builds with critical/high vulnerabilities
  • Use lockfiles: package-lock.json, yarn.lock, Pipfile.lock for reproducible builds
  • Update regularly: Do not wait for critical CVEs, update preventively
  • Minimize dependencies: Fewer dependencies = smaller attack surface
  • Verify integrity: Use checksums and signed packages
  • Monitor production: Runtime monitoring for supply chain attacks
  • Create SBOMs: For every release and retain the history
  • Vendor security: Check a library's security track record before adding it
  • Private registry: Consider an internal Artifactory/Nexus for artifact control

Common SCA Mistakes

  • Ignoring false positives: Over time you will lose trust in the tool
  • No remediation process: SCA without action is pointless
  • Scanning only production deps: DevDependencies can also contain vulnerabilities
  • Automatic updates without tests: Breaking changes can break your application
  • Forgetting transitive dependencies: 70%+ of dependencies are transitive

SCA and Other DevSecOps Tools

SCA is just one layer of security testing. For comprehensive security, combine it with:

Tool What It Tests When to Use
SCA Vulnerabilities in dependencies Every commit, before adding a new dependency
SAST Vulnerabilities in your own code During development, in CI/CD
DAST Runtime vulnerabilities in a running application Staging/QA environment before production
Container Scanning Vulnerabilities in base images and layers Before pushing to registry, at runtime
IaC Security Misconfigurations in Terraform/CloudFormation Before applying infrastructure changes

Related Topics

SAST - Static Analysis

Testing the security of your own code before compilation. Complements SCA, which focuses on third-party dependencies.

DAST - Dynamic Testing

Runtime testing of a running application. Verifies whether vulnerabilities in your code and dependencies are exploitable.

Container Security

Securing Docker images and Kubernetes. Includes SCA scanning of base images and application dependencies in containers.