SCA Scans
Software Composition Analysis (SCA) is a critical part of application security focused on identifying vulnerabilities in third-party libraries and dependencies used throughout a codebase. Modern software development heavily relies on open-source components, which can introduce risks if not properly monitored. SCA tools help teams detect known vulnerabilities, license issues, and outdated components, ensuring that software remains secure and compliant.
When selecting an SCA tool, it's recommended to choose one that can output results using the OpenSSF OSV format. This standardized schema simplifies integration with other tools and platforms, improving automation and reporting across the vulnerability management lifecycle.
A common mistake in SCA practices is excluding vulnerabilities found in development dependencies under the assumption that they don't affect production environments. However, this approach can expose developer machines to serious threats. For example, the Wrangler vulnerability demonstrated how even non-production dependencies can be exploited to compromise local environments.
To ensure comprehensive security coverage, it's important to assess and address vulnerabilities across all dependencies, production and development alike.
Outcome
- SCA scans are executed on every contribution to the source code management (SCM) system and on a regular schedule.
- All findings are integrated into the vulnerability management program for centralized tracking and remediation.
- Vulnerability severity and priority are recalculated based on the project's criticality and risk profile.
- Developers receive immediate feedback on findings, ideally during pull request (PR) reviews within the SCM platform.
- Aim to use EPSS scores to help prioritize vulnerabilities based on their likelihood of exploitation in the wild.
- Implement reachability analysis to determine whether the vulnerable code is actually used in the application, helping reduce false positives and focus on actionable issues.
Metrics
Metrics for this topic are included in Vulnerability Management
Tools & Resources
- Google OSV-Scanner Client tool for OSV (Free)
- OWASP DepScan Project to find vulnerabilities in dependencies (free)
- Renovate Tool for dependency updates (Free)
- Devs.dev Insights about open source projects, includes OpenSSF scorecards (free)
- OSV Vulnerability database (Free)
- Dependabot Open source tool to find vulnerabilities in dependencies (Free)
- OpenSSF Scorecards Database with scorecards for open source (free)
- OWASP Dependency Track Tool to manage dependencies (Free)
- Datadog's malicious-software-packages-dataset (Free)
- Snyk SCA (Free/Paid)