Software Composition Analysis

Software Composition Analysis (SCA) is a term used to classify tools and services that help organisations build an inventory of the open source software components, libraries and frameworks that developers use to build an application. The inventory profiles the attributes of each of these components and should include:

  • Licensing and copyright information
    • What is the licence of the components and libraries used in software development, e.g. AGPLv3 or Apache 2.0?
  • Security vulnerability information
    • Are there any known vulnerabilities in the components and libraries used in software development, e.g. published on the National Vulnerability Database (NVD)?
  • Operational information
    • How well supported are the components and libraries used in software development? What is the commit history? Are there later versions of the component?

Most discussions related to Software Composition Analysis revolve around tools that scan code. Indeed, the market for Software Composition Analysis tools is growing: there is now a Forrester Wave™ for Software Composition Analysis, published in 2017.

Tools alone will not deliver an end-to-end solution for an organisation. Whether the driver for the project is licence compliance, a security focus such as DevSecOps, or both, the data still needs interpretation. Misinterpretation can create more confusion.

For instance, Software Composition Analysis tools generally flag copyleft licences such as the GNU GPL as high risk, which is a fundamentally flawed assumption. There are many business models where copyleft is the best model and therefore not a risk to an organisation.

We use data from Software Composition Analysis tools to feed our services, such as Continuous Compliance, where we integrate a Software Composition Analysis tool into an organisation's DevOps or SecDevOps process.

Software Composition Analysis for SecDevOps

In our OpenChain conformance service we use SCA tools to provide the data, artefacts and reporting required for full OpenChain conformance. These include a Bill of Materials, licence notices and, where possible, SPDX identifiers.
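As an added illustration of the three attribute groups an SCA inventory carries (licensing, known vulnerabilities, operational status), of why a licence rating should depend on the deployment model rather than on "copyleft = high risk", and of the Bill of Materials with SPDX identifiers mentioned above, here is a small Python script. It is example code written for this page, not the tooling of any vendor or of OpenChain. The component list, the advisory feed and the advisory ids (EXAMPLE-ADV-…) are constructed placeholders, and the licence policy encoded in rate_licence is an assumed, illustrative one that a real organisation would replace with its own.

```python
"""Build a minimal SCA-style inventory from a constructed component list:
SPDX licence ids, a deployment-aware licence rating, a lookup against a
constructed advisory table, and an out-of-date check."""

# --- Constructed sample input (not real packages or advisories) ---------------
# What a resolved manifest or lock file might yield: name, pinned version,
# SPDX licence identifier (None = not declared) and newest known version.
COMPONENTS = [
    {"name": "example-http-client", "version": "2.3.1", "license": "Apache-2.0", "latest": "2.4.0"},
    {"name": "example-cli-parser", "version": "1.0.0", "license": "GPL-3.0-only", "latest": "1.0.0"},
    {"name": "example-db-driver", "version": "0.9.2", "license": "AGPL-3.0-only", "latest": "1.2.0"},
    {"name": "example-yaml", "version": "5.1", "license": "MIT", "latest": "6.0"},
    {"name": "example-legacy-util", "version": "0.3", "license": None, "latest": "0.3"},
]

# Constructed advisory feed keyed by component name. The ids are placeholders
# shaped like NVD entries, not real CVEs; "fixed_in" is the first unaffected version.
ADVISORIES = {
    "example-yaml": [{"id": "EXAMPLE-ADV-0001", "fixed_in": "5.4", "severity": "HIGH"}],
    "example-http-client": [{"id": "EXAMPLE-ADV-0002", "fixed_in": "2.0.0", "severity": "MEDIUM"}],
}

# --- Licence policy (assumed, illustrative) -----------------------------------
# Copyleft is not a risk by itself: GPL-family obligations are triggered by
# distribution, AGPL additionally by network use. The rating therefore depends
# on how the organisation deploys the application, not on the licence alone.
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only"}
NETWORK_COPYLEFT = {"AGPL-3.0-only"}
DEPLOYMENTS = ("internal", "saas", "distributed")


def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def rate_licence(spdx_id, deployment):
    """Return 'ok', 'review' or 'unknown' under the assumed policy above."""
    if deployment not in DEPLOYMENTS:
        raise ValueError(f"unknown deployment model: {deployment}")
    if not spdx_id:
        return "unknown"  # nothing declared: a human has to look
    if spdx_id in NETWORK_COPYLEFT and deployment in ("saas", "distributed"):
        return "review"
    if spdx_id in COPYLEFT and deployment == "distributed":
        return "review"
    return "ok"


def known_vulnerabilities(name, version, advisories):
    """Ids of advisories whose fixed_in version is newer than the pinned version."""
    pinned = parse_version(version)
    return [a["id"] for a in advisories.get(name, []) if pinned < parse_version(a["fixed_in"])]


def build_inventory(components, advisories, deployment):
    """Profile each component on the three attribute groups an SCA inventory carries."""
    inventory = []
    for c in components:
        inventory.append({
            "name": c["name"],
            "version": c["version"],
            "license": c["license"] or "NOASSERTION",  # SPDX value for an undeclared licence
            "license_rating": rate_licence(c["license"], deployment),
            "vulnerabilities": known_vulnerabilities(c["name"], c["version"], advisories),
            "outdated": parse_version(c["version"]) < parse_version(c["latest"]),
        })
    return inventory


def bom_lines(inventory):
    """Plain-text bill of materials: one 'name version licence' line per component."""
    return [f'{e["name"]} {e["version"]} {e["license"]}' for e in inventory]


def needs_attention(inventory):
    """Names of components a reviewer should look at first, sorted for stable output."""
    return sorted(e["name"] for e in inventory
                  if e["vulnerabilities"] or e["license_rating"] != "ok")


if __name__ == "__main__":
    for model in DEPLOYMENTS:
        inv = build_inventory(COMPONENTS, ADVISORIES, model)
        print(f"deployment={model}: attention -> {needs_attention(inv)}")
    print("\n".join(bom_lines(build_inventory(COMPONENTS, ADVISORIES, "internal"))))
```

Running it shows the point of the policy: the same GPL-licensed component is "ok" for an internal deployment and "review" only when the application is distributed, while the constructed advisory against example-yaml and the undeclared licence of example-legacy-util surface for every deployment model. A real pipeline would replace the two constructed tables with the output of an SCA scanner and a live advisory feed.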

If an organisation has already invested in SCA tools, we will endeavour to leverage the data from that technology. If there is no SCA tool, we help them define the criteria for the tool that offers the best value for the solution they are looking to implement.

SCC SBOM


For UK public sector organisations, the Cloud Economics Assessment is available through the G-Cloud 11 procurement framework. Find out more at link...

For more information, contact us.