Software Composition Analysis (SCA) 

Hello!! Application Security Analyst @Qualys I am Pratiksha Dhone 

Software Composition Analysis is the process of automating the visibility into open source software use for risk management, security and license compliance. Introduction 

Component Involve in SCA Component Analysis Common Risk Factor Content Tools and Technique used to conduct SCA Use of Software Bill of Material in SCA 

Application consist of 

Component Analysis is the process of identifying potential areas of risk from the use of third-party and open-source software and hardware components. Component Analysis 

Common Risk Factors - Component Inventory - Component Age - Outdated Components - Known Vulnerability - Component Type - Component Function - Component Quantity - Repository Trust - Pedigree - License - Inherited Risk - Project Health 

Use of Software Bill of Material in SCA • CPE Product Dictionary Version 2.3: cpe:2.3:a:pivotal_software:spring_framework:3.0.0:-:*:*:*:*:*:* • Package URL specification scheme:type/namespace/name@version?qualifiers#subpath 

Jenkins Tools and Technique used to conduct SCA Maven/Gra dle Dependency Track Dependency Check IntelliJ IDEA 

How SCA Work 

Steps Involved in SCA 

No content

No content

No content

No content

No content

No content

No content

No content

No content

https://owasp.org/www-community/Component_Analysis Dependency Check: https://jeremylong.github.io/DependencyCheck/ Credits & References Dependency Track: https://dependencytrack.org/ https://dzone.com/articles/the-benefits-of-software-composition-analysis Jenkins: https://jenkins.io/ https://www.youtube.com/watch?v=wuqk-J1aFeQ https://github.com/security-prince/MavenDependencyCheck Big thanks to Ishaq Mohammed 

Any questions? Thanks!