Dependency & Container Security
Software Composition Analysis (SCA)
3 min read
Modern applications are built on mountains of open-source dependencies. A typical Node.js project has 500+ transitive dependencies. Each one is a potential vulnerability.
The Supply Chain Risk
Your App (100% your code)
└── express (NPM package)
└── body-parser
└── raw-body
└── iconv-lite
└── safer-buffer ← Vulnerability here affects your app
Key statistics:
- 96% of codebases contain open-source components
- 84% of codebases have at least one vulnerability
- Average project has 500+ dependencies (direct + transitive)
- Log4Shell (CVE-2021-44228) affected 35,000+ packages
What SCA Does
Software Composition Analysis scans your dependencies to find:
| Finding Type | Example | Risk |
|---|---|---|
| Known Vulnerabilities (CVEs) | Log4j remote code execution | Critical |
| Outdated Dependencies | React 17.x (current: 19.x) | Medium |
| License Compliance | GPL-3.0 in commercial project | Legal |
| Malicious Packages | ua-parser-js compromise | Critical |
| Abandoned Projects | No updates in 2+ years | Medium |
How SCA Works
┌─────────────┐ ┌──────────────┐ ┌─────────────┐
│ Manifest │ ──▶ │ SCA Engine │ ──▶ │ Report │
│ package.json│ │ │ │ │
│ Pipfile │ │ ┌──────────┐ │ │ CVE-2024-XX │
│ go.mod │ │ │ Vuln DB │ │ │ License: GPL│
│ Cargo.toml │ │ └──────────┘ │ │ Outdated: 5 │
└─────────────┘ └──────────────┘ └─────────────┘
SCA tools:
- Parse your dependency manifest files
- Resolve the full dependency tree (including transitive)
- Query vulnerability databases (NVD, OSV, vendor DBs)
- Report findings with remediation advice
Vulnerability Databases
| Database | Coverage | Access |
|---|---|---|
| NVD (NIST) | Comprehensive CVEs | Public |
| OSV (Google) | Open source focused | Public |
| GitHub Advisory | GitHub ecosystem | Public |
| Snyk DB | Curated + proprietary | Snyk users |
| VulnDB | Commercial intelligence | Paid |
SBOM: Software Bill of Materials
An SBOM lists every component in your software:
{
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"components": [
{
"type": "library",
"name": "express",
"version": "4.18.2",
"purl": "pkg:npm/express@4.18.2",
"licenses": [{ "license": { "id": "MIT" }}]
}
]
}
Why SBOMs matter:
- Incident response: Quickly check if you're affected by new CVEs
- Compliance: Required by US Executive Order 14028 for government software
- Supply chain transparency: Know what's in your software
Generate SBOMs with:
# Using Syft
syft packages . -o cyclonedx-json > sbom.json
# Using Trivy
trivy fs --format cyclonedx . > sbom.json
SCA vs SAST: Different Targets
| Aspect | SAST | SCA |
|---|---|---|
| Scans | Your code | Third-party code |
| Finds | Code vulnerabilities | Known CVEs |
| Input | Source files | Manifest files |
| False positives | Higher | Lower (CVE is CVE) |
| Remediation | Fix code | Update dependency |
Next, we'll dive into Snyk—the most popular SCA tool for dependency scanning. :::