Dependency & Container Security

Software Composition Analysis (SCA)


Modern applications are built on mountains of open-source dependencies: a typical Node.js project pulls in 500+ packages once transitive dependencies are counted. Each one is code you run but did not write, and any of them can carry a vulnerability.

The Supply Chain Risk

Your App (the only code you wrote)
    └── express (NPM package)
        └── body-parser
            └── raw-body
                └── iconv-lite
                    └── safer-buffer  ← Vulnerability here affects your app

Key statistics:

  • 96% of codebases contain open-source components
  • 84% of codebases have at least one vulnerability
  • Average project has 500+ dependencies (direct + transitive)
  • Log4Shell (CVE-2021-44228) affected 35,000+ Java packages on Maven Central

What SCA Does

Software Composition Analysis scans your dependencies to find:

Finding type                 | Example                             | Risk
-----------------------------|-------------------------------------|---------
Known vulnerabilities (CVEs) | Log4j remote code execution         | Critical
Outdated dependencies        | React 16.x (current: 18.x)          | Medium
License compliance           | GPL-3.0 in a commercial product     | Legal
Malicious packages           | ua-parser-js compromise (Oct 2021)  | Critical
Abandoned projects           | No updates in 2+ years              | Medium

How SCA Works

┌─────────────┐     ┌──────────────┐     ┌─────────────┐
│ Manifest    │ ──▶ │ SCA Engine   │ ──▶ │   Report    │
│ package.json│     │              │     │             │
│ Pipfile     │     │ ┌──────────┐ │     │ CVE-2024-XX │
│ go.mod      │     │ │ Vuln DB  │ │     │ License: GPL│
│ Cargo.toml  │     │ └──────────┘ │     │ Outdated: 5 │
└─────────────┘     └──────────────┘     └─────────────┘

SCA tools:

  1. Parse your dependency manifest files
  2. Resolve the full dependency tree (including transitive)
  3. Query vulnerability databases (NVD, OSV, vendor DBs)
  4. Report findings with remediation advice
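The four steps above, as an added example (not code from the page or from any real SCA tool): a minimal SCA engine that parses a lockfile, resolves the transitive tree, matches every resolved package against an advisory database, and reports each hit together with the dependency path that pulls it in. The lockfile, the advisory IDs (`EXAMPLE-2024-...`) and their version ranges are constructed for the example; the advisory shape is a simplified stand-in for an OSV record.

```python
"""Minimal SCA engine: lockfile -> transitive tree -> advisory match -> report.
Everything below is constructed example data, not a real lockfile or real CVEs."""
from collections import deque

# Constructed lockfile: name -> (resolved version, direct requirements).
# A flattened stand-in for package-lock.json; versions are illustrative.
LOCKFILE = {
    "app": ("1.0.0", ["express"]),
    "express": ("4.18.2", ["body-parser"]),
    "body-parser": ("1.20.1", ["raw-body"]),
    "raw-body": ("2.5.1", ["iconv-lite"]),
    "iconv-lite": ("0.4.24", ["safer-buffer"]),
    "safer-buffer": ("2.1.2", []),
}

# Constructed advisory DB in a simplified OSV-like shape. IDs and ranges are
# made up; real OSV records carry lists of ranges and introduced/fixed events.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "ecosystem": "npm", "package": "safer-buffer",
     "introduced": "0", "fixed": "2.1.3", "severity": "HIGH"},
    {"id": "EXAMPLE-2024-0002", "ecosystem": "npm", "package": "express",
     "introduced": "4.0.0", "fixed": "4.18.0", "severity": "MEDIUM"},
]


def parse_version(s):
    """'4.18.2' -> (4, 18, 2). Pre-release and build tags are dropped for brevity."""
    core = s.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def is_affected(version, advisory):
    """Half-open range check, the convention OSV uses: introduced <= v < fixed."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def resolve_tree(lockfile, root):
    """BFS from the root, recording the shortest path to every transitive package.
    The 'seen' check also stops cycles, which real npm trees can contain."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        name = queue.popleft()
        for dep in lockfile[name][1]:
            if dep not in paths:
                paths[dep] = paths[name] + [dep]
                queue.append(dep)
    return paths


def scan(lockfile, advisories, root):
    """Match every resolved package against the advisory DB and build the report."""
    paths = resolve_tree(lockfile, root)
    findings = []
    for name, path in paths.items():
        version = lockfile[name][0]
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv):
                findings.append({
                    "id": adv["id"], "package": name, "version": version,
                    "severity": adv["severity"], "fixed_in": adv["fixed"],
                    "path": " > ".join(path),
                    # The direct dependency you actually control is the one to bump.
                    "direct_dep": path[1] if len(path) > 1 else name,
                })
    return findings


if __name__ == "__main__":
    for f in scan(LOCKFILE, ADVISORIES, "app"):
        print(f"{f['severity']:6} {f['id']} {f['package']}@{f['version']} "
              f"(fixed in {f['fixed_in']}) via {f['path']}; bump {f['direct_dep']}")
```

The path is the part of the report practitioners use most: `safer-buffer` is five levels deep and not something you can pin directly, so the remediation is to bump `express` (or override the transitive version) until the resolved `safer-buffer` is at or past the fixed version. The `express` advisory does not fire because 4.18.2 is at or past its fixed version, which is exactly the half-open range semantics a scanner must get right.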

Vulnerability Databases

Database           | Coverage                                                              | Access
-------------------|-----------------------------------------------------------------------|------------
NVD (NIST)         | CVEs across all software, with CVSS scoring                           | Public
OSV (Google)       | Open-source packages, keyed by ecosystem and affected version range   | Public
GitHub Advisory DB | Curated advisories for npm, PyPI, Maven, Go, RubyGems and other package ecosystems | Public
Snyk DB            | Public advisories plus Snyk's own proprietary research                | Snyk users
VulnDB             | Commercial vulnerability intelligence                                 | Paid

SBOM: Software Bill of Materials

An SBOM lists every component in your software:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {
      "type": "library",
      "name": "express",
      "version": "4.18.2",
      "purl": "pkg:npm/express@4.18.2",
      "licenses": [{ "license": { "id": "MIT" }}]
    }
  ]
}

Why SBOMs matter:

  • Incident response: when a new CVE drops, search the SBOMs you already have instead of rebuilding every project to find out what it contains
  • Compliance: US Executive Order 14028 made SBOMs part of the requirements for software sold to the US federal government
  • Supply chain transparency: Know what's in your software
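The incident-response use above, as an added example (not code from the page, Syft, Trivy or CycloneDX): load a CycloneDX document, index its components by package URL (purl), and ask whether a freshly published advisory hits anything in it. The SBOM below is constructed; the Log4Shell range is simplified to a single `introduced`/`fixed` pair (the real advisory lists several ranges), and the `affected_by` advisory shape is an assumption for the example.

```python
"""'Are we affected?' from a CycloneDX SBOM: index components by purl, then
match an advisory's package and version range against the index.
The SBOM document and advisory shapes are constructed for this example."""
import json
from urllib.parse import unquote

# Constructed CycloneDX 1.5 document mixing npm and Maven components.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "express", "version": "4.18.2",
     "purl": "pkg:npm/express@4.18.2"},
    {"type": "library", "name": "safer-buffer", "version": "2.1.2",
     "purl": "pkg:npm/safer-buffer@2.1.2"},
    {"type": "library", "group": "@types", "name": "node", "version": "18.11.9",
     "purl": "pkg:npm/%40types/node@18.11.9"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"}
  ]
}"""


def parse_purl(purl):
    """pkg:<type>/[<namespace>/]<name>@<version> -> (type, namespace, name, version).
    Qualifiers (?...) and subpath (#...) are stripped; namespace and name are
    percent-decoded, so a scoped npm package '%40types' comes back as '@types'."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    ptype, _, rest = body.partition("/")
    path, sep, version = rest.rpartition("@")
    if not sep:                      # no version component at all
        path, version = version, None
    parts = [unquote(p) for p in path.split("/")]
    namespace = "/".join(parts[:-1]) or None
    return ptype, namespace, parts[-1], version


def load_components(sbom_json):
    """Index components as (type, namespace, name) -> [versions]."""
    index = {}
    for comp in json.loads(sbom_json).get("components", []):
        if "purl" not in comp:
            continue                 # CycloneDX allows purl-less components; nothing to match on
        ptype, ns, name, version = parse_purl(comp["purl"])
        index.setdefault((ptype, ns, name), []).append(version)
    return index


def parse_version(s):
    """'2.14.1' -> (2, 14, 1); pre-release/build tags dropped for brevity."""
    return tuple(int(p) for p in s.split("-", 1)[0].split("+", 1)[0].split("."))


def affected_by(index, advisory):
    """Return the SBOM versions that fall inside the advisory's half-open range.
    advisory keys (assumed shape): ecosystem, namespace (optional), name, introduced, fixed."""
    key = (advisory["ecosystem"], advisory.get("namespace"), advisory["name"])
    lo, hi = parse_version(advisory["introduced"]), parse_version(advisory["fixed"])
    return [v for v in index.get(key, []) if lo <= parse_version(v) < hi]


# Log4Shell, with the range simplified to one pair (the real advisory lists several).
LOG4SHELL = {"id": "CVE-2021-44228", "ecosystem": "maven",
             "namespace": "org.apache.logging.log4j", "name": "log4j-core",
             "introduced": "2.0.0", "fixed": "2.15.0"}

if __name__ == "__main__":
    hits = affected_by(load_components(SBOM_JSON), LOG4SHELL)
    print(f"{LOG4SHELL['id']}: {'AFFECTED ' + str(hits) if hits else 'not affected'}")
```

Matching on the purl rather than on the bare `name` field is the point: `name` alone cannot distinguish `@types/node` from some other `node`, or a Maven artifact from an npm package of the same name, while the purl carries ecosystem, namespace and version in one string.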

Generate SBOMs with:

# Using Syft: scan the current directory, emit CycloneDX JSON
# (newer Syft releases also accept `syft scan` in place of `syft packages`)
syft packages . -o cyclonedx-json > sbom.json

# Using Trivy: filesystem scan of the current directory, CycloneDX output
# (--output keeps the SBOM separate from Trivy's own log lines)
trivy fs --format cyclonedx --output sbom.json .

SCA vs SAST: Different Targets

Aspect          | SAST                       | SCA
----------------|----------------------------|--------------------------------------------------------
Scans           | Your own code              | Third-party dependencies
Finds           | Code-level flaws           | Known CVEs, plus license and maintenance issues
Input           | Source files               | Manifest and lock files
False positives | Higher (pattern matching)  | Lower for the match itself, but a matched CVE may sit in code your app never calls
Remediation     | Fix the code               | Update or replace the dependency

Next, we'll dive into Snyk, a widely used SCA tool for dependency scanning.
