Our website uses cookies to enhance your browsing experience.
to the top
close form

Fill out the form in 2 simple steps below:

Your contact information:

Step 1
Congratulations! This is your promo code!

Desired license type:

Step 2
Team license
Enterprise license
** By clicking this button you agree to our Privacy Policy statement
close form
Request our prices
New License
License Renewal
--Select currency--
* By clicking this button you agree to our Privacy Policy statement

close form
Free PVS‑Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

close form
To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

close form
I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

close form
check circle
Message submitted.

Your message has been sent. We will email you at

If you haven't received our response, please do the following:
check your Spam/Junk folder and click the "Not Spam" button for our message.
This way, you won't miss messages from our team in the future.

SCA (Software Composition Analysis)

SCA (Software Composition Analysis)

Sep 15 2023

SCA (Software Composition Analysis) is an analysis methodology for application components. The analysis enables detecting vulnerable components, security weaknesses, or licensing issues.

Why use SCA?

Companies tend to use more open-source components to expedite the development process. However, this can lead to security problems. A vulnerable component can become a potential entry point for malicious attacks.

The SCA solutions automatically analyze the application for open-source components. These tools detect vulnerable versions of components. In some cases, the SCA solutions can automatically fix or suggest to upgrade the component to a secure version. The SCA solutions can also inform users of license terms and restrictions, and notify them of deprecated dependencies.

A component may not contain vulnerabilities, but its dependencies may. To prevent such a scenario, the SCA tools analyze transitive dependencies too (for example, the dependencies of libraries used in an application).

The SCA solutions can detect vulnerabilities at both early and late stages of development. However, the earlier we introduce SCA into the development process the lower is the risk of reputational and financial problems. To enhance security through the detection of vulnerabilities and flaws, some tools provide both SCA and SAST functionality. For example, PVS-Studio for C# provides SCA.

An example of how SCA works

The test web project uses RestSharp, a client for REST API. The application gets data in JSON format, the handler receives the data string and parses it using the extension method from RestSharp:

public IActionResult Index(string jsonDate)
  DateTime dateTime = jsonDate.ParseJsonDate(CultureInfo.InvariantCulture);

  // do something

  return View();

The flaw lies in the ParseJsonDate function, which uses a vulnerable regular expression if the version of the RestSharp library is earlier than 106.11.7. This makes the entire application vulnerable to ReDoS attacks. You can look at this example in more detail in the article: "The risks of using vulnerable dependencies in your project, and how SCA helps manage them."

How SCA works

The SCA solutions analyze components of the application and their internal dependencies. These tools rely on open vulnerability databases such as CVE, NVD, etc. That's why SCA tools can identify the exact version of the component in use and any associated security weaknesses.

This happens in several steps:

  • The user runs the analysis with the SCA solution.
  • The SCA solution collects information about dependencies, components, and transitive dependencies. The tool compiles a Bill of Materials (BOM), a list of third-party components that are used in the application.
  • It searches for matches in the entire vulnerability database for all BOM components. If the SCA tool gets from the database all the necessary information about a flaw in the version of a component, it generates a corresponding message. In the same way, the tool checks for compliance with licensing terms and restrictions.
  • The SCA solution informs users about detected vulnerabilities, deprecated components, or licensing issues. It may generate a description of the defect, the component version affected, the CVE and CWE identifiers, the CVSS-based severities. The SCA solution can suggest fixes such as an update of a vulnerable component.

After detecting a vulnerable component, we can either upgrade it to a secure version, replace it with another component, or add necessary checks to the code. This topic is described in detail in the documentation for the V5625 diagnostic rule. It is an implementation of the SCA functionality in the PVS-Studio analyzer.

Popular related articles

Comments (0)

Next comments next comments
close comment form