
SCA (Software Composition Analysis)

A methodology that identifies and assesses the security risks of open-source and third-party components used in an application.

Tags: methodology, supply chain, dependencies

Software Composition Analysis (SCA) identifies the open-source libraries, frameworks, and components used in an application and assesses them for known security vulnerabilities, license compliance issues, and code quality risks. SCA tools maintain databases of known vulnerabilities (linked to CVEs) for popular packages and alert developers when they're using affected versions.

Modern applications rely heavily on open-source components — a typical Node.js application may have hundreds or thousands of dependencies in its node_modules directory. SCA addresses the supply chain risk by monitoring not just direct dependencies but also transitive dependencies (dependencies of dependencies).

SCA is essential because many significant breaches have exploited known vulnerabilities in open-source components (e.g., Log4Shell in Apache Log4j, Equifax breach via Apache Struts). Regular SCA scanning in CI/CD pipelines catches vulnerable dependencies before deployment.
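To make the transitive-dependency point concrete, here is an added example (not APVISO's code and not the code of any real SCA tool): a minimal scanner in Python that walks a constructed npm lockfile, records the chain through which each package is pulled in, and matches installed versions against a constructed advisory list. The package names and advisory ids are invented placeholders, and the version parser assumes plain numeric semver with no pre-release tags.

```python
import json
# Constructed npm lockfile fragment (lockfileVersion 3 layout: flat "packages" map
# keyed by node_modules path; "" is the app itself). Package names are invented.
LOCKFILE = json.loads("""{
  "packages": {
    "": {"dependencies": {"web-framework": "^4.0.0"}},
    "node_modules/web-framework": {"version": "4.2.1", "dependencies": {"template-engine": "^1.0.0"}},
    "node_modules/template-engine": {"version": "1.3.0", "dependencies": {"string-utils": "^2.0.0"}},
    "node_modules/string-utils": {"version": "2.0.4"}
  }
}""")

# Constructed advisory feed: package -> [(first fixed version, advisory id)].
# Versions below the fix are affected. Ids are placeholders, not real CVEs.
ADVISORIES = {
    "string-utils": [("2.1.0", "CVE-PLACEHOLDER-0001")],
    "web-framework": [("4.0.3", "CVE-PLACEHOLDER-0002")],
}

def parse_version(v):
    """'MAJOR.MINOR.PATCH' -> int tuple so versions compare numerically (no pre-release tags)."""
    return tuple(int(part) for part in v.split("."))

def resolve_tree(lock):
    """Walk from the root's direct deps through each package's own deps; record each chain."""
    pkgs, chains = lock["packages"], {}
    stack = [(dep, [dep]) for dep in pkgs[""].get("dependencies", {})]
    while stack:
        name, chain = stack.pop()
        if name in chains:          # shared/hoisted package already recorded
            continue
        chains[name] = chain
        for child in pkgs.get(f"node_modules/{name}", {}).get("dependencies", {}):
            stack.append((child, chain + [child]))
    return chains

def find_vulnerable(lock, advisories):
    """Match every installed package, direct or transitive, against advisories."""
    pkgs, findings = lock["packages"], []
    for name, chain in resolve_tree(lock).items():
        version = pkgs.get(f"node_modules/{name}", {}).get("version")
        if version is None:         # declared but not installed: nothing to check
            continue
        for fixed, adv_id in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed):
                findings.append({"package": name, "version": version, "advisory": adv_id,
                                 "fixed_in": fixed, "direct": len(chain) == 1,
                                 "chain": " > ".join(chain)})
    return findings
```

Running it flags only string-utils, a third-level transitive dependency the application never declared, which is exactly the case a lockfile-aware SCA scan catches and a scan of direct dependencies alone would miss.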

How APVISO tests for this: APVISO's recon agent identifies externally visible technology fingerprints and known-vulnerable component versions. While dedicated SCA tools provide deeper dependency analysis, APVISO validates from the attacker's perspective which vulnerable components are actually exposed and exploitable.
