sca-security
Install command:

```shell
npx skills add https://github.com/hardw00t/ai-security-arsenal --skill sca-security
```
Skill documentation
# Software Composition Analysis (SCA)

This skill enables comprehensive analysis of software dependencies for known vulnerabilities, license compliance, and supply chain risks using tools such as Snyk, OWASP Dependency-Check, Trivy, Grype, and ecosystem-specific scanners.

## When to Use This Skill

This skill should be invoked when:

- Scanning project dependencies for known vulnerabilities
- Generating and analyzing a Software Bill of Materials (SBOM)
- Checking license compliance for open source components
- Auditing npm, pip, Maven, Cargo, or Go module dependencies
- Assessing supply chain security risks
- Integrating dependency scanning into CI/CD
## Trigger Phrases

- "scan dependencies for vulnerabilities"
- "check package security"
- "generate SBOM"
- "license compliance check"
- "audit npm packages"
- "supply chain security scan"
## Prerequisites

### Required Tools

| Tool | Purpose | Installation |
|---|---|---|
| Trivy | Multi-ecosystem vulnerability and SBOM scanner | `brew install trivy` |
| Grype | Vulnerability scanner (pairs with Syft SBOMs) | `brew install grype` |
| Syft | SBOM generator | `brew install syft` |
| OWASP Dependency-Check | Multi-ecosystem scanner, strongest on Java/.NET; needs an NVD API key for usable database updates | Download the CLI from the GitHub releases page |
| Snyk CLI | Commercial scanner (free tier available) | `npm install -g snyk` |
| npm audit | Node.js native | Built into npm |
| pip-audit | Python packages | `pip install pip-audit` |
| cargo audit | Rust crates | `cargo install cargo-audit` |
| OSV-Scanner | Google OSV database | `go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest` |
## Quick Start Workflow

1. **Identify the package ecosystem** from the manifest and lockfile present:
   - Node.js (package.json, package-lock.json, yarn.lock)
   - Python (requirements.txt, Pipfile.lock, poetry.lock)
   - Java (pom.xml, build.gradle)
   - .NET (packages.config, *.csproj)
   - Rust (Cargo.lock)
   - Go (go.mod, go.sum)
   - Ruby (Gemfile.lock)
   - PHP (composer.lock)
2. **Generate an SBOM**
   - Use Syft for a comprehensive inventory
   - Export in CycloneDX or SPDX format so other tools can consume it
3. **Scan for vulnerabilities**
   - Run Trivy or Grype against the SBOM or the directory
   - Cross-check with the ecosystem's native tool (npm audit, pip-audit, cargo audit, govulncheck)
4. **Analyze licenses**
   - Extract license information from the SBOM
   - Check it against the organization's license policy
5. **Remediate**
   - Upgrade vulnerable packages
   - Replace deprecated or unmaintained dependencies
   - Document accepted risks with an owner and a review date
6. **Integrate into CI/CD**
   - Add scanning to the pipeline
   - Set failure thresholds
   - Generate reports
## SBOM Generation

### Syft SBOM Creation

```shell
# Scan a directory
syft dir:/path/to/project

# Scan a container image
syft nginx:latest

# Output formats
syft dir:. -o json > sbom.json                      # Syft's native JSON
syft dir:. -o cyclonedx-json > sbom-cyclonedx.json
syft dir:. -o spdx-json > sbom-spdx.json
syft dir:. -o table

# Scan a single manifest or lockfile
syft file:package-lock.json
syft file:requirements.txt

# Include file metadata
syft dir:. -o json --file-metadata
```

### CycloneDX Native Tools

```shell
# Node.js
npx @cyclonedx/cyclonedx-npm --output-file sbom.json

# Python (cyclonedx-bom 4.x CLI; also accepts `requirements`, `poetry`, `pipenv` sub-commands)
pip install cyclonedx-bom
cyclonedx-py environment -o sbom.json

# Java/Maven
mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom

# .NET: -o is an output directory, -j switches from the default XML to JSON
dotnet tool install --global CycloneDX
dotnet CycloneDX project.csproj -o sbom/ -j

# Go
go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
cyclonedx-gomod mod -json > sbom.json
```
## Vulnerability Scanning

### Trivy Dependency Scanning

```shell
# Scan a filesystem for vulnerabilities (lockfiles, manifests, OS packages)
trivy fs /path/to/project

# Scan a specific file, vulnerability scanner only
trivy fs --scanners vuln package-lock.json

# Filter by severity
trivy fs --severity HIGH,CRITICAL .

# Output formats
trivy fs -f json -o results.json .
trivy fs -f sarif -o results.sarif .
trivy fs -f table .

# Ignore vulnerabilities that have no upstream fix yet
trivy fs --ignore-unfixed .

# Non-zero exit code on findings, for CI gates
trivy fs --exit-code 1 --severity CRITICAL .

# Scan an existing SBOM (CycloneDX or SPDX)
trivy sbom sbom.json
```

### Grype Scanning

```shell
# Scan a directory
grype dir:/path/to/project

# Scan an SBOM produced by Syft
grype sbom:./sbom.json

# Output formats
grype dir:. -o json > results.json
grype dir:. -o table
grype dir:. -o cyclonedx > results-sbom.xml   # XML; use -o cyclonedx-json for JSON

# Fail (non-zero exit) at or above a severity
grype dir:. --fail-on high

# Only report vulnerabilities that have a fix
grype dir:. --only-fixed
```

### OSV-Scanner

```shell
# Scan a directory recursively
osv-scanner -r /path/to/project

# Scan a specific lockfile
osv-scanner --lockfile package-lock.json

# Scan an SBOM
osv-scanner --sbom sbom.json

# Output formats
osv-scanner -r . --format json > results.json
osv-scanner -r . --format table

# Call analysis (Go only, v1 flag): drops advisories whose vulnerable function is never reached
osv-scanner -r --experimental-call-analysis .
```

### OWASP Dependency-Check

```shell
# Basic scan
dependency-check --project "MyProject" --scan /path/to/project

# Supply an NVD API key (here from $NVD_API_KEY); without one NVD downloads are heavily rate-limited
dependency-check --project "MyProject" --scan . --nvdApiKey "$NVD_API_KEY"

# Multiple report formats
dependency-check --project "MyProject" --scan . \
  --format HTML --format JSON --out reports/

# Fail the build at or above a CVSS score
dependency-check --project "MyProject" --scan . \
  --failOnCVSS 7

# Update the local NVD database only
dependency-check --updateonly

# Suppress reviewed false positives
dependency-check --project "MyProject" --scan . \
  --suppression suppressions.xml
```
## Ecosystem-Specific Scanning

### Node.js / npm

```shell
# npm audit
npm audit
npm audit --json > audit.json
npm audit fix
npm audit fix --force   # May install breaking major versions; review the diff

# Yarn
yarn audit
yarn audit --json > audit.json

# pnpm
pnpm audit
pnpm audit --json > audit.json

# Snyk
snyk test
snyk test --json > snyk.json
snyk monitor   # Snapshot the project for continuous monitoring
```

### Python

```shell
# pip-audit (advisory data from the PyPA advisory database via OSV)
pip-audit
pip-audit -r requirements.txt
pip-audit -f json -o audit.json
pip-audit --fix   # Auto-upgrade affected packages; review the resulting diff

# Safety (PyUp.io); `safety check` is deprecated in Safety 3.x in favour of `safety scan`
pip install safety
safety check
safety check -r requirements.txt --json > safety.json

# Bandit is static analysis of your own Python code, not a dependency scanner; run it alongside SCA
bandit -r . -f json -o bandit.json

# Snyk
snyk test --file=requirements.txt
```

### Java / Maven

```shell
# OWASP Dependency-Check Maven plugin
mvn org.owasp:dependency-check-maven:check

# SpotBugs (with the find-sec-bugs plugin) is static analysis of your own bytecode, not SCA
mvn com.github.spotbugs:spotbugs-maven-plugin:check

# Snyk
snyk test --file=pom.xml
snyk test --all-projects   # Multi-module builds

# Gradle (requires the org.owasp.dependencycheck plugin in the build)
./gradlew dependencyCheckAnalyze
```

### Go

```shell
# govulncheck (official): only reports vulnerabilities in functions your code actually reaches
go install golang.org/x/vuln/cmd/govulncheck@latest
govulncheck ./...

# Nancy (Sonatype)
go install github.com/sonatype-nexus-community/nancy@latest
go list -json -deps ./... | nancy sleuth

# Snyk
snyk test --file=go.mod
```

### Rust

```shell
# cargo-audit (RustSec advisory database)
cargo install cargo-audit
cargo audit
cargo audit --json > audit.json

# cargo-deny (licenses + advisories + banned crates, configured in deny.toml)
cargo install cargo-deny
cargo deny check

# Snyk CLI has no Cargo support; for a second opinion run Trivy, Grype or OSV-Scanner against Cargo.lock
```

### Ruby

```shell
# bundler-audit
gem install bundler-audit
bundle-audit check
bundle-audit check --update   # Refresh the ruby-advisory-db first

# Snyk
snyk test --file=Gemfile.lock
```

### .NET

```shell
# Built-in vulnerability listing (NuGet advisories); include transitive packages
dotnet list package --vulnerable --include-transitive

# Snyk
snyk test --file=project.csproj

# OWASP Dependency-Check
dependency-check --project "DotNetProject" --scan . \
  --enableExperimental
```

### PHP

```shell
# Composer audit (Composer 2.4+)
composer audit

# Symfony CLI, which bundles the Local PHP Security Checker
symfony security:check

# Snyk
snyk test --file=composer.lock
```
## License Compliance

### License Detection

```shell
# Syft: per-component license info from the SBOM
syft dir:. -o json | jq '.artifacts[].licenses'

# licensee (GitHub): detects the license of the repository itself, not of its dependencies
gem install licensee
licensee detect .

# license-checker (npm): per-dependency licenses, with an allowlist (semicolon-separated)
npx license-checker --json > licenses.json
npx license-checker --onlyAllow 'MIT;Apache-2.0;BSD-3-Clause'

# pip-licenses (Python); --fail-on matches the full license names it reports, separated by ';'
pip install pip-licenses
pip-licenses --format=json > licenses.json
pip-licenses --fail-on "GNU General Public License v3 (GPLv3)"
```
### License Categories

```markdown
## Permissive (Generally Safe)
- MIT
- Apache 2.0
- BSD-2-Clause / BSD-3-Clause
- ISC
- Unlicense

## Copyleft (Requires Review)
- GPL v2 / v3
- LGPL v2.1 / v3
- AGPL v3
- MPL 2.0 (file-level copyleft)

## Restrictive / Commercial
- Proprietary
- Commercial
- Source-available

## Unknown / Custom
- Requires manual review
- May need legal consultation
```
### License Policy Enforcement

```yaml
# .licensepolicy.yaml: illustrative, tool-agnostic policy; map it onto your scanner's own config
allowed:
  - MIT
  - Apache-2.0
  - BSD-2-Clause
  - BSD-3-Clause
  - ISC
denied:
  - GPL-2.0
  - GPL-3.0
  - AGPL-3.0
exceptions:
  - package: some-gpl-package
    license: GPL-2.0
    reason: "Used only at build time, not distributed"
```
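The Quick Start steps 2 to 5 (SBOM, vulnerability scan, license analysis, documented accepted risks) and the policy file above describe a gate but never show one. The script below is an added example, not one of this skill's bundled scripts: it reads a CycloneDX SBOM and a vulnerability report, applies the allow/deny/exception policy, enforces a severity threshold, and honours accepted-risk ignores only until their expiry date. The SBOM, the vulnerability report and the `IGNORES` map are constructed inline; the report uses a Grype-like `matches[]` shape, which is an assumption about layout rather than a statement of any tool's exact schema. The CVEs and fix versions are the ones used in this page's report template.

```python
import json
from datetime import date
from typing import Optional

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "negligible": 0, "unknown": 0}

# Constructed CycloneDX SBOM fragment (the shape `syft -o cyclonedx-json` produces)
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "axios", "version": "0.21.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "some-gpl-package", "version": "1.0.0",
         "licenses": [{"license": {"id": "GPL-2.0"}}]},
        {"type": "library", "name": "mystery-lib", "version": "0.1.0",
         "licenses": []},  # no license metadata at all
    ]})

# Constructed vulnerability report in a Grype-like "matches" shape (assumed layout)
VULN_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2021-23337", "severity": "Critical",
                       "fix": {"versions": ["4.17.21"], "state": "fixed"}},
     "artifact": {"name": "lodash", "version": "4.17.20"}},
    {"vulnerability": {"id": "CVE-2021-3749", "severity": "High",
                       "fix": {"versions": ["0.21.2"], "state": "fixed"}},
     "artifact": {"name": "axios", "version": "0.21.1"}},
]})

# The .licensepolicy.yaml fragment above, as a dict
POLICY = {
    "allowed": ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"],
    "denied": ["GPL-2.0", "GPL-3.0", "AGPL-3.0"],
    "exceptions": [{"package": "some-gpl-package", "license": "GPL-2.0",
                    "reason": "Used only at build time, not distributed"}],
}
# Accepted risks with an expiry (ISO dates), the way a .snyk ignore entry carries one
IGNORES = {"CVE-2021-3749": "2024-12-31"}


def component_licenses(comp: dict) -> list:
    """CycloneDX allows {'license': {'id'|'name'}} or {'expression': '...'} entries."""
    out = []
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {})
        ident = lic.get("id") or lic.get("name") or entry.get("expression")
        if ident:
            out.append(ident)
    return out


def check_licenses(sbom: dict, policy: dict) -> list:
    """One finding per component whose license is denied, unknown, or outside the allowlist."""
    excepted = {(e["package"], e["license"]) for e in policy["exceptions"]}
    findings = []
    for comp in sbom.get("components", []):
        ids = component_licenses(comp)
        if not ids:
            findings.append({"package": comp["name"], "license": None, "verdict": "unknown"})
            continue
        for lic in ids:
            if (comp["name"], lic) in excepted:
                continue  # documented exception
            if lic in policy["denied"]:
                findings.append({"package": comp["name"], "license": lic, "verdict": "denied"})
            elif lic not in policy["allowed"]:
                findings.append({"package": comp["name"], "license": lic, "verdict": "review"})
    return findings


def check_vulns(report: dict, threshold: str, ignores: dict, today: date) -> list:
    """Blocking findings: severity at or above the threshold and not covered by an unexpired ignore."""
    blocking = []
    for m in report["matches"]:
        v, a = m["vulnerability"], m["artifact"]
        sev = v["severity"].lower()
        if SEVERITY_RANK.get(sev, 0) < SEVERITY_RANK[threshold.lower()]:
            continue
        expiry = ignores.get(v["id"])
        if expiry is not None and today <= date.fromisoformat(expiry):
            continue  # accepted risk, still inside its review window
        fixes = v.get("fix", {}).get("versions") or []
        blocking.append({"id": v["id"], "package": a["name"], "version": a["version"],
                         "severity": sev, "fix": fixes[0] if fixes else None,
                         "action": "upgrade" if fixes else "mitigate/monitor",
                         "expired_ignore": expiry is not None})  # an ignore existed but lapsed
    return blocking


def gate(sbom_json: str, vuln_json: str, policy: dict, ignores: dict,
         threshold: str = "high", today: Optional[str] = None) -> dict:
    """Combine both checks; exit_code 1 means the pipeline should fail."""
    today_d = date.fromisoformat(today) if today else date.today()
    lic = check_licenses(json.loads(sbom_json), policy)
    vul = check_vulns(json.loads(vuln_json), threshold, ignores, today_d)
    fail = bool(vul) or any(f["verdict"] == "denied" for f in lic)
    return {"licenses": lic, "vulnerabilities": vul, "exit_code": 1 if fail else 0}


if __name__ == "__main__":
    result = gate(SBOM_JSON, VULN_JSON, POLICY, IGNORES, today="2024-01-01")
    print(json.dumps(result, indent=2))
    raise SystemExit(result["exit_code"])
```

Run as a script it exits 1 because lodash is Critical with a fix available while the axios ignore is still valid; re-run with a date after 2024-12-31 and the axios finding comes back with `expired_ignore` set, which is the behaviour you want from a "document accepted risks" step: exceptions lapse, they do not silently persist. Unknown licenses are reported for review but do not fail the gate; denied ones do.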
## Supply Chain Security

### Dependency Confusion Prevention

```markdown
## Checks
- [ ] Private registry configured and every internal package published there
- [ ] Scoped package names used for internal code (@company/package)
- [ ] Registry resolution enforced per scope; no "private first, then public" fallback
- [ ] Lock files committed and installs run strictly from them (npm ci, pip --require-hashes)
- [ ] Integrity hashes verified
```

npm resolves a scope to exactly one registry, so mapping the internal scope to the private registry keeps public packages from ever satisfying an internal name:

```ini
# .npmrc
# Unscoped packages come from npmjs.org; everything under @company resolves only from the private registry
registry=https://registry.npmjs.org/
@company:registry=https://npm.company.com/
```

pip offers no such priority: `index-url` and `extra-index-url` are merged and the highest version found on either index wins, so the "private first, public second" layout below is exactly the configuration dependency confusion exploits. Use a single private index that proxies and caches PyPI, and reserve internal names on PyPI if you cannot.

```ini
# pip.conf: VULNERABLE pattern, a public package with the same name and a higher version wins
[global]
index-url = https://pypi.company.com/simple/
extra-index-url = https://pypi.org/simple/
# Fix: drop extra-index-url and have pypi.company.com proxy PyPI, then pin with --require-hashes
```
### Typosquatting Detection

- Manual: compare every dependency name against the official package names you meant to install
- Automated tools:
  - Snyk monitors for typosquatting
  - Socket.dev detects suspicious packages and install-time behaviour
  - `npm diff` to compare a suspect package against the one you expected
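The two sections above list the checks (scoped names, registry mapping, integrity hashes, names close to well-known packages) without showing how to run them over a lockfile. The script below is an added example, not part of this skill: it walks a `package-lock.json`, flags names within two edits of a popular package, flags internal names that were installed unscoped or resolved from the wrong registry, reports entries with no `integrity` field, and checks a `pip.conf` for the merged-index pattern discussed above. The popular-package list, internal names, `@company` scope, `npm.company.com` host and the lockfile itself are all constructed for the example; the near-miss package names are made up and imply nothing about real packages.

```python
import json
import re

# Constructed reference list; in practice use your registry's top-N download list
POPULAR_NPM = {"lodash", "express", "react", "axios", "chalk", "commander", "debug", "request"}
INTERNAL_SCOPE = "@company"                    # assumed internal scope, as in the .npmrc above
INTERNAL_NAMES = {"billing-core", "auth-sdk"}  # assumed internal package names
PRIVATE_REGISTRY = "npm.company.com"           # assumed private registry host

# Constructed package-lock.json (lockfileVersion 3 layout); names and hashes are made up
LOCKFILE_JSON = json.dumps({"name": "demo", "lockfileVersion": 3, "packages": {
    "": {"name": "demo"},
    "node_modules/lodash": {"version": "4.17.21",
        "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        "integrity": "sha512-CONSTRUCTED"},
    "node_modules/lodahs": {"version": "0.0.1",
        "resolved": "https://registry.npmjs.org/lodahs/-/lodahs-0.0.1.tgz"},
    "node_modules/expres": {"version": "1.0.0",
        "resolved": "https://registry.npmjs.org/expres/-/expres-1.0.0.tgz"},
    "node_modules/billing-core": {"version": "2.3.0",
        "resolved": "https://registry.npmjs.org/billing-core/-/billing-core-2.3.0.tgz"},
    "node_modules/@company/auth-sdk": {"version": "1.0.0",
        "resolved": "https://npm.company.com/@company/auth-sdk/-/auth-sdk-1.0.0.tgz",
        "integrity": "sha512-CONSTRUCTED"},
}})

# Constructed pip.conf showing the merged-index pattern
PIP_CONF_RISKY = """[global]
index-url = https://pypi.company.com/simple/
extra-index-url = https://pypi.org/simple/
"""


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (a transposition costs 2, hence the threshold of 2 below)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lock_packages(lock: dict) -> dict:
    """name -> entry for lockfileVersion 2/3 'packages' keys (text after the last node_modules/)."""
    return {path.rsplit("node_modules/", 1)[-1]: entry
            for path, entry in lock.get("packages", {}).items() if path}


def audit_lockfile(lock_json: str, popular: set, scope: str, internal: set, registry: str) -> list:
    findings = []
    for name, entry in lock_packages(json.loads(lock_json)).items():
        resolved = entry.get("resolved", "")
        # 1. Typosquat candidate: not a known name, but within 2 edits of one
        if name not in popular and len(name) >= 5:
            dist, nearest = min((levenshtein(name, p), p) for p in popular)
            if dist <= 2:
                findings.append({"package": name, "kind": "typosquat-candidate",
                                 "detail": f"{dist} edit(s) from '{nearest}'"})
        # 2. Dependency confusion: an internal name installed unscoped, or a scoped internal
        #    package that resolved from somewhere other than the private registry
        if name in internal:
            findings.append({"package": name, "kind": "dependency-confusion",
                             "detail": f"internal name resolved unscoped from {resolved}"})
        elif name.startswith(scope + "/") and registry not in resolved:
            findings.append({"package": name, "kind": "dependency-confusion",
                             "detail": f"scoped package resolved from {resolved}"})
        # 3. No integrity hash: npm ci cannot verify the tarball it installs
        if "integrity" not in entry:
            findings.append({"package": name, "kind": "no-integrity",
                             "detail": "lock entry lacks an integrity field"})
    return findings


def pip_conf_confusable(text: str) -> bool:
    """pip merges index-url and extra-index-url and installs the highest version found on either,
    so a private index plus a public extra index is the layout dependency confusion abuses."""
    private_index = re.search(r"^\s*index-url\s*=\s*(?!https?://pypi\.org)", text, re.M) is not None
    public_extra = re.search(r"^\s*extra-index-url\s*=.*pypi\.org", text, re.M) is not None
    return private_index and public_extra


if __name__ == "__main__":
    for f in audit_lockfile(LOCKFILE_JSON, POPULAR_NPM, INTERNAL_SCOPE, INTERNAL_NAMES, PRIVATE_REGISTRY):
        print(f"{f['kind']:22} {f['package']:22} {f['detail']}")
    print("pip.conf confusable:", pip_conf_confusable(PIP_CONF_RISKY))
```

The edit-distance check is a triage filter, not a verdict: a hit means "open the package and compare it with `npm diff`", and a real deployment would seed `POPULAR_NPM` from download statistics rather than a hand-written set. The unscoped `billing-core` entry is the dependency-confusion case proper: the name exists internally but was fetched from the public registry.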
### Lockfile Integrity

```shell
# npm
npm ci                             # Clean install strictly from package-lock.json; fails if it disagrees with package.json
npm install --package-lock-only    # Update the lockfile without touching node_modules

# pip (pip-tools): emit hashes so installs can be pinned to exact artifacts
pip-compile --generate-hashes requirements.in
pip install --require-hashes -r requirements.txt

# Go: check the module cache against go.sum
go mod verify

# Cargo: refuse to modify Cargo.lock
cargo check --locked
```
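What `pip install --require-hashes` actually enforces is easy to state and worth seeing: every requirement must carry at least one `--hash=` option, and the downloaded artifact must match one of the listed digests. The script below is an added example, not part of this skill, that reproduces that rule over a constructed `requirements.txt` in `pip-compile --generate-hashes` style. The artifact bytes are constructed and the SHA-256 is computed from them, so the digest is self-consistent rather than a real PyPI value; `example-lib` and `unpinned-lib` are placeholder names.

```python
import hashlib
import re

# Constructed artifacts: the wheel as pinned, and a tampered copy
GOOD_ARTIFACT = b"constructed wheel contents v1"
TAMPERED_ARTIFACT = b"constructed wheel contents v1 + injected payload"
GOOD_SHA256 = hashlib.sha256(GOOD_ARTIFACT).hexdigest()

# Constructed requirements.txt; the second entry has no hash pin
REQUIREMENTS = f"""# constructed, pip-compile --generate-hashes style
example-lib==1.2.3 \\
    --hash=sha256:{GOOD_SHA256}
unpinned-lib==0.9.0
"""

REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>[^\s\\]+)(?P<rest>.*)$")
HASH_OPT = re.compile(r"--hash=(?P<algo>sha256|sha384|sha512):(?P<digest>[0-9a-fA-F]+)")


def parse_requirements(text: str) -> list:
    """Return [{'name', 'version', 'hashes': {algo: [digests]}}], honouring backslash continuations.
    Only exact '==' pins are handled; URL and editable requirements are skipped."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        if not line:
            continue
        if line.endswith("\\"):                # continuation: join with the next line
            buf += line[:-1] + " "
            continue
        logical.append(buf + line)
        buf = ""
    reqs = []
    for line in logical:
        m = REQ_LINE.match(line.strip())
        if not m:
            continue
        hashes = {}
        for h in HASH_OPT.finditer(m["rest"]):
            hashes.setdefault(h["algo"], []).append(h["digest"].lower())
        reqs.append({"name": m["name"], "version": m["version"], "hashes": hashes})
    return reqs


def verify_artifact(req: dict, data: bytes) -> tuple:
    """Mirror --require-hashes: refuse a requirement with no hash, and refuse an artifact whose
    digest matches none of the pinned values (one matching digest for any listed algorithm passes)."""
    if not req["hashes"]:
        return False, f"{req['name']}=={req['version']}: no --hash pin; --require-hashes would refuse it"
    for algo, digests in req["hashes"].items():
        if hashlib.new(algo, data).hexdigest() in digests:
            return True, f"{req['name']}: {algo} digest matches"
    return False, f"{req['name']}: digest mismatch, the artifact is not the one that was pinned"


def check_all(text: str, artifacts: dict) -> dict:
    """name -> pass/fail for every parsed requirement, given the bytes fetched for each."""
    return {r["name"]: verify_artifact(r, artifacts.get(r["name"], b""))[0]
            for r in parse_requirements(text)}


if __name__ == "__main__":
    for r in parse_requirements(REQUIREMENTS):
        for data in (GOOD_ARTIFACT, TAMPERED_ARTIFACT):
            print(verify_artifact(r, data)[1])
```

The point the two failure messages make is the one that matters operationally: hash pinning turns "the registry served something" into "the registry served the exact bytes reviewed when the lockfile was generated", and a single requirement without a hash disables the protection for the whole install, which is why pip refuses the mixed case outright.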
### Provenance & Signing

```shell
# npm provenance: publish from a CI runner with OIDC (GitHub Actions, GitLab CI) to attach a
# SLSA provenance attestation; consumers verify it with `npm audit signatures`
npm publish --provenance

# Sigstore / cosign: `cosign sign` is for container images; files need sign-blob / verify-blob.
# The identity and issuer below are placeholders for the signing workflow's OIDC identity.
cosign sign-blob --bundle package.bundle package.tar.gz
cosign verify-blob --bundle package.bundle \
  --certificate-identity "release@company.example" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  package.tar.gz

# Go module checksums
# Verified automatically against the sum.golang.org checksum database (GOSUMDB)

# Python
# PEP 458 (TUF for PyPI) is not deployed yet; PyPI does publish PEP 740 attestations for
# packages uploaded through Trusted Publishing
```
## CI/CD Integration

### GitHub Actions

```yaml
name: Dependency Scan
on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 0 * * *'   # Daily, so advisories published against unchanged code are still caught
permissions:
  contents: read
  security-events: write  # required by upload-sarif
jobs:
  trivy-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.28.0   # pin to a release or commit SHA, not @master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          severity: 'HIGH,CRITICAL'
          exit-code: '1'
          format: 'sarif'
          output: 'trivy-results.sarif'
      - name: Upload Trivy scan results
        if: always()   # still upload when the scan step failed the job
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
  npm-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm ci
      - run: npm audit --audit-level=high
  snyk-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Snyk
        uses: snyk/actions/node@master   # pin to a commit SHA in production
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high
```
### GitLab CI

```yaml
stages:
  - security

dependency-scan:
  stage: security
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]   # the image's entrypoint is `trivy`; clear it so the script runs in a shell
  script:
    # Fail the job and keep a machine-readable report. To surface results in GitLab's security
    # dashboard, render Trivy's GitLab template (--format template --template "@/contrib/gitlab.tpl")
    # and declare it under artifacts:reports:container_scanning instead of a plain path.
    - trivy fs --exit-code 1 --severity HIGH,CRITICAL -f json -o trivy-results.json .
  artifacts:
    when: always   # keep the report even when the scan fails the job
    paths:
      - trivy-results.json
  allow_failure: false

npm-audit:
  stage: security
  image: node:20
  script:
    - npm ci
    - npm audit --audit-level=high
  rules:
    - changes:
        - package*.json
```
### Pre-commit Hook

```yaml
# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: npm-audit
        name: npm audit
        entry: npm audit --audit-level=high
        language: system
        pass_filenames: false   # pre-commit would otherwise append the lockfile path as an argument
        files: package-lock.json
      - id: pip-audit
        name: pip-audit
        entry: pip-audit -r requirements.txt
        language: python
        additional_dependencies: [pip-audit]   # installed into the hook's own virtualenv
        pass_filenames: false
        files: requirements.txt
```
## Vulnerability Database Sources

### Primary Sources

| Database | URL | Coverage |
|---|---|---|
| NVD | nvd.nist.gov | CVEs (all) |
| GitHub Advisory Database | github.com/advisories | Multi-ecosystem; also backs `npm audit` |
| OSV | osv.dev | Multi-ecosystem aggregate |
| Snyk Vuln DB | snyk.io | Commercial |
| PyPA Advisory Database | github.com/pypa/advisory-database | Python (consumed by pip-audit via OSV) |
| RustSec | rustsec.org | Rust |
| Go Vulnerability Database | vuln.go.dev | Go |
### Updating Databases

```shell
# Trivy
trivy image --download-db-only

# Grype
grype db update

# OWASP Dependency-Check
dependency-check --updateonly

# OSV-Scanner
# Queries the osv.dev API at scan time; there is no local database to refresh by default
```
## Remediation Strategies

### Upgrade Path Analysis

```shell
# npm
npm outdated
npm update                   # within the semver ranges in package.json
npm install package@latest   # explicit upgrade across a major version

# pip
pip list --outdated
pip install --upgrade package

# Maven
mvn versions:display-dependency-updates

# Cargo
cargo update                 # within the ranges in Cargo.toml
cargo install cargo-outdated && cargo outdated
```
### Vulnerability Suppression

```xml
<!-- dependency-check suppression.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes>False positive - not using vulnerable feature</notes>
    <packageUrl regex="true">^pkg:npm/example-package@.*$</packageUrl>
    <cve>CVE-2021-XXXXX</cve>
  </suppress>
</suppressions>
```

```text
# .trivyignore
CVE-2021-XXXXX
CVE-2022-YYYYY
```

```yaml
# Snyk .snyk file
version: v1.5.0
ignore:
  SNYK-JS-EXAMPLE-123456:
    - '*':
        reason: 'Not exploitable in our usage'
        expires: 2024-12-31
```
### Remediation Checklist

```markdown
### For Each Vulnerability
- [ ] Verify the vulnerability applies to how the package is used
- [ ] Check whether a patch or upgrade is available
- [ ] Test upgrade compatibility
- [ ] Document the decision if accepting the risk
- [ ] Set a review date for anything left unresolved

### Priority Matrix
| Severity | Exploitable | Fix Available | Action |
|----------|-------------|---------------|--------|
| Critical | Yes | Yes | Immediate fix |
| Critical | Yes | No | Mitigate/Monitor |
| High | Yes | Yes | Fix within 7 days |
| High | No | Yes | Fix within 30 days |
| Medium | - | Yes | Fix within 90 days |
| Low | - | - | Document/Monitor |
```
## Reporting Template

```markdown
# Software Composition Analysis Report

## Executive Summary
- Project: [Name]
- Scan date: YYYY-MM-DD
- Total dependencies: X
- Direct dependencies: Y
- Transitive dependencies: Z
- Vulnerabilities: Critical (X) | High (Y) | Medium (Z) | Low (W)

## Vulnerability Summary

### Critical Vulnerabilities
| Package | Version | CVE | CVSS | Fix Version |
|---------|---------|-----|------|-------------|
| lodash | 4.17.20 | CVE-2021-23337 | 9.1 | 4.17.21 |

### High Vulnerabilities
| Package | Version | CVE | CVSS | Fix Version |
|---------|---------|-----|------|-------------|
| axios | 0.21.1 | CVE-2021-3749 | 7.5 | 0.21.2 |

## License Compliance

### License Distribution
| License | Count | Compliance |
|---------|-------|------------|
| MIT | 150 | Approved |
| Apache-2.0 | 45 | Approved |
| GPL-3.0 | 2 | Review Required |

### Flagged Packages
| Package | License | Action |
|---------|---------|--------|
| gpl-package | GPL-3.0 | Requires review |

## SBOM
Full SBOM attached in CycloneDX format.

## Recommendations
1. [P1] Upgrade lodash to 4.17.21
2. [P1] Upgrade axios to 0.21.2
3. [P2] Review GPL-licensed dependencies
4. [P3] Enable automated scanning in CI
```
## Bundled Resources

- `scripts/`
  - `scan_all.sh`: multi-ecosystem dependency scan
  - `sbom_generate.py`: SBOM generation automation
  - `license_check.py`: license compliance checking
- `references/`
  - `vulnerability_databases.md`: database source documentation
  - `license_guide.md`: license compatibility matrix
  - `remediation_guide.md`: upgrade strategies
- `checklists/`
  - `sca_audit.md`: SCA audit checklist
  - `supply_chain.md`: supply chain security checklist
  - `license_compliance.md`: license compliance checklist