As leaders in software composition analysis (SCA), we know its role throughout today’s software supply chain.
SCA was born out of necessity. How else could innovators discover, identify, and track open source software (OSS) components within their applications? SCA may be best known for tracking capabilities, such as adherence to license requirements (e.g., “you can use this code, just buy me a beer”). Others value it for identifying security vulnerabilities inherent in open source projects (“Red alert! Red alert!”). Yet, the technology can do far more than that.
Our product suite helps developers and security professionals at every stage of software development. Our tools locate, manage, and protect the best quality open source software components.
Of these capabilities, which is most critical?
To find out, we commissioned 451 Research, a global research firm, to evaluate the case for SCA. The report, Software Composition Analysis: Getting to the Signal Through the Noise, written by Scott Crawford, Research Director, is revealing.
The report identifies precision as the most important element an SCA tool must master. By 451’s measure, Sonatype excels in this domain. Precision ensures secure software development from concept through delivery. Consider:
Here are three precision-related characteristics found in Sonatype’s elite SCA management tools:
Nexus Intelligence uses proprietary natural language processing to provide in-depth vulnerability data beyond public databases such as the NVD. This means:
Scanning manifest files (“as Declared”) does not identify the true risk, because an “as Declared” scan does not analyze the dependencies actually embedded in the build. This leaves room for intended and unintended changes between what was declared and what reaches production.
Nexus scans post-build artifacts, including binaries (“as Deployed”). Our Advanced Binary Fingerprinting (ABF) reveals the truth about third-party risk with in-depth visibility. Scanning “as Deployed”:
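The “as Declared” versus “as Deployed” gap described above, shown as an added illustration (not Sonatype’s code, and not how ABF itself works): it inventories the Maven components actually bundled inside a built JAR via the pom.properties entries that shaded jars leave behind, then compares them with what the manifest declared. All coordinates, versions and the JAR itself are constructed sample data.

```python
import io
import re
import zipfile

# Constructed sample: what the build manifest (e.g. a pom.xml) declares.
DECLARED = {("org.example", "http-client"): "2.1.0",
            ("org.example", "json-parser"): "1.4.2"}

POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def build_sample_jar() -> bytes:
    """Constructed shaded JAR whose bundled libraries left pom.properties
    behind: a transitive compress-lib the manifest never mentions, and a
    json-parser version that differs from the declared one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for group, artifact, version in [
            ("org.example", "http-client", "2.1.0"),
            ("org.example", "json-parser", "1.3.9"),
            ("org.example", "compress-lib", "0.9.1"),
        ]:
            jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                         f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
        jar.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")  # placeholder class
    return buf.getvalue()


def deployed_components(jar_bytes: bytes) -> dict:
    """'As Deployed' inventory: every Maven component actually bundled."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not POM_PROPS.match(name):
                continue
            props = dict(line.split("=", 1)
                         for line in jar.read(name).decode().splitlines()
                         if "=" in line and not line.startswith("#"))
            found[(props["groupId"], props["artifactId"])] = props["version"]
    return found


def compare(declared: dict, deployed: dict) -> dict:
    """What an 'as Declared' manifest scan would miss."""
    undeclared = sorted(k for k in deployed if k not in declared)
    drift = sorted((k, declared[k], deployed[k]) for k in deployed
                   if k in declared and declared[k] != deployed[k])
    return {"undeclared": undeclared, "version_drift": drift}
```

A real pipeline would feed the output into policy (block the build on an undeclared or vulnerable component) rather than merely reporting it.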
Nexus Platform breaks down siloed security tools. This reduces risk and potential costs, with seamless policy governance across the entire software lifecycle. This end-to-end approach offers: