Software composition analysis (SCA)
All dependencies used in a system can have known vulnerabilities. These are often registered as Common Vulnerabilities and Exposures (CVE), a system to register and classify software security defects. By using a source compositioning tool, dependencies can checked for CVEs and action can be taken depending on the information uncovered. This process is often known as Source Compositioning Analysis.
A SCA-tool will analyze all dependencies and notify you of its findings.
- Snyk Open Source (Python, Java, JavaScript, C#, Go, Docker, ++)
- Mend Bolt
- Dependency-Track
- pip-audit (Python)
- npm audit (JavaScript)
- clair (Docker)
Be aware that these tools require a defined process to ensure that discovered vulnerabilities are managed and addressed, and that findings are analyzed for impact to the system. In many cases simply upgrading to a more recent version of the library will be easier than analyzing how a vulnerability affects a system, so this should be explored as an initial response. Some tools can automate this process, allowing the team to review the result before approving the automated pull request.
The following is a list of tools which will notify you when new versions of dependencies are found, and which can be configured to automatically upgrade the dependencies:
- Mend Renovate (Python, Java, JavaScript, C#, Go, ++)
- Dependabot (Github) (Python, Java, JavaScript, C#, Go, ++)