Course: AppSec, Privacy & License Compliance

Dependencies AppSec: SBOM and SCA.

Modern applications rely heavily on third-party components—open-source libraries, frameworks, and transitive dependencies. This introduces a hidden attack surface that can easily be overlooked. To manage this risk, two essential practices come into play: Software Composition Analysis (SCA) and Software Bill of Materials (SBOM).

Software Bill of Materials (SBOM)

An SBOM is a complete inventory of all software components and dependencies in an application. Think of it as the “ingredient list” for your software. It includes:

  • Component names and versions
  • Licenses (if included)
  • Dependency relationships

SBOMs enable faster incident response during zero-day disclosures, help prove compliance, and are becoming a legal requirement in sectors like critical infrastructure and government contracting.

Once you have extracted the SBOM, you match it against a vulnerability database such as NVD, which is essentially a very long list of every dependency name and version known to have a vulnerability. The intersection between your SBOM and that list is the SCA result. SCA can also carry additional information, such as license data.

Software Composition Analysis (SCA)

SCA is the process of identifying and evaluating vulnerabilities in all third-party components in your codebase. SCA tools automatically:

  • Detect known vulnerabilities in dependencies (based on CVE databases)
  • Flag outdated or unmaintained libraries
  • Trace transitive dependencies that bring hidden risks
  • Provide remediation suggestions (e.g., version upgrades)

By integrating SCA into CI/CD pipelines, teams can catch risky dependencies early and reduce exposure from the software supply chain.
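To make the "SBOM intersected with a vulnerability list" idea concrete, here is an added example (not the course's own code) that loads a constructed CycloneDX-style SBOM, matches its components against a constructed advisory list with placeholder ids, and reports each hit together with its license and the transitive dependency path from the application root. The JSON keys follow CycloneDX naming; the component names, versions and advisories are invented for illustration.

```python
import json

# Constructed CycloneDX-style SBOM: components, licenses and dependency relationships.
SBOM_JSON = """{
  "components": [
    {"name": "app",          "version": "1.0.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "webframework", "version": "2.3.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "parserlib",    "version": "0.9.4", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "cryptoutil",   "version": "4.1.0", "licenses": [{"license": {"id": "MIT"}}]}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["webframework", "cryptoutil"]},
    {"ref": "webframework", "dependsOn": ["parserlib"]}
  ]
}"""

# Constructed advisory list (placeholder ids, not real CVEs): affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-0001", "name": "parserlib",  "introduced": "0.9.0", "fixed": "0.9.5"},
    {"id": "ADV-0002", "name": "cryptoutil", "introduced": "3.0.0", "fixed": "4.0.0"},
]

def vtuple(version):
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))

def affected(version, introduced, fixed):
    """True when version lies in the half-open range [introduced, fixed)."""
    return vtuple(introduced) <= vtuple(version) < vtuple(fixed)

def dependency_path(deps, node, target, path=()):
    """Depth-first walk of the SBOM graph; returns the path root -> ... -> target."""
    if node in path:          # guard against cyclic dependency graphs
        return None
    path = path + (node,)
    if node == target:
        return list(path)
    for child in deps.get(node, []):
        found = dependency_path(deps, child, target, path)
        if found:
            return found
    return None

def run_sca(sbom_json, advisories, root="app"):
    """Intersect SBOM components with the advisory list; each hit becomes an SCA finding."""
    sbom = json.loads(sbom_json)
    comps = {c["name"]: c for c in sbom["components"]}
    deps = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    findings = []
    for adv in advisories:
        comp = comps.get(adv["name"])
        if comp and affected(comp["version"], adv["introduced"], adv["fixed"]):
            findings.append({
                "id": adv["id"], "component": comp["name"], "version": comp["version"],
                "license": [l["license"]["id"] for l in comp.get("licenses", []) if "license" in l],
                "path": dependency_path(deps, root, comp["name"]),   # transitive chain
                "remediation": f"upgrade to >= {adv['fixed']}",
            })
    return findings
```

Running `run_sca(SBOM_JSON, ADVISORIES)` yields one finding: parserlib 0.9.4 is reached transitively via webframework, while cryptoutil 4.1.0 sits outside its advisory range and is not reported.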

Next in This Chapter:

  • What’s SCA?
  • How to read an SCA finding?
  • What’s SBOM?
  • How to read an SBOM item?