OpenSource Risk Experts
Map your blast radius

SCA ADVISORY

Software composition analysis advisory.

Software composition analysis advisory turns the raw output of an SCA tool into a defensible license risk picture. We tune the scan, resolve the false positives, and rank what is left by exposure, so the report drives decisions rather than adding to a backlog. Relicensed projects surface as risk before they become findings.

Request SCA advisory

Why a tool alone is not enough

A software composition analysis tool is good at one thing: listing the components in your software and the license declared for each. What it cannot do is tell you which of those findings actually matter for your deployment, which are noise, and which represent a project that has quietly changed terms. Most teams that run an SCA tool end up with a long report and no clear next move. Software composition analysis advisory closes that gap. We interpret the output against how you really run the software, so the report becomes a decision rather than a queue.

Catching the relicensing events your scan can miss

A component you adopted under a permissive license may now carry a restrictive one. Unless your scan is configured to notice, it can keep reporting the original license long after the project has moved. We tune detection so the recent wave of relicensing events surfaces correctly. HashiCorp moved Terraform, Vault, Consul, Nomad, and Packer to the Business Source License 1.1 as of August 2023. Redis moved to a dual Redis Source Available License and Server Side Public License model as of March 2024. Elasticsearch and Kibana moved to the Server Side Public License and Elastic License in 2021, and MongoDB moved to the Server Side Public License in 2018. Source available is not the same as open source, and a scan that still reports the old license hides real exposure.
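As an added illustration (not the firm's tooling, and not the output format of any real SCA product), a small Python overlay that takes constructed scan findings, flags the projects listed above whose reported license may be stale or is already source available, and ranks them by how the component is actually deployed. The finding fields, the exposure tiers and the pre-change licenses (MPL-2.0, BSD-3-Clause, Apache-2.0, AGPL-3.0) are this example's own additions.

```python
"""Post-process constructed SCA findings against the relicensing events listed above."""

# Relicensing events as stated on the page: project -> (license the project carried
# before the change, license it moved to, when). The pre-change licenses are this
# example's addition; the new licenses and dates are the page's.
RELICENSED = {
    "terraform": ("MPL-2.0", "BUSL-1.1", "August 2023"),
    "vault": ("MPL-2.0", "BUSL-1.1", "August 2023"),
    "consul": ("MPL-2.0", "BUSL-1.1", "August 2023"),
    "nomad": ("MPL-2.0", "BUSL-1.1", "August 2023"),
    "packer": ("MPL-2.0", "BUSL-1.1", "August 2023"),
    "redis": ("BSD-3-Clause", "RSALv2 / SSPL-1.0", "March 2024"),
    "elasticsearch": ("Apache-2.0", "SSPL-1.0 / Elastic-2.0", "2021"),
    "kibana": ("Apache-2.0", "SSPL-1.0 / Elastic-2.0", "2021"),
    "mongodb": ("AGPL-3.0", "SSPL-1.0", "2018"),
}

# Assumed exposure tiers: how the component is really run, highest exposure first.
EXPOSURE = {"shipped": 3, "hosted-service": 2, "internal": 1, "dev-only": 0}


def assess(finding):
    """Return (rank, status, note) for one finding dict, or None if it is noise."""
    project = finding["name"].lower()
    if project not in RELICENSED:
        return None  # not a relicensed project: nothing for this overlay to add
    old, new, when = RELICENSED[project]
    weight = EXPOSURE[finding["exposure"]]
    if finding["license"] == old:
        # Scan still reports the pre-change license: either a genuinely old
        # version or a stale detection. Needs a version check before it is trusted.
        note = f"{project}: scan reports {old}; project moved to {new} {when}"
        return (weight + 1, "stale-declaration", note)
    # Scan already reports the post-change terms: confirmed source-available exposure.
    return (weight + 2, "source-available", f"{project}: confirmed {new} since {when}")


def rank_findings(findings):
    """Keep only relicensed projects and order them highest exposure first."""
    ranked = []
    for finding in findings:
        result = assess(finding)
        if result is not None:
            ranked.append((finding["name"].lower(), *result))
    return sorted(ranked, key=lambda row: row[1], reverse=True)


FINDINGS = [  # constructed sample scan output, not from any real tool
    {"name": "terraform", "license": "MPL-2.0", "exposure": "dev-only"},
    {"name": "redis", "license": "BSD-3-Clause", "exposure": "hosted-service"},
    {"name": "mongodb", "license": "SSPL-1.0", "exposure": "shipped"},
    {"name": "lodash", "license": "MIT", "exposure": "shipped"},
]

if __name__ == "__main__":
    for name, rank, status, note in rank_findings(FINDINGS):
        print(f"[{rank}] {status:18} {note}")
```

On the sample input the shipped MongoDB build ranks first, the hosted Redis with a stale BSD declaration second, and the dev-only Terraform last, while lodash is dropped as noise.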

What the advisory delivers

You receive a cleaned and ranked findings report, a written interpretation of the highest risk items, and a recommended action for each. We can also stand up a repeatable scanning process wired into your pipelines, so a future relicense is caught at intake rather than in an audit. We are independent and buyer side, paid only by you. We do not sell an SCA product, so the recommendation reflects your risk and nothing we are trying to renew.

Where this fits

Software composition analysis advisory is one engagement within our full set of open source license risk services and a core part of the open source governance and SBOM discipline. To understand the underlying license families, see the pillar on the Redis and Elastic database license changes and the broader pattern of relicensing exposure. For worked examples, read our case studies.

COMMON QUESTIONS

Questions buyers ask.

What is software composition analysis advisory?

Software composition analysis advisory turns the raw output of an SCA tool into a defensible license risk picture. We tune the scan, resolve false positives, and rank findings by exposure, so the report drives decisions rather than adding to a backlog.

How is advisory different from running an SCA tool?

A tool lists components and flags licenses. Advisory interprets that list against your actual deployment, separates the noise from the exposure, and tells you which findings matter and what to do about them. The tool reports. The advisory decides.

Does this catch relicensed projects like HashiCorp and Redis?

Yes. We configure detection so projects that have changed terms, such as HashiCorp on the Business Source License as of August 2023 and Redis on the Server Side Public License as of March 2024, surface as license risk rather than passing as the open license you first adopted.

Is the advisory independent?

Yes. We are independent and buyer side, paid only by you. We do not sell an SCA product, so the recommendation reflects your risk and not a license we are trying to renew.

Is this legal advice?

No. This is commercial and licensing risk advisory, not legal advice. For interpretation of license terms and compliance, we recommend your own counsel.

CONTAINMENT

Turn your scan into a decision.

A confidential open source license risk assessment. Independent, buyer side, paid only by you.

Not ready to talk? Read the free open source license risk guides first.

Independent, confidential, buyer side. See how buyers contained their exposure →