OpenSource Risk Experts
Map your blast radius

GLOSSARY / DEFINITION

What is software composition analysis

Software composition analysis is the automated practice of identifying the open source components in a codebase and reporting their versions, vulnerabilities, and licenses. For an enterprise it is the workhorse that produces the inventory, and it is essential, but it is not the whole answer to license risk.

Definition

Software composition analysis, usually shortened to SCA, is the automated discovery of the open source and third party components inside a piece of software. An SCA tool scans a project, resolves its dependency tree, and reports what is present: the components, their versions, the known security vulnerabilities tied to those versions, and the license each component declares. It serves two purposes at once. On the security side it surfaces vulnerable components so they can be patched or replaced. On the license side it builds the inventory that license risk management depends on. The same scan that finds a vulnerable library also records that the library is, for example, under the GNU GPL or the Apache 2.0 license.

What an SCA tool finds

A capable SCA tool resolves the full tree, direct and transitive, rather than only the components a team declared. For each node it reports the version in use, matches it against vulnerability databases, and reads the declared license. The combined output is the foundation of a software bill of materials and the input to policy enforcement: a rule that blocks a build when a forbidden license appears, or flags a component when a critical vulnerability is published. Most SCA tools can emit the inventory directly in a standard format such as SPDX or CycloneDX, which is why the analysis and the bill of materials are so closely linked in practice.

Where it falls short on relicensing

SCA is strong at detection and weaker at judgment, and the relicensing wave sits in the gap. A tool reports the license a component declares, so once its database reflects a change it can flag that a component is now under the Business Source License or the Server Side Public License. What it does not do is tell you whether your specific use crosses the restriction those licenses impose, how far the change cascades through the components that depend on the relicensed one, or what the exposure costs in money and engineering time. Source available is not open source, and these licenses are not approved by the Open Source Initiative, but an SCA report treats a license string as a fact to record, not a situation to assess. The analysis that turns a flagged license into a sized, prioritized exposure is human work the tool supports rather than replaces. Treating an SCA pass as a complete license risk review is a common and costly mistake.

How it fits a license risk program

SCA is the right first instrument and the wrong last word. It produces the current, machine generated inventory that nothing else can match for breadth and speed, and it keeps that inventory fresh as the tree changes. The value comes from pairing it with analysis: reading the findings against your actual use, judging which flagged licenses create real exposure, and pricing the cost to cure. That pairing is the core of an open source license risk assessment, which uses the SCA output as a starting map and adds the judgment the tool does not provide.

Related reading

For the indirect components that SCA exists to surface, see what is a transitive dependency. For the function that turns these scans into a standing capability, read what is an open source program office. Both sit alongside the rest of our open source license risk glossary.

CONTAINMENT

Turn a scan into a sized exposure

An open source license risk assessment pairs composition analysis with the judgment that prices and prioritizes the findings. Independent, buyer side, paid only by you.

Not ready to talk? Read the free open source license risk guides first.

Start a risk assessment

COMMON QUESTIONS

Questions buyers ask.

What is software composition analysis?

Software composition analysis, often shortened to SCA, is the automated practice of identifying the open source and third party components in a codebase and reporting their versions, known security vulnerabilities, and licenses. SCA tools scan a project, resolve its dependency tree, and produce an inventory that supports both security and license risk management.

What does software composition analysis find?

An SCA tool finds the direct and transitive components in a build, the version of each, the known vulnerabilities associated with those versions, and the license each component declares. The output is the basis for a software bill of materials and for license and security policy enforcement.

Does software composition analysis catch relicensing risk?

Partly. SCA reports the license a component declares, so it can flag a copyleft or source available license once a tool's database reflects the change. It is weaker at the judgment around relicensing: whether your specific use crosses a Business Source License or Server Side Public License restriction, how the change cascades through the tree, and what the exposure costs. Those require analysis the tool does not perform.

Is SCA the same as a software bill of materials?

No, but they are closely linked. SCA is the process that discovers the components; a software bill of materials, or SBOM, is a structured document listing them. SCA tools commonly generate an SBOM in formats such as SPDX or CycloneDX, so the analysis produces the inventory the SBOM records.

Is this legal advice?

No. This is commercial and licensing risk advisory, not legal advice. For interpretation of how a component's license applies to your use, engage your own counsel.