Posted by Synopsys Editorial Team on September 1, 2016
Up to 90 percent of the code in software today is third-party code, both proprietary components and free and open source software (FOSS). Even when an open source project is well maintained, the version you adopt into your development lifecycle may lag behind upstream and may carry known vulnerabilities.
The first step in managing a software supply chain is determining a product's bill of materials (BoM): the list of every third-party component used to build it, much like a list of ingredients. Performing this analysis at code check-in lets the process enforce that only approved third-party components enter the product. Software Composition Analysis (SCA) tools identify the licenses associated with third-party components and can determine whether the BoM complies with the builder's policy.
SCA tools such as Protecode from Synopsys can generate a BoM from source code analysis, binary analysis, or both. Binary analysis matters because vendored or statically linked components never appear in a dependency manifest. Once the BoM is available, Protecode finds the known vulnerabilities that correspond to each third-party component in it. This is a quick and accurate way to understand the risk that third-party components carry. Protecode also tracks vulnerability feeds and can alert when a new vulnerability is reported against a component in the BoM, so a component that was clean at check-in is still flagged when a vulnerability is disclosed later.
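The check-in gate and the vulnerability matching described above, as an added example that is not Protecode's or Synopsys's code: it builds a BoM from a pinned requirements-style manifest, fails the check-in when a component's license is missing or outside the allowed set, matches each component against a feed of advisories with introduced/fixed version ranges, and diffs findings against an updated feed to raise the alerts the last paragraph describes. The manifest, license table, component names and advisory IDs are all constructed placeholders, not real packages or real advisories.

```python
"""Added example, not Protecode or Synopsys code: generate a bill of
materials (BoM) from a dependency manifest, gate it against a license
policy at check-in, and match each component against a vulnerability
feed that carries version ranges.  Every input below is constructed for
this example; the component names, licenses and advisory IDs are
fictional placeholders, not real packages or real advisories."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed manifest in requirements.txt style.  Only pinned (==)
# versions are accepted; an unpinned entry cannot be matched against
# a vulnerability range, so build_bom rejects it.
MANIFEST = """\
# constructed sample manifest
fastjsonlib==2.3.1
netclient==0.9.0
imgcodec==1.4.7
tinyyaml==0.2.0
"""

# Constructed license metadata (what an SCA tool would look up).
# tinyyaml is deliberately absent to show the fail-closed path.
LICENSES: Dict[str, str] = {
    "fastjsonlib": "MIT",
    "netclient": "GPL-3.0",
    "imgcodec": "BSD-2-Clause",
}
ALLOWED_LICENSES: Set[str] = {"MIT", "BSD-2-Clause", "Apache-2.0"}

# Constructed vulnerability feed: (advisory id, component, introduced, fixed).
# A version is affected when introduced <= version < fixed.
Advisory = Tuple[str, str, str, str]
FEED: List[Advisory] = [
    ("EXAMPLE-2016-001", "fastjsonlib", "2.0.0", "2.3.2"),
    ("EXAMPLE-2016-002", "fastjsonlib", "1.0.0", "2.0.0"),
    ("EXAMPLE-2016-003", "imgcodec", "1.5.0", "1.5.3"),
]
# The same feed after a later (constructed) disclosure affecting imgcodec 1.4.7.
FEED_UPDATED: List[Advisory] = FEED + [
    ("EXAMPLE-2016-004", "imgcodec", "1.0.0", "1.4.8"),
]

REQUIREMENT = re.compile(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)")


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    spdx: Optional[str]  # None when the license is unknown


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; pre-release tags, epochs and
    distro suffixes need a scheme-aware comparator in real tooling."""
    return tuple(int(part) for part in v.split("."))


def build_bom(manifest: str) -> List[Component]:
    """Parse a pinned manifest into BoM entries with looked-up licenses."""
    bom: List[Component] = []
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = REQUIREMENT.fullmatch(line)
        if m is None:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        name, version = m.groups()
        bom.append(Component(name, version, LICENSES.get(name)))
    return bom


def license_violations(bom: List[Component], allowed: Set[str]) -> List[str]:
    """Fail closed: an unknown license is a violation, not a pass."""
    return [c.name for c in bom if c.spdx not in allowed]


def find_vulnerabilities(bom: List[Component],
                         feed: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Every (component, version, advisory) whose range covers the pinned version."""
    hits: List[Tuple[str, str, str]] = []
    for c in bom:
        v = parse_version(c.version)
        for adv_id, name, introduced, fixed in feed:
            if name == c.name and parse_version(introduced) <= v < parse_version(fixed):
                hits.append((c.name, c.version, adv_id))
    return hits


def check_in_gate(manifest: str, feed: List[Advisory] = FEED,
                  allowed: Set[str] = ALLOWED_LICENSES) -> bool:
    """True when the change may be merged: policy-clean BoM and no known vulns."""
    bom = build_bom(manifest)
    return not license_violations(bom, allowed) and not find_vulnerabilities(bom, feed)


def new_alerts(bom: List[Component], old_feed: List[Advisory],
               new_feed: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Advisories that match the BoM now but did not when it was last checked."""
    before = set(find_vulnerabilities(bom, old_feed))
    return [h for h in find_vulnerabilities(bom, new_feed) if h not in before]


if __name__ == "__main__":
    bom = build_bom(MANIFEST)
    print("license violations:", license_violations(bom, ALLOWED_LICENSES))
    print("known vulns:", find_vulnerabilities(bom, FEED))
    print("new alerts after feed update:", new_alerts(bom, FEED, FEED_UPDATED))
```

Two design choices are worth noting. The license check fails closed: a component whose license cannot be determined blocks the check-in rather than passing silently, which is the only safe default for a policy gate. And the version comparison is deliberately naive (dotted integers only); real ecosystems have pre-release tags, epochs and distro-specific suffixes, so production tooling needs a comparator for each packaging scheme. A manifest-based BoM like this one also misses vendored or statically linked code, which is the gap binary analysis fills.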