Up to 90% of software today consists of third-party code. This includes proprietary code as well as free and open source software (FOSS). Even if an open source project is well-maintained, the version of its code you adopt into your development life cycle may not be up-to-date and may even contain known vulnerabilities.
The first step in managing a software supply chain is determining the bill of materials (BoM) of a product. The BoM is a list of all third-party components used in building the product, much like a list of ingredients. When you perform this type of analysis during the code check-in process, you can ensure that the product includes only appropriate, approved third-party components. Software composition analysis (SCA) tools identify the licenses associated with third-party components and can determine whether the BoM complies with the builder’s policy.
SCA tools such as Black Duck Binary Analysis from Synopsys can generate a bill of materials from source code analysis, binary analysis, or both. Once the BoM is available, Black Duck Binary Analysis finds all known vulnerabilities corresponding to the third-party components in the BoM. This is a quick and accurate method for understanding the risk associated with third-party components. Black Duck Binary Analysis also tracks vulnerability feeds and can alert you when a new vulnerability is reported against a component in your application’s BoM.
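The two checks described above, a license policy check over the BoM and a lookup of each component against a vulnerability feed, as an added illustration that is not Black Duck Binary Analysis or any Synopsys code. The BoM, the feed, the advisory ids (ADV-0001 and so on) and the allow-list are all constructed here; the feed is assumed to express affected ranges as an introduced version (inclusive) and a fixed version (exclusive).

```python
"""Minimal SCA pass: match a bill of materials against a vulnerability feed
and a license policy. All data below is constructed for illustration."""
from typing import Dict, List

# Constructed BoM: one entry per third-party component (name, version, license).
BOM = [
    {"name": "libfoo", "version": "1.4.2", "license": "MIT"},
    {"name": "libbar", "version": "2.0.9", "license": "GPL-3.0"},
    {"name": "libbaz", "version": "0.3.0", "license": "Apache-2.0"},
]

# Constructed vulnerability feed with hypothetical advisory ids. A range is
# [introduced, fixed): the fixed version itself is no longer affected.
VULN_FEED = [
    {"id": "ADV-0001", "component": "libfoo", "introduced": "1.0.0", "fixed": "1.5.0"},
    {"id": "ADV-0002", "component": "libfoo", "introduced": "1.4.3", "fixed": "1.4.4"},
    {"id": "ADV-0003", "component": "libbaz", "introduced": "0.1.0", "fixed": "0.3.0"},
]

# Constructed policy: licenses the builder permits in shipped products.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

def parse_version(v: str) -> tuple:
    """Turn 'major.minor.patch' into a tuple of ints so 1.10.0 > 1.9.9."""
    return tuple(int(part) for part in v.split("."))

def is_affected(version: str, vuln: Dict[str, str]) -> bool:
    """True when introduced <= version < fixed."""
    ver = parse_version(version)
    return parse_version(vuln["introduced"]) <= ver < parse_version(vuln["fixed"])

def find_vulnerabilities(bom: List[dict], feed: List[dict]) -> Dict[str, List[str]]:
    """Map each BoM component to the advisory ids whose range covers its version."""
    hits: Dict[str, List[str]] = {}
    for comp in bom:
        for vuln in feed:
            if vuln["component"] == comp["name"] and is_affected(comp["version"], vuln):
                hits.setdefault(comp["name"], []).append(vuln["id"])
    return hits

def license_violations(bom: List[dict], allowed: set) -> List[str]:
    """Names of components whose license is not on the builder's allow-list."""
    return [c["name"] for c in bom if c["license"] not in allowed]

if __name__ == "__main__":
    print("vulnerable components:", find_vulnerabilities(BOM, VULN_FEED))
    print("license violations:", license_violations(BOM, ALLOWED_LICENSES))
```

Running the same pass again after the feed is refreshed is the alerting step the text mentions: a new entry in VULN_FEED that covers a pinned version shows up as a new hit without any change to the BoM.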