Automated SCA is useful for an individual company monitoring and identifying its own use of open source components and frameworks. In a Business Impact Brief, 451 Research also detailed the use case for SCA in the M&A space. As young companies bring new applications to market rapidly, they rely on more and more open source. Diligent use of automated SCA can help these companies with vulnerability tracking, patch management, and license compliance. SCA tools are most successful when integrated directly into the development workflow, so that dev teams can mitigate open source risk without sacrificing speed.
But depending on which SCA tool the company uses, it might miss open source lurking in the code. A dependency scan is good at picking up declared open source, but open source that was not declared in the package manager, or that was brought in as a partial or modified component, may be missed completely. Further, open source can also make it into the code through copy-pasting of an open source code “snippet.” While this seems like a minor addition at the time, that code is still subject to the license obligations of the component it came from and needs to be surfaced in M&A due diligence.
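To make the gap concrete, here is an added example (not code from the page, from 451 Research, or from any SCA vendor) that runs two scans over a constructed target repository: a manifest scan that only knows what the package manager declares, and a content scan that fingerprints windows of normalized source lines against a small constructed knowledge base of components. The component names (`fancyretry`, `requests`), their licenses and their source text are all constructed for the example, and the line-window hashing is a deliberately simplified stand-in for the snippet-matching that commercial tools use, not any product's actual algorithm. The pasted snippet in `src/util/retry.py` has been re-indented and given an extra comment, which is exactly the kind of change that defeats naive exact matching but survives normalization.

```python
"""Manifest-only scan vs. content-fingerprint scan (constructed example)."""
import hashlib
import json
import re
from collections import defaultdict

K = 3          # consecutive normalized lines per fingerprint window
MIN_HITS = 2   # windows that must match before a file is reported

# Constructed target repo: one declared dependency and one pasted snippet
# that never appears in any manifest.
TARGET_MANIFEST = {"requests": "2.31.0"}
TARGET_FILES = {
    "src/util/retry.py": (
        "import time\n"
        "def retry(fn, attempts=3):\n"
        "  # pasted from the hypothetical 'fancyretry' project, re-indented\n"
        "  for i in range(attempts):\n"
        "    try:\n"
        "      return fn()\n"
        "    except Exception:\n"
        "      time.sleep(2 ** i)\n"
        "  raise RuntimeError('gave up')\n"
    ),
    "src/app.py": "import requests\n\ndef fetch(u):\n    return requests.get(u).text\n",
}

# Constructed knowledge base: component -> license and a sample of its source.
KNOWN_COMPONENTS = {
    "fancyretry": {
        "license": "MIT",
        "text": (
            "def retry(fn, attempts=3):\n"
            "    for i in range(attempts):\n"
            "        try:\n"
            "            return fn()\n"
            "        except Exception:\n"
            "            time.sleep(2 ** i)\n"
            "    raise RuntimeError('gave up')\n"
        ),
    },
    "requests": {
        "license": "Apache-2.0",
        "text": (
            "def get(url, params=None, **kwargs):\n"
            "    kwargs.setdefault('allow_redirects', True)\n"
            "    return request('get', url, params=params, **kwargs)\n"
        ),
    },
}


def normalize(text):
    """Collapse whitespace and drop blank or comment-only lines so that a
    re-indented or annotated copy fingerprints the same as the original."""
    out = []
    for raw in text.splitlines():
        line = re.sub(r"\s+", " ", raw).strip()
        if line and not line.startswith("#"):
            out.append(line)
    return out


def fingerprints(lines, k=K):
    """SHA-256 of every window of k consecutive normalized lines."""
    return {hashlib.sha256("\n".join(lines[i:i + k]).encode()).hexdigest()
            for i in range(len(lines) - k + 1)}


def build_index(components):
    """Map each known fingerprint to the component(s) it came from."""
    index = defaultdict(set)
    for name, meta in components.items():
        for fp in fingerprints(normalize(meta["text"])):
            index[fp].add(name)
    return index


def manifest_scan(manifest, components):
    """What a dependency-manifest scan sees: declared packages only."""
    return {name: components[name]["license"]
            for name in manifest if name in components}


def snippet_scan(files, components, min_hits=MIN_HITS):
    """Content scan: report a file when enough of its line windows match."""
    index = build_index(components)
    findings = []
    for path, text in files.items():
        hits = defaultdict(int)
        for fp in fingerprints(normalize(text)):
            for name in index.get(fp, ()):
                hits[name] += 1
        for name, n in sorted(hits.items()):
            if n >= min_hits:
                findings.append({"path": path, "component": name,
                                 "license": components[name]["license"],
                                 "matched_windows": n})
    return findings


def audit(manifest, files, components):
    """Combine both scans and single out components the manifest never declared."""
    declared = manifest_scan(manifest, components)
    undeclared = [f for f in snippet_scan(files, components)
                  if f["component"] not in declared]
    return {"declared": declared, "undeclared": undeclared}


if __name__ == "__main__":
    print(json.dumps(audit(TARGET_MANIFEST, TARGET_FILES, KNOWN_COMPONENTS), indent=2))
```

Running it shows the manifest scan reporting only `requests`, while the content scan flags `src/util/retry.py` as carrying five matching windows from the undeclared `fancyretry` component and its MIT obligations. The `MIN_HITS` threshold is the usual trade-off in this kind of scan: raising it suppresses chance matches on boilerplate lines, lowering it catches shorter snippets at the cost of more review work.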
So in M&A transactions, the onus shifts to acquiring companies to be aware of the potential open source risks they may be inheriting along with the intellectual property in their targets’ codebases.