SCA tools inspect package manager metadata and lock files, manifest files, source code, binaries, container images, and more. Each open source component they identify is recorded, with its version, in a Bill of Materials (BOM), which is then compared against a variety of databases, including the National Vulnerability Database (NVD).
These databases catalog publicly known vulnerabilities, most of them identified by a CVE ID and annotated with the affected versions of each component. The NVD is the U.S. government's repository of vulnerability data, maintained by NIST. Synopsys also maintains its own vulnerability database, the Black Duck® KnowledgeBase, the industry's most comprehensive database of open source project, license, and security information.
SCA tools can also compare BOMs against other (usually commercial) databases to discover the licenses associated with the code and to assess project health (activity in version control, contribution history, and so on). By comparing the BOM against a database, security teams can identify critical security vulnerabilities and license compliance risks and act quickly to fix them. The quality of that comparison depends on how accurately each component and its version were identified: vendored, renamed, or locally patched copies that the scanner cannot fingerprint are the usual source of missed findings.
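The following is an added example of the BOM-versus-database comparison described above; it is not Synopsys or Black Duck code. It parses a pinned `requirements.txt`-style manifest into a BOM, matches each component against a small vulnerability database in the shape SCA tools derive from NVD/CVE feeds (affected version ranges with an inclusive "introduced" and an exclusive "fixed" bound), and checks licenses against a denylist policy. The manifest, package names, vulnerability identifiers, license records, and policy are all constructed for illustration; the version comparison handles only dotted numeric versions, which is enough to show why range matching, not exact-version lookup, is what matters.

```python
"""Toy SCA matcher: manifest -> BOM -> vulnerability and license lookup.

Added example, not Synopsys/Black Duck code. Every package name,
advisory ID, license record and policy below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed manifest in pip requirements.txt form (not a real project).
MANIFEST = """\
# direct dependencies
httpclient==2.4.1
yamlparse==5.3
imgcodec==1.0.9
logfmt==0.9.2
"""

# Constructed advisory records. "introduced" is inclusive, "fixed" is
# exclusive; fixed=None means no fixed release exists yet.
VULN_DB = [
    {"id": "EXAMPLE-2023-0001", "package": "httpclient", "severity": "HIGH",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.4.2"}]},
    {"id": "EXAMPLE-2023-0002", "package": "httpclient", "severity": "MEDIUM",
     "ranges": [{"introduced": "1.0.0", "fixed": "2.0.0"}]},   # 1.x branch only
    {"id": "EXAMPLE-2022-0117", "package": "yamlparse", "severity": "CRITICAL",
     "ranges": [{"introduced": "0", "fixed": "5.4"}]},
    {"id": "EXAMPLE-2024-0042", "package": "imgcodec", "severity": "HIGH",
     "ranges": [{"introduced": "1.1.0", "fixed": None}]},      # newer branch only
]

# Constructed license data and a hypothetical policy denylist.
LICENSE_DB = {"httpclient": "Apache-2.0", "yamlparse": "MIT",
              "imgcodec": "GPL-3.0-only", "logfmt": "BSD-3-Clause"}
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


@dataclass(frozen=True)
class Component:
    name: str
    version: str


def parse_requirements(text):
    """Build the BOM: one Component per pinned 'name==version' line."""
    bom = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)", line)
        if not m:
            raise ValueError(f"unsupported requirement line: {line!r}")
        bom.append(Component(m.group(1).lower(), m.group(2)))
    return bom


def version_cmp(a, b):
    """Compare dotted numeric versions; 1.2 == 1.2.0, 1.10 > 1.9. Returns -1/0/1."""
    width = max(a.count("."), b.count(".")) + 1
    ka = tuple(int(p) for p in a.split(".")) + (0,) * (width - a.count(".") - 1)
    kb = tuple(int(p) for p in b.split(".")) + (0,) * (width - b.count(".") - 1)
    return (ka > kb) - (ka < kb)


def is_affected(version, rng):
    """True when introduced <= version < fixed (or no fix exists)."""
    if version_cmp(version, rng["introduced"]) < 0:
        return False
    return rng["fixed"] is None or version_cmp(version, rng["fixed"]) < 0


def match_vulnerabilities(bom, db):
    """Return (component, advisory id, severity) for every matching range."""
    hits = []
    for comp in bom:
        for rec in db:
            if rec["package"] != comp.name:
                continue
            if any(is_affected(comp.version, r) for r in rec["ranges"]):
                hits.append((comp, rec["id"], rec["severity"]))
    return hits


def match_licenses(bom, license_db, denied):
    """Return (component, license) for denied or unknown licenses."""
    flagged = []
    for comp in bom:
        lic = license_db.get(comp.name, "UNKNOWN")
        if lic == "UNKNOWN" or lic in denied:
            flagged.append((comp, lic))
    return flagged


if __name__ == "__main__":
    bom = parse_requirements(MANIFEST)
    for comp, vuln_id, severity in match_vulnerabilities(bom, VULN_DB):
        print(f"{severity:8} {vuln_id}  {comp.name}=={comp.version}")
    for comp, lic in match_licenses(bom, LICENSE_DB, DENIED_LICENSES):
        print(f"LICENSE  {lic:14} {comp.name}=={comp.version}")
```

Note that `httpclient==2.4.1` matches only the advisory whose range covers the 2.x branch, and `imgcodec==1.0.9` matches nothing because the unfixed advisory starts at 1.1.0; a matcher that keyed on package name alone would report both records, which is exactly the noise that makes version-accurate range data in the underlying database so important.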