Please use this identifier to cite or link to this item: https://hdl.handle.net/10356/148846
Title: SCA vs. SCA : a comparison of SCA tools in the market
Authors: Lee, Guan Qing
Keywords: Engineering::Computer science and engineering::Software::Software engineering
Issue Date: 2021
Publisher: Nanyang Technological University
Source: Lee, G. Q. (2021). SCA vs. SCA : a comparison of SCA tools in the market. Final Year Project (FYP), Nanyang Technological University, Singapore. https://hdl.handle.net/10356/148846
Project: PSCSE19-0038
Abstract: In 2018 alone, 16,555 new vulnerabilities were discovered from the open-source community, and the total number of vulnerabilities introduced by the use of open-source components also exceeded 100,000. In the same year, tech giants like Google, Facebook, and Amazon exposed at least 1 case of a cybersecurity incident. Therefore, SCA (Software Composition Analysis) has become a popular solution for organizations to manage their inventory of open-source components. Inspired by [1-3], this project focuses on comparing the features and results of commercial SCA tools. A command-line tool called Karby is also built to provide a more straightforward way to receive scan results from different SCA tools. This report reveals the limitations of popular commercial and free-to-use SCA tools in terms of features, language coverage, use cases, et cetera.
URI: https://hdl.handle.net/10356/148846
Schools: School of Computer Science and Engineering
Fulltext Permission: restricted
Fulltext Availability: With Fulltext
Appears in Collections: SCSE Student Reports (FYP/IA/PA/PI)

Files in This Item:
File: FYP_Leeguanqing_U1720332B.pdf (Restricted Access)
Size: 1.66 MB
Format: Adobe PDF

Items in DR-NTU are protected by copyright, with all rights reserved, unless otherwise indicated.