Modern software is not built from scratch. It is assembled from components: open source libraries, frameworks, and packages that provide functionality without developers writing it themselves. A typical web application has hundreds of dependencies, many of which are transitive, meaning they are dependencies of dependencies, invisible to the development team unless specifically examined.
Each dependency is a potential vulnerability source. When a CVE is published for a package that your application depends on, your application inherits that vulnerability. Without a systematic approach to tracking and managing dependencies, you cannot know which vulnerabilities affect you or when new ones are published.
What Software Composition Analysis Does
SCA tools scan application codebases and manifest files, and where one exists the lock file that records the exact resolved versions of transitive dependencies, to build a complete inventory of components. They match that inventory against vulnerability databases, typically the National Vulnerability Database plus ecosystem-specific advisory sources such as OSV and the GitHub Advisory Database, to identify which components contain known vulnerabilities. Two details decide how trustworthy the result is: the inventory must include transitive dependencies rather than only the top-level manifest, and the match must compare the installed version against the advisory's affected version range rather than the package name alone.
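As an added illustration, not code from this page or from any SCA product, the following Python script performs the core matching step: it builds an inventory from a pinned requirements.txt and checks each entry against OSV-style advisory records (introduced version, first fixed version). The package names, versions and advisory IDs are constructed for the example and describe no real vulnerability. The version comparison is numeric on purpose: a plain string comparison treats 1.9.0 as newer than 1.10.0, and the imagelib entry below is there to show the false positive that would produce.

```python
"""Minimal SCA matcher: inventory from a pinned requirements.txt, matched
against OSV-style advisories.

Added example; not code from the original page or from any SCA vendor.
All packages, versions and advisory records are constructed.
"""
import re

# Constructed manifest: three direct, pinned dependencies and a comment.
REQUIREMENTS = """\
# direct dependencies of the web application (constructed sample)
webframework==2.3.1
imagelib==1.9.0
jsonhelper==0.4.2
"""

# Constructed advisories in the shape OSV uses: each affected range names
# the version that introduced the bug and the first version that fixed it.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "webframework", "severity": "HIGH",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.3.2"}]},
    {"id": "EXAMPLE-2024-0002", "package": "imagelib", "severity": "CRITICAL",
     "ranges": [{"introduced": "1.10.0", "fixed": "1.12.0"}]},
    {"id": "EXAMPLE-2024-0003", "package": "jsonhelper", "severity": "LOW",
     "ranges": [{"introduced": "0", "fixed": "0.4.0"}]},
]


def parse_version(text):
    """Turn '1.10.0' into (1, 10, 0) so comparisons are numeric.
    A plain string comparison would rank '1.9.0' above '1.10.0'."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text):
    """Return {name: version} for every pinned 'name==version' line.
    Anything unpinned is rejected: without an exact version there is
    nothing to match an advisory range against."""
    inventory = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if not match:
            raise ValueError(f"unpinned or unsupported requirement: {line!r}")
        inventory[match.group(1).lower()] = match.group(2)
    return inventory


def is_affected(version, ranges):
    """OSV semantics: affected when introduced <= version < fixed.
    A range with no 'fixed' entry means every later version is affected."""
    v = parse_version(version)
    for r in ranges:
        lower = parse_version(r["introduced"])
        upper = parse_version(r["fixed"]) if "fixed" in r else None
        if lower <= v and (upper is None or v < upper):
            return True
    return False


def scan(requirements_text, advisories=ADVISORIES):
    """Return (advisory id, package, installed version, severity) for every
    advisory whose affected range covers an installed version."""
    inventory = parse_requirements(requirements_text)
    findings = []
    for adv in advisories:
        version = inventory.get(adv["package"].lower())
        if version is not None and is_affected(version, adv["ranges"]):
            findings.append((adv["id"], adv["package"], version, adv["severity"]))
    return findings


if __name__ == "__main__":
    for result in scan(REQUIREMENTS):
        print("%s affects %s %s (%s)" % result)
```

Run as written, only webframework 2.3.1 is reported: imagelib 1.9.0 sits below the introduced version 1.10.0 once versions are compared numerically, and jsonhelper 0.4.2 is past the fix. Swapping parse_version for a string comparison would add imagelib as a false positive, which is the kind of defect to look for when evaluating a matcher.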
Modern SCA tools also flag licence compliance issues, identifying dependencies with licence types that may conflict with your distribution or commercial requirements. This is a separate but related risk that organisations with proprietary software need to manage alongside security vulnerabilities.
The Supply Chain Dimension
The compromise of widely-used open source packages has become an established attack technique. Attackers publish malicious packages with names similar to legitimate ones (typosquatting), compromise maintainer accounts to push malicious updates, or inject malicious code into packages before they are published to package registries.
Three controls reduce the risk of supply chain compromise through the package ecosystem: integrity verification, in which the hash of every downloaded artifact is checked against a hash recorded when that version was first reviewed; pinning to exact known-good versions rather than version ranges, so a build cannot silently pick up a newly published release; and treating any change to the lock file as a code change that is reviewed, so an unexpected version bump, or a changed hash for a version that already existed, is noticed before it is merged.
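The following Python example, added here and not taken from this page or from pip, shows two of those controls in practice: verifying that a downloaded artifact matches the SHA-256 hash pinned beside its version, and diffing two revisions of a hash-pinned requirements file so that a changed hash or a version bump is surfaced for review. The artifact bytes and package names are constructed; the hashes are computed from those bytes. The `name==version --hash=sha256:<hex>` line format is the one pip enforces with `--require-hashes`.

```python
"""Hash-pinned dependency verification and lock file drift detection.

Added example; not the page's code and not pip's implementation. The
artifacts, package names and requirement lines are constructed.
"""
import hashlib
import re

# Constructed stand-ins for downloaded release archives.
ARTIFACTS = {
    "webframework-2.3.1.tar.gz": b"webframework 2.3.1 release archive (constructed)",
    "imagelib-1.9.0.tar.gz": b"imagelib 1.9.0 release archive (constructed)",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Requirements file in pip's --hash style: every pin carries the SHA-256 of
# the artifact that was reviewed when the pin was chosen.
LOCKED_REQUIREMENTS = "\n".join([
    "# pinned and hash-locked (constructed sample)",
    "webframework==2.3.1 --hash=sha256:" + sha256_hex(ARTIFACTS["webframework-2.3.1.tar.gz"]),
    "imagelib==1.9.0 --hash=sha256:" + sha256_hex(ARTIFACTS["imagelib-1.9.0.tar.gz"]),
]) + "\n"

LINE_RE = re.compile(
    r"^([A-Za-z0-9_.-]+)==([0-9.]+)((?:\s+--hash=sha256:[0-9a-f]{64})*)$")


def parse_locked(text):
    """Return {name: (version, {sha256 hashes})}.
    Rejects any line that is not an exact pin with at least one hash, so a
    range specifier or a hashless pin cannot slip into the lock unnoticed."""
    lock = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or not m.group(3):
            raise ValueError(f"requirement is not pinned with a hash: {line!r}")
        hashes = set(re.findall(r"sha256:([0-9a-f]{64})", m.group(3)))
        lock[m.group(1).lower()] = (m.group(2), hashes)
    return lock


def verify_artifact(name, version, data, lock):
    """True only if data's SHA-256 is one of the hashes pinned for name==version.
    A different version, or bytes that differ from what was reviewed, fails."""
    entry = lock.get(name.lower())
    if entry is None or entry[0] != version:
        return False
    return sha256_hex(data) in entry[1]


def lockfile_drift(old_text, new_text):
    """List (package, reason) for every entry that differs between two lock
    file revisions. A hash that changed while the version did not is the
    case worth the hardest look: the registry content for an existing
    release should never change."""
    old, new = parse_locked(old_text), parse_locked(new_text)
    changes = []
    for name in sorted(set(old) | set(new)):
        if name not in old:
            changes.append((name, "added"))
        elif name not in new:
            changes.append((name, "removed"))
        elif old[name][0] != new[name][0]:
            changes.append((name, f"version {old[name][0]} -> {new[name][0]}"))
        elif old[name][1] != new[name][1]:
            changes.append((name, "hash changed for same version"))
    return changes


if __name__ == "__main__":
    lock = parse_locked(LOCKED_REQUIREMENTS)
    good = ARTIFACTS["webframework-2.3.1.tar.gz"]
    print("genuine archive:", verify_artifact("webframework", "2.3.1", good, lock))
    print("tampered archive:", verify_artifact("webframework", "2.3.1", good + b"!", lock))
    tampered = LOCKED_REQUIREMENTS.replace(
        sha256_hex(ARTIFACTS["imagelib-1.9.0.tar.gz"]), "0" * 64)
    print("lock file drift:", lockfile_drift(LOCKED_REQUIREMENTS, tampered))
```

In a pipeline, lockfile_drift would run on the pull request's lock file against the base branch's copy and post the result as a review comment; an "added" or "version" change is normal dependency maintenance, while "hash changed for same version" should stop the merge until someone explains it.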

Expert Commentary
William Fieldhouse, Director of Aardwolf Security Ltd
“Open source dependencies are the part of the application most development teams think least about from a security perspective. A modern web application can have hundreds of transitive dependencies, and each one is a potential vulnerability source. SCA is not optional for teams that take application security seriously.”
Integrating SCA Into Development
Web application penetration testing includes review of the application’s dependency landscape. Manual testers examine the component inventory for critical vulnerabilities and assess whether vulnerable components are reachable in the application’s execution paths. This contextualises findings beyond a raw list of CVEs.
The most valuable integration point for SCA is the CI/CD pipeline. Running SCA on every build surfaces a new vulnerability as soon as the advisory database carries it, rather than at the next scheduled review. Pull request checks that block merges introducing high-severity vulnerable dependencies enforce security at the development stage. The check should fail on findings the change introduces, measured against the main branch, because a gate that fails on the whole existing backlog blocks every unrelated merge and is soon switched off.
Managing Remediation Practically
SCA tooling in a large codebase produces significant output. Prioritisation is necessary. Critical vulnerabilities in directly imported packages that are actively reachable in the application’s code paths take priority. Vulnerabilities in transitive dependencies deep in the dependency.
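To make the pull request gate from the previous section and the prioritisation described here concrete, the following Python example (added here; not the page's code and not any vendor's policy engine) diffs a pull request's findings against the main-branch baseline so only newly introduced findings can block the merge, applies a severity threshold, and orders what remains by severity, then reachability, then whether the package is a direct dependency. The findings and advisory IDs are constructed, and the ordering policy is an assumption for the example; in practice the reachable flag comes from a reachability analysis or a tester's manual review.

```python
"""Pull request gate and remediation ordering for SCA findings.

Added example: not the page's code and not an SCA product's policy
engine. All findings are constructed; the advisory IDs are not real and
the 'reachable' flag is assumed to be supplied by a reachability analysis
or a manual review.
"""

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def finding(advisory, package, severity, direct, reachable):
    """One scanner result. 'direct' is True for a package the application
    imports itself, False for a transitive dependency pulled in by another."""
    return {"advisory": advisory, "package": package, "severity": severity,
            "direct": direct, "reachable": reachable}


# Constructed: what the scanner reports on the main branch today.
BASELINE = [
    finding("EXAMPLE-2024-0003", "jsonhelper", "LOW", direct=False, reachable=False),
    finding("EXAMPLE-2024-0001", "webframework", "HIGH", direct=True, reachable=True),
]

# Constructed: the same scan on a pull request that adds three findings.
PULL_REQUEST = BASELINE + [
    finding("EXAMPLE-2024-0004", "imagelib", "CRITICAL", direct=True, reachable=False),
    finding("EXAMPLE-2024-0005", "deeplogger", "HIGH", direct=False, reachable=True),
    finding("EXAMPLE-2024-0006", "tinyutil", "MEDIUM", direct=False, reachable=False),
]


def finding_key(f):
    """Identity of a finding across scan runs."""
    return (f["advisory"], f["package"])


def new_findings(pr_findings, baseline_findings):
    """Findings the pull request introduces. The pre-existing backlog is
    tracked separately; failing every unrelated merge on it only gets the
    check disabled."""
    known = {finding_key(f) for f in baseline_findings}
    return [f for f in pr_findings if finding_key(f) not in known]


def prioritise(findings):
    """Remediation order (assumed policy): highest severity first, then
    findings whose vulnerable code is reachable, then direct dependencies
    over transitive ones. sorted() is stable, so ties keep scanner order."""
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f["severity"]],
                                           not f["reachable"], not f["direct"]))


def gate(pr_findings, baseline_findings, threshold="HIGH"):
    """Return (passed, blocking). passed is False when the pull request
    introduces any finding at or above the threshold severity."""
    floor = SEVERITY_RANK[threshold]
    blocking = [f for f in new_findings(pr_findings, baseline_findings)
                if SEVERITY_RANK[f["severity"]] >= floor]
    return (not blocking, prioritise(blocking))


def exit_code(pr_findings, baseline_findings, threshold="HIGH"):
    """Exit status for a CI step: 0 lets the merge proceed, 1 blocks it."""
    passed, _ = gate(pr_findings, baseline_findings, threshold)
    return 0 if passed else 1


if __name__ == "__main__":
    import sys
    passed, blocking = gate(PULL_REQUEST, BASELINE)
    for f in blocking:
        print(f"BLOCKING {f['severity']:8} {f['package']} ({f['advisory']}) "
              f"direct={f['direct']} reachable={f['reachable']}")
    print("remediation order:", [f["advisory"] for f in prioritise(PULL_REQUEST)])
    sys.exit(exit_code(PULL_REQUEST, BASELINE))
```

With these inputs the gate fails on the two new findings at HIGH or above (imagelib and deeplogger) while the HIGH finding already on the main branch does not block, and the remediation order puts the CRITICAL direct dependency first, then the reachable HIGH findings ahead of the unreachable MEDIUM and LOW ones.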