
Offensive360
Intermediate · 20 min

Software Composition Analysis

Learn how untracked OSS licenses and missing SBOMs create legal risk and blind spots in vulnerability management.

1 Untracked OSS Licenses and Unpatched Transitive Deps

Software Composition Analysis (SCA) goes beyond vulnerability scanning to cover legal compliance and comprehensive dependency visibility.

License compliance risks:

  • GPL/AGPL: Distributing a product that incorporates GPL code obliges you to license the combined work under the GPL, which for a proprietary product means releasing your own source. AGPL extends the obligation to software offered over a network, even when nothing is distributed
  • LGPL: Dynamic linking is generally fine, but you must pass on the LGPL library's source (or make it obtainable) and let users replace it with a modified version
  • Copyleft propagation: A GPL dependency pulled in transitively carries the same obligations as one you chose directly; the license attaches to what ships, not to who added it

Example license chain issue:

# List the license of every production dependency, transitive ones included
npx license-checker --production
# lodash@4.17.21   licenses: MIT      -> fine, you chose it
# some-lib@2.3.0   licenses: GPL-3.0  -> pulled in by a dependency, Risk!
npm ls --all some-lib   # shows which direct dependency brings it in

# Fail the check when any dependency has a license outside the allow-list
npx license-checker --production --onlyAllow 'MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause'
# Exits with code 1, naming the offending package, if any license is disallowed

Unpatched transitive dependencies:

Updating every direct dependency to a patched version does not guarantee the fix reaches your build. A direct dependency may pin an older, vulnerable version of the same package in its own dependencies, so two copies coexist in node_modules and only the one you control is patched. Without an SBOM, or at least a walk of the full tree, you have no visibility into the nested copies.
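To see where a vulnerable copy hides, the tree has to be walked, not just the direct list. The following script is an added example (not code from the original page or from npm): it walks a tree shaped like the output of `npm ls --all --json`, finds every copy of a package, and reports the ones below the first fixed version together with the chain of packages that pulls each one in. The tree, the package names and the fixed version `4.17.21` are constructed for illustration and do not reference a real advisory.

```javascript
// Added example, not from the original page or from npm itself.
// Walks a dependency tree shaped like `npm ls --all --json` output and reports
// every copy of a package that is still below the first fixed version, with the
// chain of packages that pulls it in. Tree contents are constructed for
// illustration; no real advisory is referenced.

const constructedTree = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    // Direct dependency, already updated to the patched version.
    lodash: { version: "4.17.21" },
    // A direct dependency that pins its own, older copy of lodash.
    "some-lib": {
      version: "2.3.0",
      dependencies: { lodash: { version: "4.17.15" } },
    },
    // Two levels deep: this copy is invisible to a review of direct dependencies.
    "other-lib": {
      version: "1.0.0",
      dependencies: {
        "deep-lib": {
          version: "0.9.0",
          dependencies: { lodash: { version: "4.17.20" } },
        },
      },
    },
  },
};

// Numeric dotted-version comparison. Prerelease tags are not handled, which is
// enough for the resolved versions `npm ls` prints.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every occurrence of `pkg` anywhere in the tree. Each hit carries the
// path of `name@version` entries from the root down to that copy.
function findAllCopies(tree, pkg, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg) hits.push({ version: node.version, path: here });
    hits.push(...findAllCopies(node, pkg, here)); // keep walking: nesting can repeat
  }
  return hits;
}

// Copies whose resolved version is older than `fixedIn` are still vulnerable,
// regardless of what the direct dependency on the same package says.
function vulnerableCopies(tree, pkg, fixedIn) {
  return findAllCopies(tree, pkg).filter(
    (copy) => compareVersions(copy.version, fixedIn) < 0
  );
}

for (const copy of vulnerableCopies(constructedTree, "lodash", "4.17.21")) {
  console.log(`lodash@${copy.version} still present via ${copy.path.join(" > ")}`);
}
```

On a real project, replace `constructedTree` with `JSON.parse` of `npm ls --all --json` output; the chain printed for each hit is what you need to decide whether to bump the intermediate package, add an `overrides` entry, or accept the risk.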

2 SCA Tools, SBOM Generation, and License Compliance

Implement SCA practices with automated tooling integrated into CI/CD pipelines.

Generate a Software Bill of Materials (SBOM):

# CycloneDX SBOM for Node.js projects
npm install -g @cyclonedx/cyclonedx-npm
cyclonedx-npm --output-format JSON --output-file sbom.json

# Syft for container images
syft myapp:latest -o cyclonedx-json=sbom.json

# An SBOM records every package with its version, declared license and (where available) content hashes
# That record is the input for vulnerability matching, license audit and supply chain attestation
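Once an SBOM exists, the license audit can run on the SBOM itself rather than on a populated node_modules directory, so the same policy applies to anything Syft or a CycloneDX generator can describe. The script below is an added example, not code from the page or from the CycloneDX project: it reads a CycloneDX 1.x JSON document, evaluates each component's license claim against an allow-list, and treats anything it cannot decide (no license metadata, or a free-text license name without an SPDX id) as a violation. It goes slightly beyond the text by also evaluating SPDX license expressions such as `(MIT OR GPL-2.0-only)`. The SBOM document, its component names and the allow-list are constructed assumptions.

```javascript
// Added example, not from the original page or from the CycloneDX project.
// Audits a CycloneDX 1.x JSON SBOM against a license allow-list, failing closed
// on anything it cannot decide. The document below is constructed for illustration.

const constructedSbom = {
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  components: [
    { type: "library", name: "lodash", version: "4.17.21",
      licenses: [{ license: { id: "MIT" } }] },
    { type: "library", name: "some-lib", version: "2.3.0",
      licenses: [{ license: { id: "GPL-3.0-only" } }] },
    // Dual-licensed: OR lets the consumer pick, so MIT satisfies the policy.
    { type: "library", name: "dual-lib", version: "1.2.0",
      licenses: [{ expression: "(MIT OR GPL-2.0-only)" }] },
    // AND means both apply, so the LGPL part fails the policy.
    { type: "library", name: "combo-lib", version: "0.4.0",
      licenses: [{ expression: "Apache-2.0 AND LGPL-2.1-only" }] },
    // No license metadata at all: undecidable, therefore a violation.
    { type: "library", name: "mystery-lib", version: "0.0.1" },
    // Free-text name instead of an SPDX id: also undecidable.
    { type: "library", name: "named-lib", version: "3.0.0",
      licenses: [{ license: { name: "Custom Proprietary" } }] },
  ],
};

const ALLOWED = new Set(["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"]);

function tokenize(expr) {
  return expr.replace(/\(/g, " ( ").replace(/\)/g, " ) ").trim().split(/\s+/);
}

// Recursive-descent evaluation of an SPDX expression against the allow-list.
// SPDX precedence: AND binds tighter than OR.
//   or-expr  := and-expr ("OR" and-expr)*
//   and-expr := atom ("AND" atom)*
//   atom     := "(" or-expr ")" | license-id
function evalExpression(expr, allowed) {
  const toks = tokenize(expr);
  let i = 0;
  function atom() {
    const t = toks[i++];
    if (t === "(") {
      const v = orExpr();
      if (toks[i++] !== ")") throw new Error(`unbalanced parentheses in "${expr}"`);
      return v;
    }
    if (t === undefined || t === ")" || t === "AND" || t === "OR") {
      throw new Error(`unexpected token "${t}" in "${expr}"`);
    }
    return allowed.has(t);
  }
  // atom() is called before the && / || so every token is consumed.
  function andExpr() { let v = atom(); while (toks[i] === "AND") { i++; v = atom() && v; } return v; }
  function orExpr() { let v = andExpr(); while (toks[i] === "OR") { i++; v = andExpr() || v; } return v; }
  const result = orExpr();
  if (i !== toks.length) throw new Error(`trailing tokens in "${expr}"`);
  return result;
}

// One verdict per component. CycloneDX allows several entries in `licenses`;
// all of them must pass, which is the conservative reading.
function componentVerdict(component, allowed) {
  const claims = component.licenses || [];
  if (claims.length === 0) return { ok: false, reason: "no license metadata" };
  for (const claim of claims) {
    const expr = claim.expression || (claim.license && claim.license.id);
    if (!expr) {
      const name = claim.license && claim.license.name;
      return { ok: false, reason: `license "${name}" has no SPDX id; review manually` };
    }
    if (!evalExpression(expr, allowed)) return { ok: false, reason: `"${expr}" not in allow-list` };
  }
  return { ok: true, reason: "" };
}

// Returns only the components that violate the policy, ready for a CI gate.
function auditSbom(sbom, allowed = ALLOWED) {
  return sbom.components
    .map((c) => ({ name: c.name, version: c.version, ...componentVerdict(c, allowed) }))
    .filter((r) => !r.ok);
}

for (const v of auditSbom(constructedSbom)) {
  console.log(`DENY ${v.name}@${v.version}: ${v.reason}`);
}
```

In CI, load `sbom.json` with `JSON.parse`, call `auditSbom`, and exit non-zero when the returned array is non-empty; keep the "undecidable" cases as failures rather than silently passing them, since a missing license field usually means the package metadata is wrong, not that the package is unlicensed.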

License compliance in CI (license-checker inspects the installed node_modules tree, so run this step after `npm ci`):

- name: Check dependency licenses
  run: |
    npx license-checker \
      --production \
      --onlyAllow "MIT;Apache-2.0;BSD-2-Clause;BSD-3-Clause;ISC" \
      --excludePackages "internal-package"
  # Fails if any dependency has a disallowed license

Defense checklist:

  • Generate an SBOM for every release (CycloneDX or SPDX format)
  • Run license compliance checks in CI
  • Define and document your allowed license policy
  • Scan the full transitive dependency tree, not just direct dependencies
  • Store SBOMs alongside release artifacts for audit purposes

Knowledge Check

Q1

What is a Software Bill of Materials (SBOM)?

Q2

Why might using a GPL-licensed package in a commercial application create legal risk?

Q3

How does SCA differ from SAST (Static Application Security Testing)?

Code Exercise

Add License Compliance Check to CI

The CI pipeline has no license compliance check. Add a step that uses license-checker to fail the build if any dependency uses a non-approved license (only MIT, Apache-2.0, and BSD licenses allowed).
