Introducing the 3rd Generation of Software Composition Analysis

May 29, 2018 Gabriel Avner

Software Composition Analysis tools were created to help companies take control of their open source usage, gaining actionable insights based on real visibility over the open source components in their inventory and products.

Whereas the 1st generation offered legal teams a level of assurance that they were not using open source components with licenses that were incompatible with their policies through snippet scanning, this solution was far from scalable and did not offer the real-time, continuous coverage necessary to protect them from the rapidly evolving security threats that are inherent in the use of third-party software.

WhiteSource was the first to offer the 2nd generation of SCA, bringing to bear the largest collection of security resources, running continuously to identify all open source components in products and development environments, bringing unprecedented coverage throughout the SDLC with fully automated tools that allowed companies to enforce their policies and ensure compliance for security, licenses, and quality concerns.

However even as WhiteSource has held to its standard of zero false positives, we have heard from customers that they are struggling to prioritize their teams’ efforts to keep up with the sheer number of genuine alerts that they receive on a daily basis. In losing sight of which vulnerabilities have the most significant impact on their products, they are frozen into inaction, leaving the vulnerabilities in their code to continue threatening their products.    

In hopes of providing more actionable insights into how companies are actually using open source components in their products, WhiteSource has announced the 3rd generation of Software Composition Analysis with the launch of our latest technology that we are calling Effective Usage Analysis.

Our research into open source Java components has found that only 30% of reported vulnerabilities are in fact effective, meaning that the proprietary code is making calls to a specific vulnerable functionality within the open source component.  


This was a groundbreaking revelation, as we understood that by understanding which functionalities had a direct impact on the code, we could reduce the scope of alerts for our customers by 70%, saving them valuable time.

We then decided to dig deeper into the code, much deeper. Now that we knew that we could identify which specific vulnerable functionalities were effective and could help teams to prioritize their remediations, we had to turn this into actionable intelligence to speed up the process.

The result has been a trace analysis that takes developers right to the spot in their code that they are using the vulnerable, effective functionality, showing them how they are using it and which other components it is supporting. This means no more time wasted searching for the problematic function, and running a series of trial and error tests to see if your product will still work as intended following the remediations.

An added benefit that we have heard from customers who have tried using Effective Usage Technology is that it has already started to dramatically reduce friction between the security and development teams. Why is this though?

One of the major complaints that we often hear from development teams is that the folks from security will simply send them over a PDF report telling them that they have a vulnerability to deal with.



However, they are missing crucial information about how it is being used in their product, which is a minimum requirement for them to be aware of before they go in for their remediations. What they need is the proper evidence that the issue being flagged for them is worth their time and attention. Developers know that the alerts they are receiving from WhiteSource are legitimate, but they do not know where to start. Simply put, they lack the confidence that their efforts and resources are being sent to the most critical places.

By providing them with a solution that quickly directs them to where they need to be for their remediation, and draws them a map of how it is impacting their product, they can know that their time is being well spent.

If the 2nd generation of SCA could tell you what you had, this 3rd generation shows you how you are actually using it, giving you the intelligence to make smarter decisions, breaking out from under the weight of alerts and into a manageable workflow to keep products secure.

At the core of WhiteSource’s solutions is the reliance on automation. Whether it is how we gave customers the ability to set and enforce policies across their organization, or now in taking the guesswork out of the prioritization for remediations, automation is a powerful necessity if a solution aims to be scalable, and therefore remain relevant in this industry. 

Previous Article
Top 5 New Open Source Security Vulnerabilities in May 2018
Top 5 New Open Source Security Vulnerabilities in May 2018

Next Article
Top 10 Weirdest Names for Open Source Projects
Top 10 Weirdest Names for Open Source Projects


Stay up to date, subscribe to our newsletter today!

I agree to receive email updates from WhiteSource
Thank you!
Error - something went wrong!