Introducing the 3rd Generation of Software Composition Analysis

Software Composition Analysis tools were created to help companies take control of their open source usage, gaining actionable insights based on real visibility over the open source components in their inventory and products.

Whereas the 1st generation offered legal teams a level of assurance, through snippet scanning, that they were not using open source components with licenses that were incompatible with their policies, this approach was far from scalable and did not offer the real-time, continuous coverage needed to protect them from the rapidly evolving security threats inherent in the use of third-party software.

WhiteSource was the first to offer the 2nd generation of SCA, bringing to bear the largest collection of security resources and running continuously to identify all open source components in products and development environments. This brought unprecedented coverage throughout the SDLC, with fully automated tools that allowed companies to enforce their policies and ensure compliance for security, license, and quality concerns.

However, even as WhiteSource has held to its standard of zero false positives, we have heard from customers that they are struggling to prioritize their teams’ efforts to keep up with the sheer number of genuine alerts they receive on a daily basis. Losing sight of which vulnerabilities have the most significant impact on their products, they are frozen into inaction, leaving the vulnerabilities in their code to continue threatening their products.

In hopes of providing more actionable insights into how companies are actually using open source components in their products, WhiteSource has announced the 3rd generation of Software Composition Analysis with the launch of our latest technology that we are calling Effective Usage Analysis.

Our research into open source Java components has found that only 30% of reported vulnerabilities are in fact effective, meaning that the proprietary code is making (Read more...)
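As an added illustration (not WhiteSource's own code or algorithm), here is a minimal reachability check over a constructed call graph: a reported vulnerability counts as effective only when some function in the application's own code can reach the dependency function that carries the flaw. All function names, the graph and the advisory IDs are constructed for the example.

```python
from collections import deque

# Constructed call graph: each key calls the functions in its list.
# "app." functions are proprietary code; "dep." functions belong to a dependency.
CALL_GRAPH = {
    "app.Main.run": ["app.Service.handle", "dep.Util.trim"],
    "app.Service.handle": ["dep.Parser.parse"],
    "dep.Parser.parse": ["dep.Parser.tokenize"],
    "dep.Parser.tokenize": [],
    "dep.Util.trim": [],
    "dep.Net.fetch": ["dep.Net.resolve"],  # present in the dependency, never called by app code
    "dep.Net.resolve": [],
}

# Constructed advisories, each naming the dependency functions that hold the flaw.
REPORTED = {
    "VULN-A": ["dep.Parser.tokenize"],
    "VULN-B": ["dep.Net.resolve"],
}


def app_roots(graph, prefix="app."):
    """Every function in the application's own code is a potential entry point."""
    return [f for f in graph if f.startswith(prefix)]


def find_path(graph, roots, targets):
    """BFS from the roots; return the first call chain ending in a target, or None."""
    parent = {r: None for r in roots}
    queue = deque(roots)
    while queue:
        node = queue.popleft()
        if node in targets:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for callee in graph.get(node, []):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None


def classify(graph, advisories, roots):
    """Map each advisory to a reaching call chain (effective) or None (not effective).
    Caveat: a static graph misses calls made via reflection or dynamic dispatch."""
    return {adv: find_path(graph, roots, set(funcs)) for adv, funcs in advisories.items()}


if __name__ == "__main__":
    for adv, path in classify(CALL_GRAPH, REPORTED, app_roots(CALL_GRAPH)).items():
        print(adv, "effective via " + " -> ".join(path) if path else "not reachable from app code")
```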

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Gabriel Avner. Read the original post at:

Gabriel Avner

Gabriel is a former journalist who loves learning and writing about the cat and mouse game of security. These days he writes for WhiteSource about the issues impacting open source security and license management and training Brazilian Jiu-Jitsu.
