
Google open sources software composition analysis library

submitted by
Style Pass
2025-01-20 12:30:04

Software composition analysis (SCA) is a process undertaken to identify and track application code dependencies and also track security and compliance factors. Given the importance of this practice in modern enterprise IT stack environments when building software bill of materials (SBOM) inventories, software engineering teams can now consider Google’s newly open-sourced OSV-SCALIBR (Software Composition Analysis LIBRary). With open source vulnerability (OSV) issues always in the spotlight, this could be a welcome development.

Google says that OSV-SCALIBR is now the “primary SCA engine” used within Google for live hosts, code repositories and containers. It has been used and tested extensively across many different products and internal Google tools to help generate SBOMs, find vulnerabilities and help protect users’ data at what Google calls ‘Google scale’, i.e. quite big.

The cloud and search giant offers OSV-SCALIBR primarily as an open source Go library today, but is working on adding its new capabilities into OSV-Scanner as the primary command line interface (CLI).
