Frequently Asked Questions

What programming languages does FossID support?

FossID’s scanning technology uses a variant of fuzzy hashing to identify matches against our knowledge base. It calculates fuzzy hash values (signatures) for small code fragments or snippets, in addition to standard hash values for full files, and compares them to entries in the knowledge base. Because this method is not tied to any specific programming language, it can identify matches in essentially any language for which relevant data exists in the knowledge base.

The same approach applies to binaries. FossID calculates hash values for entire binaries and compares them against binaries in the knowledge base. It does not, however, calculate or compare hashes for smaller binary fragments or snippets.

Dependency analysis is the one exception. It relies on support for specific package managers and build systems.


How does FossID ensure source code confidentiality and handle data privacy concerns?

FossID’s scanning process is designed to protect source code confidentiality. It uses one-way hash sums, or “digital fingerprints,” calculated for entire files and for individual code snippets. These hashes are produced by non-reversible (one-way) mathematical functions, so the original source code cannot be reconstructed or derived from the hash output.

Only these hash values are transmitted from the client to the scan server; the actual source code never leaves the client environment. By default, file and folder paths are included to improve match accuracy, but this option can be disabled. The scan results contain metadata only and are returned in a structured format, ensuring that all source code and intellectual property remain confidential throughout the process.


What is the difference between declared and undeclared open source?

Declared open source refers to packages (also called components or libraries) that are referenced through a package manager such as NPM, NuGet or Pip; packages may also be declared in the source code itself through import declarations. Undeclared open source, by contrast, is not explicitly referenced in any way: it is open source pasted directly into the code, either in full or as just a fragment (a snippet) of the package.


What is the difference between managed and unmanaged open source?

Managed open source simply refers to the usage of open source dependencies via a software package management system. Unmanaged open source refers to open source embedded into the codebase – not referenced within a package manager.


What is the difference between a code snippet and a vulnerable code snippet?

A code snippet is a fragment of a known open source or third-party software package found within another codebase, as opposed to the package being present in its entirety. Some software packages have a known vulnerability, identified by a CVE (Common Vulnerabilities and Exposures) entry. A vulnerable code snippet is the precise fragment of code that makes the package vulnerable. A snippet taken from a vulnerable package may be found in a codebase, but it may or may not be the vulnerable code snippet itself. The ability to identify a vulnerable code snippet lets developers prioritize their security patching efforts and save valuable time.
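To make the hash-only matching from the language and confidentiality answers above, and the vulnerable-snippet distinction here, concrete, the following is an added Python sketch; it is not FossID's code and does not reproduce its proprietary fuzzy hashing. It fingerprints every short token window with SHA-256, sends only digests to a constructed in-memory knowledge base, and reports whether a matched package's advisory fragment was among the hits. The package names, their sources, the client file and the "vulnerable" fragment are all constructed for the example.

```python
import hashlib
import re
K = 5  # tokens per fingerprinted fragment (window size; a constructed choice)

def tokens(src):
    """Normalise source so whitespace and comment noise do not change fingerprints."""
    return re.findall(r"[A-Za-z_]\w*|\d+|[^\s\w]", re.sub(r"#.*", "", src))

def file_hash(src):
    """One-way digest of the whole file: the source cannot be recovered from it."""
    return hashlib.sha256(src.encode()).hexdigest()

def snippet_hashes(src):
    """One-way digest of every K-token window: one fingerprint per small fragment."""
    t = tokens(src)
    return {hashlib.sha256(" ".join(t[i:i + K]).encode()).hexdigest() for i in range(len(t) - K + 1)}

# Constructed knowledge base (package -> source) standing in for a real one
KB_SOURCES = {
    "libparse-1.0": "def parse(buf):\n    n = len(buf)\n    out = []\n    for i in range(n):\n"
                    "        out.append(buf[i] ^ 0x5a)\n    return bytes(out)\n",
    "libmath-2.1": "def clamp(x, lo, hi):\n    return max(lo, min(x, hi))\n",
}
KB_INDEX = {}  # fragment hash -> set of packages containing that fragment
for _pkg, _src in KB_SOURCES.items():
    for _h in snippet_hashes(_src):
        KB_INDEX.setdefault(_h, set()).add(_pkg)
# Constructed: the exact fragment a hypothetical advisory for libparse-1.0 points at
VULN_HASHES = {"libparse-1.0": snippet_hashes("out.append(buf[i] ^ 0x5a)")}

def scan(client_src, path=None):
    """Client side: the report sent to the server holds digests only; path is optional."""
    report = {"file": file_hash(client_src), "snippets": snippet_hashes(client_src)}
    if path is not None:
        report["path"] = path
    return report

def match(report):
    """Server side: look up submitted digests; flag packages whose advisory fragment hit."""
    hits = {}
    for h in report["snippets"]:
        for pkg in KB_INDEX.get(h, ()):
            hits.setdefault(pkg, set()).add(h)
    return {pkg: {"fragments": len(hs),
                  "full_file": report["file"] == file_hash(KB_SOURCES[pkg]),
                  "vulnerable": bool(hs & VULN_HASHES.get(pkg, set()))}
            for pkg, hs in hits.items()}

CLIENT_SRC = (  # constructed client file: the libparse loop pasted under a new name
    "# in-house codec, origin unknown\ndef decode(buf):\n    n = len(buf)\n    out = []\n"
    "    for i in range(n):\n        out.append(buf[i] ^ 0x5a)  # xor obfuscation\n    return bytes(out)\n")
```

Running `match(scan(CLIENT_SRC))` reports libparse-1.0 as a snippet match (not a full-file match) with the advisory fragment present, while the renamed function keeps the whole-file hash from matching.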


What SBOM standards does FossID support?

FossID supports both System Package Data Exchange (SPDX®), from the Linux Foundation, and CycloneDX (CDX), from OWASP. SBOM support is continuously updated to keep pace with the standards, various industry-specific profiles, and functionality for ingesting, consolidating and exporting.


What are direct and transitive dependencies?

Simply put, a direct dependency is a third-party software package that a developer includes in their codebase to use its functionality. Transitive dependencies are those the developer did not include directly but that are required by a direct dependency; in short, a transitive dependency is a dependency of a direct dependency.


What is a Virtual Open Source Auditor?

A Virtual Open Source Auditor is an open source auditor who works in a staff augmentation model and is therefore committed to an organization for only a fraction of the time a full-time employee would be. The amount of time dedicated and the duration of the agreement vary. FossID offers a Virtual Open Source Auditor to assist clients that use the FossID Software Composition Analysis (SCA) toolset but want additional auditor expertise for a period of time.


What is Baselining?

Starting a new Software Composition Analysis scan of a codebase can be a daunting task: scanning hundreds of thousands, or millions, of lines of code and then auditing the results is neither simple nor quick. Baselining is a service provided by FossID’s team of Open Source Auditors that takes advantage of the many years of past audits and open source software component (package) matches they have already completed. The Baselining service gives you a major jumpstart if you plan to do the audits on your own.


What is a Custom Volume?

A Custom Volume is a user-defined dataset within the FossID Knowledgebase that lets you scan against code and data you choose such as proprietary IP, third-party code, or legacy systems. It extends FossID’s deep signature scanning and analysis beyond the standard knowledgebase, enabling tailored use cases like detecting IP leakage, validating open-source adoption, and monitoring legacy code for the latest known vulnerabilities.
