Product Update

Introducing FossID Dependency Analysis

Today we announced the general availability of FossID Dependency Analysis 1.0. What is this new tool, and what does it mean for you?

What do you mean by Dependency Analysis?

In FossID’s tools, Dependency Analysis is the process of adding declared open source components, together with their associated license and security information, to a Software Bill of Materials (SBOM). It does this by expanding package manager manifests to compute the direct and transitive dependencies your project uses.

We discuss the differences between declared and undeclared Open Source Software (OSS) and why both should be included in your SBOM in this article.

Did FossID have Dependency Analysis before today?

Since our founding, FossID has contributed to and integrated the OSS Review Toolkit (ORT) to power Dependency Analysis in FossID Workbench. FossID has worked closely with ORT maintainers over the years, some of whom are our clients, and we will continue doing so.

What are you introducing and why do I need it?

We’re announcing Version 1.0 of our own Dependency Analysis solution, FossID Dependency Analysis. We built FossID Dependency Analysis to solve three main use cases of interest to our audit team and clients:

  1. Identifying undeclared dependencies, that is, dependencies introduced without a package manager, such as file-level imports in C, C++, Go, and Python.
  2. Performing “deep scanning” by using the FossID CLI to find licenses and copyrights in declared dependencies that differ from those reported by the package manager.
  3. Performing Dependency Analysis for Blind Scans, our technology for auditing source code without uploading it to the FossID Knowledge Base, so that we no longer need to ask audit service clients to share their package manager manifests with us.
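To make the first use case concrete, here is an added example (not FossID’s code, and not how FossID Dependency Analysis is implemented) of the basic check behind undeclared-dependency detection for Python: parse the import statements in a source file, discard standard-library modules, and report anything the manifest does not declare. The manifest, source text, and the distribution-to-module mapping are constructed for this example.

```python
import ast
import sys
from typing import Set

# Constructed sample inputs (not real project files): a requirements.txt
# that declares one dependency, and a module that imports three third-party names.
MANIFEST = "requests==2.31.0\n"
SOURCE = (
    "import os\n"
    "import requests\n"
    "import yaml\n"
    "from cryptography.hazmat import backends\n"
)

# Hypothetical mapping from distribution name (as written in a manifest) to the
# top-level module(s) it installs; a real tool would read package metadata instead.
DIST_TO_MODULES = {"requests": {"requests"}, "pyyaml": {"yaml"}, "cryptography": {"cryptography"}}


def declared_modules(manifest_text: str) -> Set[str]:
    """Expand requirements.txt lines into the top-level modules they provide."""
    mods = set()
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = line.split("[")[0]  # drop extras such as requests[socks]
        for sep in ("==", ">=", "<=", "~=", "!=", ">", "<"):
            name = name.split(sep)[0]  # drop the version specifier
        name = name.strip().lower()
        mods |= DIST_TO_MODULES.get(name, {name})
    return mods


def imported_modules(source_text: str) -> Set[str]:
    """Collect top-level names from import statements via the AST (no code is executed)."""
    names = set()
    for node in ast.walk(ast.parse(source_text)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])  # skip relative imports
    return names


def undeclared_dependencies(manifest_text: str, source_text: str) -> Set[str]:
    """Imports that are neither standard library nor covered by the manifest."""
    # sys.stdlib_module_names exists from Python 3.10; the fallback set is a constructed stand-in.
    stdlib = set(getattr(sys, "stdlib_module_names", {"os", "sys", "json", "re"}))
    return imported_modules(source_text) - stdlib - declared_modules(manifest_text)


if __name__ == "__main__":
    print("undeclared:", sorted(undeclared_dependencies(MANIFEST, SOURCE)))
```

Every name this reports is a component that would be missing from an SBOM built from the manifest alone.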

We’re grateful to our audit team, clients, and partners for testing the tool and reporting bugs during its beta stage. Because of their combined efforts, we feel confident in its ability to accurately capture these nuanced dependencies in your SBOMs.

Do ORT and FossID Dependency Analysis work the same?

The ability to work with Blind Scans, identify undeclared dependencies in source files and archives, and perform “deep scans” of declared dependencies are unique to FossID Dependency Analysis and not available with the ORT-based Dependency Analysis.

That said, a key difference between ORT and FossID Dependency Analysis lies in how declared open source is analyzed. While both use package manager manifests to perform the analysis, ORT uses the installed package managers to process dependencies, while FossID Dependency Analysis emulates package managers by making API calls to the relevant dependency ecosystem. This means FossID Dependency Analysis doesn’t need package managers installed on the Workbench host to analyze declared dependencies.

This results in two tradeoffs when analyzing declared open source. First, ORT’s reliance on the package manager means the analysis can be configured to mirror more closely what happens during a build by customizing the installed package manager. Second, ORT can process dependencies stored in private mirrors (such as internal package registries), whereas FossID Dependency Analysis cannot.

If either of these scenarios applies and would affect your ability to use FossID Dependency Analysis, please let us know by submitting a Feature Request in the Support Portal. In the meantime, continue using ORT for those projects and scans that need that support.

So, which one should I use going forward?

FossID Dependency Analysis can be deployed side-by-side with ORT in Workbench, and you can quickly switch between using ORT and FossID Dependency Analysis via the Webapp_Dependency_Analysis_Command setting in the FossID Configuration.

So, while there is some overlap between FossID Dependency Analysis and ORT, you can have both available and switch between them depending on your project. The tables below highlight key differences to help you choose the best fit for your requirements.

Dependency Sources Supported

Capability | FossID Dependency Analysis | ORT
Declared Dependencies from Primary Mirrors (Maven Central, etc.) | Yes | Yes
Declared Dependencies in Custom or Private Repositories | No | Yes

Detection Capabilities

Capability | FossID Dependency Analysis | ORT
Declared Dependencies | Yes (Primary Mirrors only) | Yes (Primary and Custom Mirrors)
Customizable Dependency Scopes (i.e. dev) | Yes | Yes
Adjust Package Manager Version | Yes (via config setting) | Yes (via installed package manager version)
Undeclared Dependencies from Import Statements | Yes (Python, C/C++, Go) | No
File-Level License and Copyright Analysis | Yes | No
Dependencies from Archives | Yes (Python Wheels) | No

Try it today!

FossID clients can access FossID Dependency Analysis today. To use it with FossID Workbench, make sure you’re running Workbench 23.3 or later, then follow the instructions in the FossID Delivery Portal to deploy it into your system.

Please let the FossID team (support@fossid.com) know if you have any questions.
