Public Report: SCA for Containers

Containers revolutionized the software development and deployment process. But practical concerns remain, especially around software supply chain integrity and security, that still need to be addressed.

Software Composition Analysis (SCA) identifies the components used in software applications and systems and determines their licenses and origin. SCA addresses software supply chain concerns such as SBOMs, regulatory requirements, and cybersecurity compliance. These are increasingly important for distributed, containerized, and cloud native systems, and many open source and proprietary SCA tools are marketed specifically for containers.

A recent nexB project compared SBOMs produced by open source and proprietary SCA tools to evaluate the accuracy and completeness of each tool. The evaluation covered SBOM format, component identification, and license detection, and found significant issues with all of the SCA tools evaluated.

The Container SBOM Clarity Project Public Report explains the evaluation process in detail and provides the results in two dimensions: by container image and by SCA tool. It also provides detailed and actionable recommendations for improving the SCA tools.

Complete the form on this page to receive an email from hello@nexb.com with the Container SBOM Clarity Project Public Report attached as a .pdf file.