Public Report: SCA for Containers

Containers revolutionized the software development and deployment process. But there are still practical concerns, especially related to software supply chain integrity and security, that require improvements.

Software Composition Analysis (SCA) identifies the components used in software applications and systems, along with their licensing and origin. SCA addresses software supply chain concerns like SBOMs, which are increasingly important for distributed, containerized systems. Detecting licenses and origin is critical for legal and cybersecurity compliance.

Many open source and proprietary SCA tools are marketed specifically for containers. After testing many open source and proprietary tools, we completed a project comparing the accuracy, depth, and breadth of these tools’ detection capabilities. The results were not always good.

The policy for many organizations is to clear the licensing for all software files redistributed in their products. But clearing the licensing for container images is particularly challenging, because containers typically contain thousands of files, including many binary files, which in turn are built from even more source files, and the traceability of the origin of container image files is highly variable.

This Container SBOM Clarity Project Public Report compares the accuracy and quality of SBOMs produced by proprietary tool vendors and open source projects, based on an analysis of container images. The approach was to create a curated, authoritative baseline software component origin and license analysis of each container image, and to use this as the reference against which tool results were compared.

To access the report, complete the form on this page. You will receive an email from hello@nexb.com with the report attached. 