Software Composition Analysis


Our software composition analysis detects vulnerabilities in open source libraries and provides actionable steps to secure your supply chain.

Software composition analysis for dependency risk you can act on

Insight into every dependency that shapes your build

Software composition analysis (SCA) identifies and assesses the security risk of open source software components and open source libraries within an application’s dependency tree. As defined by OWASP, it supports software supply chain risk management by producing a component inventory cross-referenced against known vulnerability databases. Unlike a secure code review, which examines original application logic for implementation flaws, SCA focuses on components your developers did not write. It gives teams earlier visibility into third-party dependency risk.

When your dependency tree becomes the attack surface

Because blind trust in dependencies isn’t security

Polyfill.io was a third-party JavaScript polyfill service loaded directly from its domain by more than 100,000 websites. In early 2024 the domain and its GitHub account were sold to a Chinese company, and by June 2024 scripts served from the domain were injecting malicious code into the pages that loaded them. In July 2024 more than 380,000 hosts still referenced the domain, including sites operated by major international brands. A software composition analysis that inventoried third-party script dependencies would have identified the external Polyfill.io script as code running in every visitor's browser under another party's control, before the domain changed hands. Because the service tailored each response to the requesting browser, a subresource integrity hash could not pin it; the only durable fixes were to remove the dependency or self-host a pinned, reviewed copy.
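The check that incident calls for is an inventory of every script a page pulls from a host the site does not control. The following is an added example written for this page, not Swarmnetics tooling or code from the incident: it parses a constructed HTML document, lists the `<script src>` entries, and flags those served from hosts outside a reviewed allowlist, with a weaker finding for approved CDN scripts that lack an integrity attribute. The hostnames, allowlist and HTML are all constructed for illustration.

```python
"""Added example (not from the original page or Swarmnetics): inventory the
third-party scripts a page loads and flag those the site does not control.
All hostnames, the allowlist and the HTML below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: a first-party script, a pinned CDN script with SRI, an
# approved-CDN script without SRI, and a polyfill-style service loaded
# straight from an unreviewed third-party host.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.test/lib@1.2.3/lib.min.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://cdn.example-cdn.test/analytics.js"></script>
<script src="https://polyfill.example.test/v3/polyfill.min.js?features=es6"></script>
</head><body></body></html>
"""

# Constructed allowlists: "" covers relative URLs served by the site itself.
FIRST_PARTY_HOSTS = {"", "www.example.test"}
APPROVED_CDNS = {"cdn.example-cdn.test"}


class ScriptCollector(HTMLParser):
    """Collect the src and integrity attributes of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        if attrs.get("src"):
            self.scripts.append({"src": attrs["src"], "integrity": attrs.get("integrity")})


def inventory_scripts(html):
    """Return every externally sourced script on the page, in document order."""
    parser = ScriptCollector()
    parser.feed(html)
    return parser.scripts


def assess_scripts(html, approved_cdns=APPROVED_CDNS, first_party=FIRST_PARTY_HOSTS):
    """One finding per script whose content the site operator does not control."""
    findings = []
    for script in inventory_scripts(html):
        host = urlparse(script["src"]).netloc.lower()
        if host in first_party:
            continue  # served by us; covered by the application's own review
        if host not in approved_cdns:
            # A service that varies its payload per browser cannot be pinned with
            # SRI, so removal or self-hosting is the only durable remediation.
            findings.append({
                "src": script["src"], "host": host, "severity": "high",
                "issue": "unreviewed third-party host controls code run in every visitor's browser",
                "fix": "remove the dependency or self-host a pinned, reviewed copy",
            })
        elif not script["integrity"]:
            findings.append({
                "src": script["src"], "host": host, "severity": "medium",
                "issue": "approved CDN but no integrity attribute; a CDN compromise would go unnoticed",
                "fix": "pin the version in the URL and add an SRI hash",
            })
    return findings


if __name__ == "__main__":
    for f in assess_scripts(SAMPLE_HTML):
        print(f"[{f['severity']}] {f['host']}: {f['issue']} -> {f['fix']}")
```

Run against real pages, the same logic is the inventory step; the judgement about which hosts belong on the allowlist is the part a consultant still has to make by hand.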

For engineering teams managing large codebases, the harder problem is often not finding CVEs but determining which dependencies are actually in use, which exposures are reachable in the current build, and which fixes can be applied safely without breaking production workloads. Risks associated with open source increase as direct and transitive dependencies accumulate across teams, repositories, containers, and CI/CD pipelines.

Seeing dependency risk in context

Clarity, control, and confidence across your software ecosystem

Swarmnetics assesses the dependency tree with OWASP Dependency-Check and supporting SCA tools, cross-referencing identified components against the National Vulnerability Database (NVD), CVE feeds, and published security advisories. The review maps direct and transitive dependencies, package-manager configurations, container base images, and build-time components, showing where third-party risk enters the application stack. Consultants then validate the tool output in context, separating inherited noise from components that are actually present, exposed, or relevant to the application environment, and review maintenance status, version currency, update history, and package source trust signals so that deprecated or unsupported components are identified before they become material security risks.

Swarmnetics works from dependency manifests and build configurations such as package.json, pom.xml, or requirements.txt, so the review can proceed with limited source access. Where full source code access is available, Swarmnetics can map dependencies to application modules, confirm which versions are actually used, and identify components introduced outside standard package manifests, such as vendored or manually copied libraries. For each finding, consultants assess severity, exploitability, maintenance status, and security posture, then specify the exact version upgrade, patch, or substitution required. The result is not a tool-generated CVE list but a prioritised remediation plan that helps teams decide what to fix first, what can be deferred with justification, and where compensating controls are needed until an upgrade is practical.
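To make the difference between a CVE list and a remediation plan concrete, here is an added example written for this page (not Swarmnetics tooling or Dependency-Check output). It reads a constructed npm `package-lock.json` in the lockfileVersion 3 layout, separates direct, transitive and dev-only components, matches each against a constructed advisory table, and orders the findings by what to fix first: runtime exposure before build-time tooling, known-exploited issues before the rest, then CVSS. Package names, versions and the `ADV-` identifiers are all constructed and refer to no real package or CVE.

```python
"""Added example (not Swarmnetics code or output): triage a constructed npm
lockfile into a prioritised remediation plan. All packages, versions and
advisory identifiers below are constructed; none is a real package or CVE."""
import json

# Constructed package-lock.json (lockfileVersion 3 layout): the "" entry is
# the root project declaring its direct dependencies; every other key is a
# resolved node_modules path.
LOCKFILE = json.loads('''
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"web-framework": "^2.1.0", "template-lib": "^1.4.0"},
         "devDependencies": {"test-runner": "^9.0.0"}},
    "node_modules/web-framework": {"version": "2.1.3", "dependencies": {"qs-parser": "^6.5.0"}},
    "node_modules/qs-parser": {"version": "6.5.2"},
    "node_modules/template-lib": {"version": "1.4.1"},
    "node_modules/test-runner": {"version": "9.0.0", "dev": true}
  }
}
''')

# Constructed advisory table; the "ADV-" identifiers are placeholders, not CVEs.
ADVISORIES = [
    {"id": "ADV-0001", "package": "qs-parser", "introduced": "6.0.0", "fixed": "6.5.3",
     "cvss": 7.5, "exploited_in_wild": True},
    {"id": "ADV-0002", "package": "template-lib", "introduced": "1.0.0", "fixed": "1.5.0",
     "cvss": 5.3, "exploited_in_wild": False},
    {"id": "ADV-0003", "package": "test-runner", "introduced": "9.0.0", "fixed": "9.0.1",
     "cvss": 9.8, "exploited_in_wild": False},
]


def parse_version(text):
    """'6.5.2' -> (6, 5, 2); plain numeric versions only, no pre-release tags."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version, introduced, fixed):
    """Affected when introduced <= version < fixed; the fixed release is clean."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def package_name(path):
    """'node_modules/a/node_modules/b' -> 'b' (last segment of a nested path)."""
    return path.rsplit("node_modules/", 1)[1]


def inventory(lock):
    """Flatten the lockfile into components flagged as direct and/or dev-only."""
    packages = lock["packages"]
    root = packages[""]
    direct = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    return [{"name": package_name(path), "version": meta["version"],
             "direct": package_name(path) in direct, "dev": bool(meta.get("dev", False))}
            for path, meta in packages.items() if path]


def parents_of(lock, name):
    """Immediate dependents that pull `name` into the tree."""
    return [package_name(path) for path, meta in lock["packages"].items()
            if path and name in meta.get("dependencies", {})]


def plan_action(lock, comp, adv):
    """Decide fix-now versus defer-with-justification and spell out the change."""
    if comp["dev"]:
        return "defer", (f"dev-only, not shipped at runtime: upgrade {comp['name']} to "
                         f">= {adv['fixed']} in the next maintenance window and record why")
    if comp["direct"]:
        return "fix", f"upgrade {comp['name']} {comp['version']} -> >= {adv['fixed']} in package.json"
    parents = ", ".join(parents_of(lock, comp["name"])) or "unknown parent"
    return "fix", (f"transitive via {parents}: upgrade the parent to a release requiring "
                   f"{comp['name']} >= {adv['fixed']}, or add an override pinning it")


def triage(lock, advisories):
    """Match the inventory against advisories and return a prioritised plan."""
    findings = []
    for comp in inventory(lock):
        for adv in advisories:
            if adv["package"] == comp["name"] and is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                tier, action = plan_action(lock, comp, adv)
                findings.append({"id": adv["id"], "package": comp["name"], "version": comp["version"],
                                 "cvss": adv["cvss"], "exploited": adv["exploited_in_wild"],
                                 "direct": comp["direct"], "dev": comp["dev"],
                                 "tier": tier, "action": action})
    # Runtime exposure before dev-only tooling, known-exploited before the rest,
    # then CVSS: a 9.8 in the test runner ranks below a 7.5 being exploited in shipped code.
    findings.sort(key=lambda f: (f["dev"], not f["exploited"], -f["cvss"]))
    return findings


if __name__ == "__main__":
    for rank, f in enumerate(triage(LOCKFILE, ADVISORIES), 1):
        print(f"{rank}. [{f['tier']}] {f['id']} {f['package']}@{f['version']} CVSS {f['cvss']}: {f['action']}")
```

The ordering is the point: sorted by CVSS alone the 9.8 in the test runner would head the list, yet it never reaches production, while the 7.5 in a transitive query-string parser is both reachable at runtime and being exploited. Real engagements replace the constructed advisory table with NVD and ecosystem advisory data and the version logic with the ecosystem's own range semantics.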

Yes, we are CREST accredited

Our core team is based in Singapore and consists of CREST certified penetration testers who also hold the Offensive Security Certified Professional (OSCP) certification. The team has delivered numerous penetration testing projects for customers in Singapore and other locations, from large multinational enterprises to small and medium businesses, across a range of industries.

Inside the third-party dependency footprint

Trust begins with knowing. Confidence begins with control.

Every software composition analysis covers:

  • Direct dependencies declared in package manifests
  • Transitive dependencies that direct packages introduce
  • Container base images and their dependency chains
  • Build configuration and CI/CD pipeline dependencies
  • Open-source components with active CVEs or security advisories
  • Outdated components with security patches released but not yet applied
  • Open-source licence obligations and conflicts for each open-source project
  • Software bills of materials (SBOMs) supporting open-source usage and risk management
  • Unmaintained packages with no development activity in the preceding 24 months
  • Supply chain risks from unverified package sources

FAQ

Software composition analysis examines open-source and third-party components your developers did not write, mapping them against known CVE databases and security advisories. A secure code review examines original application logic for implementation flaws. The two services address different risks and are often used together.

Every software composition analysis examines the dependency tree: direct packages in manifests such as package.json, pom.xml, and requirements.txt, plus transitive dependencies, build configurations, and container base images where relevant. Coverage spans major application stacks, including Java, .NET, Python, Ruby, JavaScript, and Go.

Swarmnetics can assess dependency manifests and build configuration files to map open-source components and their versions. Where source code is available, the review can validate deeper dependency chains, package usage, and build-time components.

A vulnerable open-source dependency can expose an application to remote code execution, privilege escalation, or data exposure without changes to your proprietary code. Attackers actively scan for known vulnerable versions in public ecosystems, which is why early dependency analysis matters.

A software composition analysis from Swarmnetics produces a draft report for your review, followed by a final report upon acceptance. Every finding is referenced against CVE identifiers and OWASP Dependency-Check vulnerability findings with a severity rating and specific remediation guidance — including the precise version upgrade, patch, or package substitution required. An executive summary is included for non-technical stakeholders. After you have addressed the findings, Swarmnetics conducts a follow-up review to confirm adequate remediation.

A software composition analysis is relevant to any organisation that develops custom applications or integrates open-source or third-party dependencies into its software. It is particularly important for organisations subject to regulatory, contractual, or industry security requirements that require security to be addressed within the software development lifecycle. Swarmnetics recommends conducting a software composition analysis before major releases, after significant code changes, and as a routine part of a secure SDLC programme.

The duration of a software composition analysis depends on the number of dependencies, the application stack, and the depth of transitive dependency analysis required. A typical software composition analysis engagement takes three to five business days, followed by an initial report within five business days for your review.

A software composition analysis is often required for compliance with applicable regulatory, contractual, or industry security obligations where organisations must address security within the software development lifecycle. It provides documented evidence of third-party dependency risk identification and management that regulators and auditors may request.

Every software composition analysis follows a three-phase process. In the planning phase, Swarmnetics agrees the scope and schedule with your team. In the assessment phase, our consultants perform automated dependency scanning using OWASP Dependency-Check cross-referenced against CVE databases to identify security weaknesses. In the reporting phase, we deliver a draft report for review and a final report with specific remediation guidance for every finding.

All Swarmnetics code analysis engagements are conducted by our Singapore-based team of security consultants holding the Offensive Security Certified Professional (OSCP) and CREST Registered Penetration Tester (CRT) credentials. Swarmnetics has been delivering technical security assessments to organisations across Singapore since 2015 and serves as a trusted VAPT partner for leading enterprises across technology, telecommunications, and professional services.

The security assessment report includes specific, actionable remediation guidance for every finding — not generic advice. For each vulnerability, we describe the fix, its priority based on CVSS severity, and any dependencies between remediation steps. Once your team has addressed the findings, Swarmnetics conducts a follow-up retest to verify that each vulnerability has been adequately remediated. The final report confirms closure and provides documented evidence of remediation.