awesome-sca

A comprehensive list of Software Composition Analysis Tools.

Following repo contains a collection of SCA tools which can be used to analyze risks in third party components which were used as part of code. Feel free to add up any new tools.

**Note: ©️ stands for proprietary sofware, Rest belongs to Free and Open Source softwares. **

Table of Contents

• Programming Languages
• Multiple Languages
• Vulnerability Databases
• SCA Platform
• Books
• Vulnerable Apps
• References

Programming Languages

Javascript

• Retire.js

Ruby

• bundler-audit

Multiple Languages

• BlackDuck ©️ Open source software security audit
• Bytesafe ©️ Discover and manage vulnerabilities in your dependencies
• Contrast Security ©️
• Debricked ©️
• Dependancy-Check - OWASP Dependancy-check supports Java, .Net. Additional experimental support has been added for Ruby,Node.js,Python and Limited C/C++ build systems.(autoconf and cmake)
• Flexera ©️
• nexB ©️
• OpenSCA - Apache License 2.0, OpenSCA is intended for scanning the third-party component dependencies and vulnerabilities.
• RogueWave ©️
• Snyk ©️ continuously find and fix vulnerabilities in your depandancies. it supports JS,Java,Python,Ruby,Go,PHP,.NET,Scala etc.
• Sonatype ©️
• Veracode ©️ (formerly SourceClear) - Thirdparty component analysis for Java, Ruby, Javascript, PHP, Python, Scala, Kotlin, C/C++, Objective C, Swift, Go, and .NET
• WhiteSource ©️ - Secure your opensource components for C#,Java,C++,.NET,PHP,Python,Ruby,Docker,nodejs,Javascript etc.
• Whitehat SCA ©️

Vulnerability Databases

• Debricked Vulnerability Database
• Exploit Database
• National Vulnerability Database
• Snyk Vulnerabilitydb
• VulnDB Data Mirror
• NIST Data Mirror

SCA Platform

• Dependancy Track

Books

• Securing Open Source Libraries By Guy Podjarny

Vulnerable Apps

Javascript

• goof

Java

• java-goof

References

Articles

• Choosing a tool to track and mitigate open source security vulnerabilities