Welcome to the Software Composition Analysis (SCA) service. This page provides essential information about the service including prerequisites, what it covers, the steps involved, how to apply and how your team can benefit. The SCA service helps your team gain visibility into third-party libraries used in your software and identify potential risks related to security vulnerabilities and licensing non-compliance.

This service can be used independently or in combination with other software reviews.

To apply for this service, you will need:

Your application or service listed in the GÉANT Software Catalogue – to help us identify and support your project.

📂 A code repository (e.g. GitLab or GitHub) – to access and analyse your codebase.

👨‍💻 A development team ready for collaboration – to support the setup and ensure analysis results are relevant and actionable.

The Software Composition Analysis service supports your team in detecting and managing risks in third-party libraries. The service includes:

🔧 Tool Setup and Configuration: We help you set up the SCA tool (Mend), configure it for your repository and prepare it for accurate scanning of third-party dependencies.

📑 Software Composition and Risk Reports: The tool produces reports listing third-party libraries, their licences and flags potential security issues. These are reviewed and shared with your team for action.

👨‍🏫 Expert Interpretation: We guide you through the analysis results, explain key findings and help assess the impact. Where needed, we provide follow-up support and coordinate potential subsequent Software Licence Analysis (SLA) for more detailed reviews.

Our goal is to help you manage the risks of using third-party code, stay compliant with licensing obligations and maintain secure software practices.

🔍 One-Time Setup
We run a snapshot analysis of your software’s third-party components and generate a report detailing library usage, detected licences and known vulnerabilities. This helps you understand your project’s external dependencies at a specific point in time.

🔄 Continuous Integration Setup
assist in integrating the SCA tool into your continuous integration (CI) pipeline (e.g. GitLab, Bamboo, Jenkins), enabling continuous monitoring and automated alerts for new third-party components or risks so your team can address issues proactively.

To get started, email us at sw-licences@software.geant.org, post in #sw-licences on the GÉANT Project Slack or submit a Software Review Request via the Help Desk.

Benefits of the service include:

🔹 Visibility into Third-Party Code: Provides a clear view of all third-party libraries in your project, helping you track and manage external components.

🔹Risk Detection and Reporting: Identifies known security vulnerabilities and licence risks in your dependencies using the up-to-date licences and vulnerability database.

🔹Integration with Development Workflow: Continuous Integration Setup embeds the SCA tool into your CI/CD process, enabling real-time feedback and reducing delays in risk detection.

🔹Support for Licence Compliance: Acts as a prerequisite for SLA by ensuring third-party dependencies are known, documented and ready for a thorough review.

  • Do we need technical expertise to use the SCA tool?
    No, we handle the setup, run the analysis and help interpret the results.
  • Is this service only for large projects?
    No, it is suitable for projects of any size.
  • Can the SCA tool be integrated with my current CI/CD platform?
    Yes, it supports GitLab, Bamboo, Jenkins and other platforms.
  • How often should we request an SCA analysis?
    For dynamic projects with evolving technical platforms, regular scans are recommended. For stable or pilot projects, a one-time scan may be sufficient; it can be repeated as needed.
  • What vulnerabilities does the SCA tool detect?
    It detects known vulnerabilities in third-party libraries based on an up-to-date vulnerability database.
  • What happens if a problematic licence is found?
    We provide guidance on how to resolve the issue including choosing alternatives or adjustments in usage.
  • What if we need help understanding the results?
    Reach out to the licensing team. We keep your request open until you fully understand the results and can provide a follow-up session if needed.