Software Composition Analysis

Don’t let your SOUP decompose

A popular topic over the last few years is software bill of materials (SBOM). A sensible step in summarizing your software inventory in an attempt to hinder hackers in the fight against cybercrime. However, the steps leading to the creation of SBOMs are arguably more important than the end result. Particularly when the number of third-party software items in modern medical devices or automotive products is increasing significantly. In this blog we look at the benefits of Software Composition Analysis (SCA).

The Background

As the number of third party software components integrated into modern embedded devices has increased significantly over the last few years. Commercial off the shelf software (COTS) or software of unknown provenance (SOUP) as it is known in the medical device sector is a key part of the software landscape nowadays. Third party software that is built on third party software is the norm. Where did this code come from? How was it developed? And did the COTS use proprietary code? Are just a few of the questions posed. SCA tools enable these questions to be answered.

The components and materials used in safety-relevant industries must be documented in a traceable manner and the manufacturers must be aware what they build in in their products. If there is a problem with hardware components or materials, the manufacturer may be notified by its supplier or might identify the problem during incoming inspection by performing measurements. In the case of software companies, the suppliers usually do not know who is using their SOUP in products and therefore cannot inform the manufacturers directly about any malfunctions or vulnerabilities. Although software verification activities help to identify malfunctions and vulnerabilities, not all problems in a SOUP can be found by the manufacturer. To keep an eye on integrated SOUPs in safety- relevant code manufacturers should perform a SCA and should evaluate security, quality, and license requirements of the implemented SOUPs.

Choosing the right COTS or SOUP

For the majority of medical device manufacturers, the activity of analysing SOUP is well known. The potential for third party software to result in an unacceptable risk is analysed through IEC 62304 and ISO 14971. Part of the ISO 14971 Risk Management Plan should define the expected SCA outcomes, and these shall be summarized in the Risk Management Report.

Each IEC 62304 and ISO 26262 training course we offer has a section about the importance of requirements. If you want to learn more, you can visit our website to find the upcoming training dates. You can also contact us and request your own personalized requirement training course or consulting services.

Learn more

The problem with licenses

Thinking of the hundreds of SOUPS used in a standard software development project, the SCA can be a time- consuming task. Especially if you do not have a huge legal department reading through license agree, engineers might also be overwhelmed with license agreements and – let’s be honest – you don’t become a software engineer because you like reading license agreements.

In recent years, more and more companies have emerged who specialize in buying open-source SOUPs and suing the manufacturer using these SOUPs in the event of license violations and getting justice in court. The penalties can run into the millions and mean ruin for some companies. Even if a SOUP is open source, that doesn’t automatically mean that you can use the SOUP as you wish. Many license agreements contain clauses that in the case of commercial use the manufacturer of the SOUP should be identified somewhere in the software or in the accompanying documentation. Some license agreements generally exclude commercial use of the SOUP.

SOUPs as a gateway for hackers

Unidentified vulnerabilities in SOUPS are gateways for hackers to access your software. A “famous” vulnerability that came up in 2021 was the Log4J vulnerability where hackers could inject malicious code and caused a remote code execution. Log4J is a java- based logging utility used to log messages within software and is used as a SOUP in several software projects.

This is where the SCA comes into play

A manual inspection of all used SOUPs for security, quality or license issues is not practical. SOUPs evolve and different versions of the SOUPs might be used in the manufacturers code. Tools were developed by different suppliers that scan your software code for open- source software and provide you with a SBOM. The SCA tools search for known security, quality or license issues associated with the identified SOUPs in vulnerability databases (e.g., National Vulnerability Database or Black Duck Knowledgebase) and provide you a SBOM.

SCA should ideally be run as soon as any new software is defined for the build rather than just before the baseline, hence allowing time to remedy any non-conforming code.

Avalaible Tools

There are a lot of SCA tools available on the market with a wide price range. The next section of this blog discusses the advantages and disadvantages of some of the tools and the experience our customers had with the tools.

Synopsys is the market leader and offers with Black Duck a comprehensive solution for managing security, license and quality issues arising from SOUPs. Synopsys maintains its own vulnerability database, which, according to Synopsys, goes beyond the content of other vulnerability databases.

The Synopsys analysis is based on a dependency analysis, code print analysis, a binary analysis, and a snippet analysis. The dependency analysis tracks declared and transitive dependencies. The code print analysis compares strings, files, and directory information to the database to identify the COTS or SOUP. The identification of compiled open-source code is done with the binary analysis. The snippet analysis avoids license issues by searching for copied code.

Black Duck provides you with a first- party SBOM and a third- party SBOM. The first- party SBOM is produced by a software builder and tracks dependencies and risks of the own software code. The third- party SBOM lists third- party software code and its dependencies and risks. Synopsis makes customized offers and has no pricing published.

Another popular SCA tool is Snyk. Snyk also established an own Snyk Vulnerability database. Snyk claims itself as the most developer- friendly SCA tool on the market. The claims are based on an intuitive and easy setup of Snyk and the possibility to integrate Snyk in existing workflows. Snyk can be integrated in the requirement management system Jira. Snyk offers a free trial and charges $ 52 per contributing developer/ month. For enterprise customized offers are made.

A tool that focuses on vulnerability detection in Java applications is Azul. Azul does not support license or code quality issues. Azul receives its information about vulnerabilities from the National Vulnerability Database. The pricing is based on the chosen support level and start at $6,000 per year for 250 vCores in the server variant and $14,000 per year for the standard support. Individual offers are made for the prime support. A free version is also available.

Cybellum not only creates SBOMs but offers the possibility to summarize SBOMs from different sources. Cybellum maintains these SBOMs in an own SBOM library. Cybellum also provides the possibility to validate compliance with regulatory requirements for different industries (e.g., automotive, medical devices). Cybellum has no solution for license clearing or detecting code quality.

An open – source solution is the OSV scanner developed by Google. This solution also provides its own database for vulnerabilities including – beside other databases- GitHub Security Advisories, PyPA, RustSec and Global Security Database. The OSV scanner focuses on vulnerabilities and does not offer support for license clearing or code quality.


There are many SCA tools on the market that offer different possibilities. Before starting the search for a SCA tool, you should summarize your expectations of the tool and derive requirements. The requirements are also necessary for the SCA validation, as the tool has critical influence on your product quality.

SCA should be supported by a tool, as manual SCA is too time consuming. Some manufacturers who have the capacity available write their own SCA tool but the available solutions on the market are already mature

Manufacturers should not see SCA as an overhead required by some auditors but as a method to produce safe and secure software code. Before purchasing a SCA tool you should identify your requirements on the tool and evaluate different tools. The SCA offers the benefit of improved security by identifying vulnerabilities and ensures compliance with legal requirements in safety- related industries. Another advantage is the identification of license violations, which can save a lot of money. The manufacturers can be comfortable that the chosen SOUPs are secure and reliable.

By Verena Wieser, Medical Device Consultant & Alastair Walker, Consultant & Owner

If you want to find out more about SCA or join one of our Cybersecurity, IEC 62304 or ISO 26262 training courses, please do not hesitate to contact us!



We look forward to hearing from you.

    Show privacy policy