ProGet x SCA
What is Software Composition Analysis?
Software Composition Analysis (SCA) is the automated process of identifying which third-party libraries, open-source packages, and other dependencies your applications use.
The identified packages are compiled into a Software Bill of Materials (SBOM), which is then compared against a variety of databases, including the National Vulnerability Database (NVD). The packages are then scanned for licenses and matched against compliance rules.
ProGet is a Universal Package Manager and Private Docker Registry that centralizes your organization’s applications, components, and third-party packages and containers. ProGet secures access to the technology you’re already using, including NuGet, npm, PowerShell, Chocolatey, maven, Docker, and more.
ProGet is self-managed, which means you can download and install it on-premises or in the cloud. It can work offline, and is easy to manage in both Windows and Linux environments.
Rising Needs for Software Composition Analysis
- 90% of modern applications use open-source software (OSS)
- Applications use 147 OSS components on average
- OSS vulnerabilities like log4j are rising year over year
- Supply Chain Attacks that target these components are increasing
- SBOM is becoming the standard for due diligence and distributing software
ProGet’s Features for Software Composition Analysis
ProGet automates the discovery of vulnerabilities in your applications, and offers actionable insights to help assess and remediate them.
This is done by scanning third-party packages and Docker container images that you use against vulnerability databases like the National Vulnerability Database.
ProGet can also block package usage by automatically assessing vulnerabilities based on the CVE Score or your team’s manual assessment.
License Detection & Blocking
ProGet can automatically detect the license agreement that a package is using, and show you which of your applications are using which open-source licenses.
You can also create rules to block packages with unwanted licenses (such as GPL-3) so that developers don’t accidentally incorporate them into a new project.
Track Package Usage
ProGet helps you track your organization’s open-source and third-party components (packages), and helps you identify issues like vulnerabilities, license violations, and missing packages.
This gives you invaluable insight into which versions of your applications are using which open-source packages and allows you to quickly identify the impact of critical bugs or security vulnerabilities discovered in open-source libraries.
Continuous Releases Analysis & Issues
After integrating ProGet into your CI/CD pipeline, ProGet will routinely analyze your releases (both in-flight and in production) for new vulnerabilities or unwanted licenses in the packages it uses.
When ProGet discovers a problem with a package in a release, an “issue” will be created, you’ll be notified, and you can work with your team to assess and resolve it.
Automatically Generate SBOM
You can import and export SBOM documents for a release in ProGet from the ProGet web UI or using the API.
When exporting an SBOM document, ProGet will merge metadata from the information stored in ProGet (such as the project name, release number, package licenses, etc.) as well as any additional component metadata found in the imported SBOM documents.
Direct Support from Product Engineers
We hate Helpdesk Hell just as much as you, which is why you’ll work directly with our engineers—the very same people who built our products and can change them.
From fast action on tickets to regular monitoring of Forums to an outrageously accessible CEO, we’re ready to help and listen.
Get Started with Software Composition Analysis
To help you evaluate ProGet’s Software Composition Analysis features, we’d be happy to provide a personalized demonstration. We can also provide a trial license if you’d like to try out some of the features that aren’t available in the free edition.