Software composition analysis (SCA) refers to tools that provide visibility into the open source used in a company's software. SCA tools detect all open source components, including direct and transitive dependencies, so that you can ensure license compliance and manage security vulnerabilities. Automation is an important part of SCA, particularly when it comes to prioritizing and remediating security vulnerabilities. SCA helps companies manage the risks associated with the use of open source components.
When choosing a software composition analysis tool, you need to consider both governance requirements and developer support, since without developers’ adoption there will be no remediation. Some of the solutions I have looked at are stronger in one area than the other. The best solutions are the ones that balance both governance and developer tools and can easily scale to meet your team’s growing needs.
This article looks at the most popular SCA tools: WhiteSource, Synopsys/Black Duck, Snyk, and Sonatype. Forrester Research considers WhiteSource and Synopsys the market leaders, while Snyk and Sonatype are in the strong performers category.
WhiteSource provides a well-integrated, easy-to-use tool that works right out of the box. It offers broad language support of more than 200 languages and gives you full visibility into your open source components, including their vulnerabilities, licenses, and dependencies. One of WhiteSource's most impressive features is Prioritize, its effective usage analysis tool. Prioritize ranks security vulnerabilities by severity and by whether your code actually reaches the vulnerable functionality, so you can focus first on remediating the vulnerabilities that present the biggest risk. WhiteSource is highly scalable, and users report that it has a negligible impact on the build regardless of size.
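To make the SCA concepts from the introduction and the prioritization idea above concrete, here is a toy SCA pass written for this article. It is an added example, not code from WhiteSource or any other vendor: it walks a constructed lockfile-style dependency graph from the application root, records which components are direct and which are transitive (and the path that pulls each one in), matches components against a constructed advisory feed by comparing versions against the fixed version, flags denied licenses, and then ranks findings the way an effective usage analysis would, putting vulnerabilities whose vulnerable function the application actually reaches ahead of equally severe ones it never calls. The package names, versions, advisories and the set of called symbols are all invented for the example.

```python
"""Toy software composition analysis pass. Added example for this article,
not any vendor's code. All manifest, advisory and call-graph data below is
constructed for illustration."""
from collections import deque

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed lockfile-style graph: package -> version, dependencies, license.
# "app" is the root. Note the tmpl <-> strutil cycle, which real graphs contain.
MANIFEST = {
    "app":      {"version": "1.0.0", "deps": ["webfw", "jsonlib"],  "license": "proprietary"},
    "webfw":    {"version": "2.3.1", "deps": ["tmpl", "httpcore"], "license": "MIT"},
    "jsonlib":  {"version": "0.9.0", "deps": [],                   "license": "Apache-2.0"},
    "tmpl":     {"version": "1.1.0", "deps": ["strutil"],          "license": "GPL-3.0"},
    "httpcore": {"version": "4.0.2", "deps": ["strutil"],          "license": "BSD-3-Clause"},
    "strutil":  {"version": "0.4.5", "deps": ["tmpl"],             "license": "MIT"},
}

# Constructed advisory feed: a component is affected if its version < fixed_in.
ADVISORIES = [
    {"package": "strutil",  "fixed_in": "0.5.0", "severity": "high",     "vulnerable_symbol": "strutil.unescape"},
    {"package": "httpcore", "fixed_in": "4.1.0", "severity": "critical", "vulnerable_symbol": "httpcore.parse_headers"},
    {"package": "jsonlib",  "fixed_in": "1.0.0", "severity": "medium",   "vulnerable_symbol": "jsonlib.loads"},
    {"package": "tmpl",     "fixed_in": "1.0.0", "severity": "high",     "vulnerable_symbol": "tmpl.render"},  # already fixed
]

# Constructed: symbols reachable from the application's call graph. A real
# usage analysis derives this from the code; here it is simply assumed.
CALLED = {"webfw.route", "jsonlib.loads", "httpcore.parse_headers", "strutil.pad"}

LICENSE_DENYLIST = {"GPL-3.0"}


def parse_version(v):
    """'4.0.2' -> (4, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def resolve(manifest, root):
    """Breadth-first walk from root. Records every reachable component, the
    shortest path that pulls it in, and whether it is a direct dependency.
    The seen-set makes cyclic graphs terminate."""
    components = {}
    queue = deque([(root, [root])])
    seen = {root}
    while queue:
        name, path = queue.popleft()
        for dep in manifest[name]["deps"]:
            if dep in seen:
                continue
            seen.add(dep)
            dep_path = path + [dep]
            components[dep] = {
                "version": manifest[dep]["version"],
                "license": manifest[dep]["license"],
                "path": dep_path,
                "direct": len(dep_path) == 2,  # root -> dep, nothing in between
            }
            queue.append((dep, dep_path))
    return components


def match_advisories(components, advisories):
    """Join the resolved components against the advisory feed by package name
    and version; an advisory whose fix predates the installed version is skipped."""
    findings = []
    for adv in advisories:
        comp = components.get(adv["package"])
        if comp is None:
            continue
        if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
            findings.append({**adv, "version": comp["version"],
                             "path": comp["path"], "direct": comp["direct"]})
    return findings


def prioritize(findings, called_symbols):
    """Effective-usage style ranking: reachability first, then severity, so a
    reachable medium outranks an unreachable high."""
    for f in findings:
        f["reachable"] = f["vulnerable_symbol"] in called_symbols
    return sorted(findings,
                  key=lambda f: (f["reachable"], SEVERITY_RANK[f["severity"]]),
                  reverse=True)


def license_violations(components, denylist):
    """Components whose license is on the denylist, with the path that pulled them in."""
    return [(name, c["license"], c["path"])
            for name, c in components.items() if c["license"] in denylist]


def run_scan(manifest=MANIFEST, advisories=ADVISORIES, called=CALLED, denylist=LICENSE_DENYLIST):
    components = resolve(manifest, "app")
    ranked = prioritize(match_advisories(components, advisories), called)
    return {"components": components,
            "vulnerabilities": ranked,
            "license_violations": license_violations(components, denylist)}


if __name__ == "__main__":
    report = run_scan()
    for f in report["vulnerabilities"]:
        kind = "direct" if f["direct"] else "transitive via " + " > ".join(f["path"][1:-1])
        print(f'{f["severity"]:8} reachable={f["reachable"]!s:5} {f["package"]}@{f["version"]} ({kind}), fix in {f["fixed_in"]}')
    for name, lic, path in report["license_violations"]:
        print(f"license {lic} on {name}, pulled in via {' > '.join(path)}")
```

On the constructed data the critical, reachable httpcore finding comes first, the medium but reachable jsonlib finding second, and the high but unreachable strutil finding last; the tmpl advisory drops out because the installed version already carries the fix. The path recorded for each transitive finding is what a developer needs to know which direct dependency to bump.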
When it comes to developer tools, WhiteSource has a broad portfolio. The company supports all the major IDEs and repositories. It also has a browser integration that lets developers see an open source component’s details — known vulnerabilities, quality scores, whether the component is currently in use within the organization — before downloading it to their repository.
Developers also like WhiteSource’s auto-remediation tool, which continuously looks for outdated libraries and offers automated fix pull requests for quicker remediation.
One of WhiteSource's weaknesses is its lack of a true free trial. Instead of self-service, WhiteSource requires you to configure its software with a sales engineer, which makes the process a bit more time-consuming. Despite this minor nuisance, WhiteSource is about 20% less expensive than the number-two ranked solution, and it provides a solid foundation of both governance and developer tools.
Synopsys/Black Duck has been in the application security testing market the longest of any of the solutions reviewed here and has a wide portfolio of application security testing tools, which includes static application security testing (SAST), interactive application security testing (IAST), and fuzz testing. Currently, Synopsys’s governance solution is the best on the market. It offers the most advanced reports and flexible policies available today.
Unfortunately, all this comes at a price. Synopsys costs roughly 20% more than WhiteSource. In addition, the onboarding process for Synopsys is notoriously long and complex. It can take companies from several months up to a year to be fully integrated and to access all the available reporting. On the licensing side, companies that need more complex licensing scans must buy additional Black Duck products.
Synopsys also falls short on the developer side. It offers no ability to prioritize vulnerabilities, its fix recommendations are limited, and users complain of a high false-positive rate for vulnerabilities. Some large enterprise customers have also reported scalability issues and claim that running Synopsys has an impact on the build.
Overall, Synopsys provides a solid solution — especially when it comes to governance — but considering its expense, I wonder whether it’s worth the upcharge.
As the relative newcomer on this list, Snyk touts itself as a developer-first security solution, and developers do report that Snyk is easy to use. Snyk offers a straightforward integration into the SDLC with support for all the major IDEs, auto-remediation of security vulnerabilities, and visualization of dependencies. For some high-impact vulnerabilities in open source libraries that don’t have a direct upgrade path, Snyk provides custom patching. Snyk is also strong when it comes to container security, offering a one-stop-shop for both open source software and configuration security issues for containers.
Despite its focus on developers, Snyk supports only nine programming languages, does not scan source files directly, and does not support C/C++. In addition, there is currently no browser integration.
One area in which Snyk is behind the competition is in its governance solution. Snyk needs better out-of-the-box audit and risk reporting. Customers report that Snyk’s policies are not yet robust enough to handle all their compliance needs. Right now, Snyk’s governance offering simply isn’t mature enough, and the company needs to invest in it.
If you’re looking to encourage hesitant developers to begin remediating open source software vulnerabilities during development, then Snyk might be a good fit for you. If your needs go beyond the developer to security professionals or legal teams, you might find Snyk isn’t quite enterprise-grade and doesn’t meet your more demanding expectations.
In contrast to Snyk, Sonatype's offerings are more focused on governance than developer tools. Sonatype provides vulnerability management across the software development life cycle, basic license detection, and compliance management. Compared with the other three vendors reviewed here, however, Sonatype's compliance offering is relatively weak. The solution offers limited remediation and does not currently support effective usage analysis.
As mentioned above, developer tools aren't Sonatype's area of strength. Sonatype is integrated with all the main IDEs and repositories, but detection, remediation, and alerts are all somewhat limited. Language support is also lean, at only 10 languages.
Sonatype offers a vast number of products under its Nexus umbrella. If you’re an existing Nexus customer, Sonatype’s solution may be a good fit. If you’re not a current customer, pricing and licensing make choosing the right solution a challenge. Before you choose Sonatype, you need to assess your company’s maturity level and ask yourself whether you simply want visibility into your open source usage or whether you need full control over your open source components so that you can remediate and manage your risk.
Software developers. Security experts. DevOps. Legal teams. Sales. CFOs. SCA solutions often touch multiple teams. The right software composition analysis solution depends on your company's focus and on who in your organization needs visibility into your open source use. Because of this, you need to thoroughly understand who is managing your open source code and how they are using it before you choose the solution that is right for you. It is all about striking a balance between governance and developer tools.
Of the four solutions I looked at, both Snyk and Sonatype have their advantages. Snyk is great for developers but falls short in other areas. Sonatype is a strong player on the governance side but disappoints with its developer tools. Unfortunately, neither is quite robust enough to be called an enterprise-ready solution.
WhiteSource and Synopsys provide mature, enterprise-ready SCA solutions. Synopsys is at the top of governance. However, WhiteSource's ability to prioritize open source vulnerabilities, together with a price tag about 20% below Synopsys, makes it the clear leader in the SCA market. For me, WhiteSource strikes the best balance between mature governance and strong developer tools.