← CRA Glossary
Technical Security

Software Composition Analysis (SCA)

Software Composition Analysis (SCA) is the automated process of identifying open-source and third-party components in a codebase and checking them against known vulnerability databases to detect security risks. SCA is the primary technical mechanism for meeting the CRA's requirement that manufacturers identify and manage vulnerabilities in their products' components.

Software Composition Analysis (SCA) is the automated process of identifying open-source and third-party components in a codebase and checking them against known vulnerability databases to detect security risks. SCA is the primary technical mechanism for meeting the CRA's requirement that manufacturers identify and manage vulnerabilities in their products' components.

Technical Security
Free CVD portal →

What Is Software Composition Analysis?

Software Composition Analysis (SCA) is an automated security testing discipline that scans a codebase, build artefact, or binary to identify all third-party and open-source components — libraries, frameworks, modules, and their transitive dependencies — and then cross-references each identified component against vulnerability databases (CVE/NVD, OSV, vendor advisories) to detect known security issues. SCA tools can also identify licence compliance risks. Modern SCA is integrated into CI/CD pipelines so that vulnerability checks run automatically at every build, providing developers with near-real-time feedback on newly discovered vulnerabilities in components they already use.

CRA reference:Article 13(5), Annex I Part I(2)(f)

Why SCA Is Essential for CRA Compliance

Article 13(5) of the CRA requires manufacturers to identify and document the components contained in their products, and Annex I Part I(2)(f) requires manufacturers to address vulnerabilities in those components. SCA is the scalable mechanism that makes both obligations achievable. Without SCA, manually tracking hundreds of dependencies across multiple product versions and monitoring each for new CVEs is operationally infeasible. SCA tools automatically generate SBOM artefacts (in CycloneDX or SPDX format) as a build output and alert when any component has a newly disclosed vulnerability — providing the actionable intelligence needed to meet the CRA's patching obligations without undue delay.

CRA reference:Article 13(5), Annex I Part I(2)(f)

How Manufacturers Implement SCA

Effective SCA implementation requires integration at multiple points in the development lifecycle. During development, SCA should run on every pull request, blocking merges when newly introduced components carry critical vulnerabilities. In CI/CD pipelines, SCA should run on every build and fail the build on policy violations (e.g. new critical CVEs). At release, SCA output should generate the SBOM that accompanies each product version. Post-release, manufacturers should subscribe to vulnerability feeds and configure SCA tooling to alert the product security team when any component in a shipped product receives a new CVE. This continuous monitoring is what enables the timely patch response that the CRA requires.

CRA reference:Article 13(3)(5), Annex I Part I

Common Mistakes

The most common SCA implementation error is scanning only direct dependencies and missing transitive (indirect) dependencies — which often constitute the majority of a product's open-source exposure. Another error is treating SCA as a development-phase activity only: manufacturers must also monitor components in shipped products after release, as new CVEs are discovered in already-integrated packages continuously. A third mistake is configuring SCA to alert without establishing a defined remediation process: an alert that no one acts on provides no compliance benefit. Finally, manufacturers sometimes rely on package manager manifests alone, missing components bundled as binaries or copied source files.

CRA reference:Article 13(5)

CVD Portal makes Software Composition Analysis (SCA) compliance straightforward.

Public CVD submission portal, acknowledgment tracking, Article 14 deadline alerts, and CSAF advisory generation. Free forever for EU manufacturers.

Start your free portal

Frequently asked

Is SCA the same as vulnerability scanning?+

They are related but distinct. Vulnerability scanning typically refers to scanning a running system, network, or host for known vulnerabilities using active probing techniques. SCA analyses source code, build manifests, or binary artefacts to identify the open-source components they contain and match them against vulnerability databases — without requiring a running system. Both are valuable; SCA focuses specifically on the supply chain risk from third-party components, while vulnerability scanning assesses the broader deployed system.

What output does SCA produce for CRA compliance purposes?+

SCA tools typically produce: (1) an SBOM listing all identified components with versions, licences, and vulnerability status; (2) a vulnerability report mapping each component to its known CVEs with CVSS severity ratings; and (3) a policy evaluation result indicating whether the product meets the manufacturer's configured security policies (e.g. no critical unpatched CVEs). The SBOM output is directly relevant to the CRA's Article 13(5) documentation requirement. The vulnerability report feeds the remediation process required by Annex I Part I(2)(f).

How often should SCA be run on products already in the market?+

For products already placed on the market, manufacturers should run SCA checks at minimum when new CVEs are published against components in their product. In practice, this means subscribing to vulnerability feeds (NVD, OSV, vendor advisories) and re-evaluating the SBOM against new disclosures continuously. Most SCA platforms offer scheduled re-scanning and alerting on new CVE disclosures for existing SBOMs. Given the CRA's obligation to address vulnerabilities 'without undue delay', a re-scan interval of no more than 24 hours for critical vulnerability feeds is advisable.

Related terms

Software Bill of Materials (SBOM)An SBOM is a formal, machine-readable inventory of all software components — including open-source libraries, third-party dependencies, and firmware packages — that make up a product. The EU Cyber Resilience Act requires manufacturers to maintain an SBOM as part of their technical documentation.Software Supply Chain SecuritySoftware supply chain security encompasses the practices and controls that ensure the integrity, authenticity, and security of all software components — open-source libraries, commercial off-the-shelf modules, and development toolchains — that are integrated into a product. The CRA places explicit obligations on manufacturers to manage supply chain security throughout the product lifecycle.Vulnerability ScanningVulnerability scanning is the automated process of probing systems, networks, or applications to identify known security weaknesses by comparing observed configurations and software versions against databases of known vulnerabilities. It provides continuous visibility into a product's security posture and supports the CRA's requirement that manufacturers monitor and address vulnerabilities throughout a product's lifecycle.Common Vulnerabilities and Exposures (CVE)CVE is a public catalogue of known cybersecurity vulnerabilities, each assigned a unique identifier (e.g. CVE-2024-12345) maintained by MITRE. Under the CRA, manufacturers are expected to track CVEs affecting their products and report actively exploited vulnerabilities to ENISA.

CRA articles using this term

Article 13Coordinated Vulnerability Disclosure Obligations for ManufacturersAnnex IEssential Cybersecurity Requirements for Products with Digital ElementsArticle 10Obligations of Manufacturers — Product Security by Design

Browse the full CRA Compliance Checklist

See how Software Composition Analysis (SCA) fits into your complete CRA compliance programme.

View checklists →