Learn English vocabulary for Software Composition Analysis (SCA): Snyk, FOSSA, Black Duck, open source license compliance, GPL copyleft, REUSE specification, and dependency graph scanning.
1 / 5
SCA (Software Composition Analysis) tools like Snyk, FOSSA, and Black Duck primarily help organisations:
SCA tools scan your source tree, dependency manifests and lockfiles to build a component inventory (every third-party package and the exact version you ship, including transitive dependencies), then cross-reference each component and version against vulnerability databases (CVEs, OSS advisories) and a licence database. The result gives security and legal teams one view of what third-party code is in a product and what risk each piece carries. The lockfile matters more than the manifest: the manifest says what you asked for, the lockfile says what was actually resolved and installed.
2 / 5
'Copyleft' in open source licensing (e.g., GPL) means:
GPL copyleft is a share-alike condition, often called 'viral': if you distribute a work that incorporates GPL-licensed code, the combined work must be licensed under the GPL and its corresponding source offered to the recipients. The condition is triggered by distribution, so purely internal use of GPL code obliges you to release nothing (AGPL goes further and treats interaction over a network as a trigger as well). This is a major concern for commercial software, which is why SCA tools flag GPL components in products that are distributed under proprietary terms.
3 / 5
A 'license risk' classification of 'high risk' for a dependency typically indicates:
SCA tools classify licences by business risk to the licensee. Permissive licences (MIT, BSD, Apache 2.0) are low risk: you must preserve the notices, but may ship the code inside a proprietary product. Weak copyleft (LGPL, MPL) is medium risk: the obligation stays confined to the component itself, so modifications to that library must be shared, but your own code can stay closed as long as the library is used as a separately replaceable unit (for LGPL, typically dynamic linking). Strong copyleft (GPL, AGPL) is high risk for proprietary products, because shipping a product that incorporates GPL code can oblige you to license the entire product under the GPL; AGPL adds the network-use trigger, so even a backend that is never shipped to customers counts. A dependency with no recognised licence at all should be treated as high risk, not as free of obligations.
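The inventory-and-cross-reference step from question 1 and the risk tiers above, as an added example (my code, not that of Snyk, FOSSA or Black Duck). The pinned requirements file, the advisory feed, the advisory identifiers and the per-package licence metadata are all constructed inline so the script runs offline; a real tool would pull them from OSV/NVD, the package registry and a curated licence database.

```python
"""Added example, not the code of any SCA vendor: a toy SCA pass.

It turns a pinned requirements file into a component inventory, matches each
component against an advisory feed, and classifies each licence into the
low / medium / high copyleft-risk tiers.  Lockfile, advisories, identifiers
and licence metadata are all constructed for this example.
"""
import re

# Constructed requirements.txt with exact pins (package names are hypothetical).
LOCKFILE = """\
# constructed lockfile
acme-http==2.25.1
Yaml_Tool==5.3.1   ; python_version >= "3.8"
widgetlib==1.4.0
"""

# Constructed advisory feed: every version below `fixed` is affected.
ADVISORIES = [
    {"package": "yaml-tool", "fixed": "5.4", "id": "EXAMPLE-ADV-0001"},
    {"package": "acme-http", "fixed": "2.20.0", "id": "EXAMPLE-ADV-0002"},
]

# Constructed licence metadata, as a registry would report it.
PACKAGE_LICENSES = {
    "acme-http": "Apache-2.0",
    "yaml-tool": "MIT",
    "widgetlib": "GPL-3.0-only",
}

# Risk tiers: permissive = low, weak copyleft = medium, strong copyleft = high.
RISK_BY_LICENSE = {
    "MIT": "low", "BSD-3-Clause": "low", "Apache-2.0": "low", "ISC": "low",
    "LGPL-2.1-only": "medium", "LGPL-3.0-only": "medium", "MPL-2.0": "medium",
    "GPL-2.0-only": "high", "GPL-3.0-only": "high", "AGPL-3.0-only": "high",
}


def normalize_name(name):
    """PEP 503 normalisation: case-insensitive; '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """Dotted numeric versions compared as tuples: (5, 3, 1) < (5, 4).
    Real tools use a PEP 440 / semver parser; this ignores pre-release tags."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_lockfile(text):
    """Build the component inventory: {normalised name: pinned version}."""
    inventory = {}
    for line in text.splitlines():
        # Drop comments and environment markers, keep only `name==version`.
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==", 1)
        inventory[normalize_name(name)] = version.strip()
    return inventory


def classify_licence(spdx_id):
    """Unknown or missing licences are high risk: unreviewed is not safe."""
    return RISK_BY_LICENSE.get(spdx_id, "high")


def run_sca(lockfile_text, advisories=ADVISORIES, licences=PACKAGE_LICENSES):
    """Cross-reference the inventory against the advisory feed and licence data."""
    report = {}
    for name, version in parse_lockfile(lockfile_text).items():
        hits = [
            adv["id"] for adv in advisories
            if normalize_name(adv["package"]) == name
            and parse_version(version) < parse_version(adv["fixed"])
        ]
        licence = licences.get(name, "UNKNOWN")
        report[name] = {
            "version": version,
            "advisories": sorted(hits),
            "licence": licence,
            "licence_risk": classify_licence(licence),
        }
    return report


if __name__ == "__main__":
    for name, entry in run_sca(LOCKFILE).items():
        flags = ", ".join(entry["advisories"]) or "none"
        print(f"{name}=={entry['version']}: advisories={flags} "
              f"licence={entry['licence']} ({entry['licence_risk']} risk)")
```

Two details carry over to real tooling: names are normalised before matching (otherwise `Yaml_Tool` and `yaml-tool` look like different packages and the advisory is missed), and a package with no recognised licence lands in the high-risk bucket rather than silently passing.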
4 / 5
Dependabot monitors your dependency manifests and lockfiles. When a security advisory is published that matches a version you use, it opens a pull request bumping that package to the minimum version that resolves the vulnerability, so the diff stays as small as possible. With a .github/dependabot.yml in the repository it also opens PRs for routine version updates on a schedule, keeping the dependency tree current. Review these PRs like any other code change and let CI run on them: an automated bump is itself a supply-chain vector if the upstream release was tampered with.
5 / 5
The REUSE specification (from the FSFE) addresses open source compliance by requiring:
REUSE requires that every file state its copyright holder and licence as SPDX tags (SPDX-FileCopyrightText and SPDX-License-Identifier), either in a header comment or, for files that cannot carry comments such as images, in a sidecar file named <file>.license. The full text of every licence used must live in a LICENSES/ directory, one file per SPDX identifier (for example LICENSES/MIT.txt). The reuse command-line tool (reuse lint) validates compliance. This makes SCA results more reliable: a tool can read the licence of each file directly instead of inferring a single licence for the whole package from its metadata, which misses vendored files that carry a different licence.
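A minimal REUSE-style check, as an added example (my code, not the FSFE's reuse tool). It reads the SPDX tags from the top of each file, or from the <file>.license sidecar where one exists, and verifies that every licence identifier used has a full text in LICENSES/. The project tree it lints is constructed in a temporary directory, and the copyright holder and licence texts in it are placeholders.

```python
"""Added example, not the FSFE `reuse` tool: a minimal REUSE-style lint."""
import os
import re
import tempfile

COPYRIGHT_RE = re.compile(r"SPDX-FileCopyrightText:\s*\S")
# Captures `MIT`, `GPL-3.0-only`, `MIT OR Apache-2.0`; parenthesised
# expressions are not handled by this toy parser.
LICENSE_RE = re.compile(
    r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+(?:\s+(?:OR|AND|WITH)\s+[A-Za-z0-9.+-]+)*)"
)
SPLIT_RE = re.compile(r"\s+(?:OR|AND|WITH)\s+")
HEADER_BYTES = 4096  # tags are expected near the top of the file

# Constructed project: a compliant source file, one missing its licence tag,
# one using a licence with no text in LICENSES/, and a binary with a sidecar.
SAMPLE_FILES = {
    "LICENSES/MIT.txt": "MIT License\n\n(placeholder for the full licence text)\n",
    "LICENSES/Apache-2.0.txt": "Apache License 2.0\n\n(placeholder for the full licence text)\n",
    "src/good.py": "# SPDX-FileCopyrightText: 2024 Example Org\n# SPDX-License-Identifier: MIT\n\nprint('ok')\n",
    "src/nolicense.py": "# SPDX-FileCopyrightText: 2024 Example Org\n\nprint('no licence tag')\n",
    "src/unknown.py": "# SPDX-FileCopyrightText: 2024 Example Org\n# SPDX-License-Identifier: GPL-3.0-only\n",
    "assets/logo.png": b"\x89PNG\r\n\x1a\n" + bytes(range(256)),
    "assets/logo.png.license": "SPDX-FileCopyrightText: 2024 Example Org\nSPDX-License-Identifier: Apache-2.0\n",
}


def build_sample_tree(root):
    """Write the constructed project under `root`."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        mode = "wb" if isinstance(content, bytes) else "w"
        with open(path, mode, **({} if mode == "wb" else {"encoding": "utf-8"})) as fh:
            fh.write(content)


def read_header(path):
    """Text a REUSE tool would scan for tags: the sidecar if one exists."""
    sidecar = path + ".license"
    target = sidecar if os.path.exists(sidecar) else path
    with open(target, "rb") as fh:
        return fh.read(HEADER_BYTES).decode("utf-8", errors="ignore")


def parse_tags(header):
    """Return (has_copyright, set of licence identifiers) found in a header."""
    has_copyright = COPYRIGHT_RE.search(header) is not None
    ids = set()
    for match in LICENSE_RE.finditer(header):
        ids.update(tok.strip() for tok in SPLIT_RE.split(match.group(1)) if tok.strip())
    return has_copyright, ids


def check_tree(root):
    """Walk `root` and report every file that fails a REUSE requirement."""
    licenses_dir = os.path.join(root, "LICENSES")
    available = (
        {name[:-4] for name in os.listdir(licenses_dir) if name.endswith(".txt")}
        if os.path.isdir(licenses_dir) else set()
    )
    report = {"missing_copyright": [], "missing_license": [], "unknown_licenses": []}
    for dirpath, dirnames, filenames in os.walk(root):
        # LICENSES/ holds the texts themselves and is not a subject of the check.
        dirnames[:] = [d for d in dirnames
                       if not d.startswith(".") and not (dirpath == root and d == "LICENSES")]
        for name in filenames:
            if name.endswith(".license"):
                continue  # sidecar: read via its subject file
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            has_copyright, ids = parse_tags(read_header(path))
            if not has_copyright:
                report["missing_copyright"].append(rel)
            if not ids:
                report["missing_license"].append(rel)
            for lic in sorted(ids - available):
                report["unknown_licenses"].append((rel, lic))
    for key in report:
        report[key].sort()
    report["compliant"] = not any(report[k] for k in ("missing_copyright", "missing_license", "unknown_licenses"))
    return report


def demo():
    """Build the constructed project in a temporary directory and lint it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return check_tree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two failure modes it reports are exactly the ones that make package-level licence detection unreliable: a file with no licence tag has no stated terms at all, and a file whose tag names a licence absent from LICENSES/ cannot be audited from the repository alone. The sidecar handling is what lets binaries such as images pass the same check.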