
Software Composition Analysis for Proactive Threat Detection in Software Dependencies with Real-Time Security Monitoring

Publication Type : Conference Paper

Publisher : IEEE

Source : 2025 2nd International Conference on Computing and Data Science (ICCDS)

Url : https://doi.org/10.1109/iccds64403.2025.11209681

Campus : Chennai

School : School of Computing

Department : Computer Science and Engineering

Year : 2025

Abstract :

Open-source dependencies are critical to secure, especially at a time when the security of the software supply chain is a pertinent issue. This paper proposes a novel Software Composition Analysis (SCA) framework that attempts to mitigate risks in modern software ecosystems by integrating real-time vulnerability detection, security validation, and compliance enforcement. The proposed solution uses dependency tree analysis to map direct and transitive dependencies and verifies those dependencies against authoritative vulnerability databases such as the NVD, OSV, and GitHub Security Advisories. To further strengthen the security posture, the framework also provides SAST and DAST for proactively scanning insecure code patterns and runtime vulnerabilities. Cipher suite analysis evaluates encryption strength by detecting weak cryptographic settings, while container security scanning (Trivy) secures the deployment environment. License compliance through SSL handshake analysis would also serve to diminish the legal risk of open-source components. The implementation is fully automated, providing continuous security integration with CI/CD tools (Jenkins, GitHub Actions) and enabling monitoring and real-time threat intelligence updates. The experimental setup tested the system against 50+ open-source repositories of diverse dependency depths and showed a 37% reduction in undetected vulnerabilities. By linking automation, security intelligence, and compliance enforcement, it addresses critical gaps in modern software development, making this framework a viable and industry-relevant solution for software supply chain security. It shows promise for hardening applications against dynamic threats, thereby nurturing trust, resilience, and forward-looking cyber security in a vast interlinked ecosystem.
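The core step the abstract describes, walking a dependency tree and matching every direct and transitive package against advisory version ranges, can be illustrated with the following added example. It is not the paper's code; it is a stand-alone script that works on a constructed lockfile-style tree and on constructed advisories written in the OSV record shape (package name plus SEMVER ranges with introduced/fixed events). All package names, versions, and advisory IDs (EXAMPLE-2025-0001 and -0002) are hypothetical, and the script runs fully offline rather than querying OSV, the NVD, or GitHub Security Advisories.

```python
"""Added example, not the paper's implementation: flatten a dependency tree
and flag any package whose version falls inside an OSV-style affected range.
All dependency and advisory data below is constructed for illustration."""

# Constructed lockfile-like tree: each node has a name, a resolved version,
# and its own child dependencies (so transitive dependencies are nested).
DEPENDENCY_TREE = {
    "name": "example-app", "version": "1.0.0",
    "dependencies": [
        {"name": "web-framework", "version": "2.3.1", "dependencies": [
            {"name": "template-engine", "version": "1.4.0", "dependencies": []},
            {"name": "yaml-parser", "version": "5.3.1", "dependencies": []},
        ]},
        {"name": "http-client", "version": "0.9.2", "dependencies": [
            {"name": "yaml-parser", "version": "5.4.0", "dependencies": []},
        ]},
    ],
}

# Constructed advisories in the OSV record shape (hypothetical IDs): a package
# is affected from an "introduced" version up to, but excluding, a "fixed" one.
ADVISORIES = [
    {"id": "EXAMPLE-2025-0001",
     "summary": "yaml-parser: unsafe load allows code execution",
     "affected": [{"package": {"name": "yaml-parser"},
                   "ranges": [{"type": "SEMVER", "events": [
                       {"introduced": "0"}, {"fixed": "5.4.0"}]}]}]},
    {"id": "EXAMPLE-2025-0002",
     "summary": "template-engine: sandbox escape",
     "affected": [{"package": {"name": "template-engine"},
                   "ranges": [{"type": "SEMVER", "events": [
                       {"introduced": "1.2.0"}, {"fixed": "1.4.1"}]}]}]},
]


def parse_semver(version):
    """Turn '5.3.1' into (5, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def walk(node, path=()):
    """Yield (name, version, path) for every package below the root.

    The path records how the package was reached; a path longer than one
    element means the package is a transitive dependency.
    """
    for dep in node.get("dependencies", []):
        dep_path = path + (dep["name"],)
        yield dep["name"], dep["version"], dep_path
        yield from walk(dep, dep_path)


def version_in_range(version, events):
    """Evaluate OSV SEMVER events (sorted ascending) against one version.

    An 'introduced' event at or below the version marks it affected; a later
    'fixed' event at or below the version clears that status again.
    """
    v = parse_semver(version)
    affected = False
    for event in events:
        if "introduced" in event and v >= parse_semver(event["introduced"]):
            affected = True
        if "fixed" in event and v >= parse_semver(event["fixed"]):
            affected = False
    return affected


def scan(tree, advisories):
    """Return one finding per (advisory, package occurrence) that is affected."""
    findings = []
    for name, version, path in walk(tree):
        for advisory in advisories:
            for affected in advisory["affected"]:
                if affected["package"]["name"] != name:
                    continue
                for rng in affected["ranges"]:
                    if rng["type"] != "SEMVER":
                        continue  # GIT/ECOSYSTEM ranges need other comparators
                    if version_in_range(version, rng["events"]):
                        findings.append({
                            "id": advisory["id"],
                            "package": name,
                            "version": version,
                            "transitive": len(path) > 1,
                            "path": " > ".join(path),
                        })
    return findings


if __name__ == "__main__":
    results = scan(DEPENDENCY_TREE, ADVISORIES)
    for finding in results:
        kind = "transitive" if finding["transitive"] else "direct"
        print(f"{finding['id']}: {finding['package']}@{finding['version']} "
              f"({kind} via {finding['path']})")
    # A CI job would fail the build on any finding; exit status 1 signals that.
    raise SystemExit(1 if results else 0)
```

Two details matter in practice. First, the same package may be resolved at several versions in one tree (here yaml-parser at 5.3.1 and 5.4.0); the scan reports the unfixed 5.3.1 copy even though a fixed copy is also present, which is exactly the transitive case a lockfile-level check must not miss. Second, the comparator above only handles plain numeric SEMVER ranges; real OSV records also carry ECOSYSTEM and GIT ranges plus pre-release versions, so a production scanner should use an ecosystem-aware version library instead of integer tuples.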

Cite this Research Publication : Chinni Krishna Kowsik P, Uday Reddy H, Udhayakumar S, Saranya G, Software Composition Analysis for Proactive Threat Detection in Software Dependencies with Real-Time Security Monitoring, 2025 2nd International Conference on Computing and Data Science (ICCDS), IEEE, 2025, https://doi.org/10.1109/iccds64403.2025.11209681
