A curated list of Software Component Analysis (SCA) books, courses - free and paid, videos, tools and tutorials. SCA is a technique to find third party vulnerable components used in your code.

Contributions welcome. Add links through pull requests or create an issue to start a discussion.

• Books
• Articles
• Courses
• Free Tools
• Commercial Tools
• Vulnerability Databases
• References
• Credits
• Contributing

• Securing Open Source Libraries By Guy Podjarny

• Component Analysis from OWASP
• Guide to Software Composition Analysis (SCA) by Snyk

Courses/videos on SCA.

• Software Composition Analysis Deep Dive by Ulisses Albuquerque

• DevSecOps Professional by Practical DevSecOps
• SANS 540 - Cloud Security and DevSecOps Automation

Client Side Libraries:

• Retire.js

Backend Libraries:

• NPM Audit
• AuditJS

• bundler-audit
• Chelsea

• Dependancy-Check

• Safety from Pyup

• Local PHP Security Checker

• Nancy

• dotnet CLI
• Dependancy-Check
• WhiteSource Bolt (Free offering that currently works within Azure DevOps or GitHub)

Most commercial SCA tools support multiple programming languages like Java, Python, Ruby, Go, PHP,.NET,Scala and license scans.

• Snyk
• SourceClear
• Sonatype
• BlackDuck
• Contrast Security
• WhiteSource
• Whitehat SCA
• Debricked

• National Vulnerability Database
• Snyk Vulnerabilitydb
• VulnDB Data Mirror
• NIST Data Mirror
• Exploit Database

• This repo is based on the original work done by our friend @raghunath24

Please refer the guidelines at contributing.md for details.