Tool or Toy: Are SCA tools ready for challenging scenarios?

IF 5.4 | Zone 2, Computer Science | Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS
Congyan Shu , Wentao Chen , Guisheng Fan , Huiqun Yu , Zijie Huang , Yuguo Liang
Computers & Security, vol. 158, Article 104624, published 2025-08-09. DOI: 10.1016/j.cose.2025.104624. https://www.sciencedirect.com/science/article/pii/S016740482500313X
Citations: 0

Abstract

The widespread adoption of open-source software (OSS) has introduced new security challenges to the software supply chain. Existing studies confirm the basic capabilities of Software Composition Analysis (SCA) tools, such as vulnerability detection and dependency resolution, but they often focus on a single ecosystem or a single detection aspect. This limited scope overlooks real-world complexities, including multi-language ecosystems, source and binary dependencies, and adversarial threats. Without a comprehensive evaluation, SCA tools may perform well in controlled settings but struggle in more complex scenarios. To address this gap, this study proposes an evaluation framework centered on the core functionalities of SCA tools: dependency detection, vulnerability identification, and license inspection. It covers three key dimensions: compatibility with multi-language ecosystems, build forms (source and binary), and defense against attacks. Using standardized datasets and quantitative metrics, such as precision, recall, F1-score and standard deviation, we evaluate four representative SCA tools, including both open-source and commercial options. Results reveal significant limitations in binary dependencies, language coverage, and license consistency. SCA tools also struggle to balance precision, coverage and robustness. The study highlights systemic shortcomings in current SCA tools, revealing that many perform like limited-use toys under real-world conditions. It offers data-driven recommendations to guide the evolution of these tools into practical, reliable solutions for supply chain security governance.
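The scoring the abstract describes (precision, recall and F1 per ecosystem, with the standard deviation of F1 across ecosystems as a robustness indicator) is illustrated below in Python. This is an added example, not the paper's code or dataset: the `ecosystem:name@version` line format, the ground-truth inventory and the tool report are all constructed, and the report is written to contain the three defects the abstract points at (a false positive, a wrong-version match, and nothing reported for the binary/native layer).

```python
"""Score an SCA tool's reported dependencies against a ground-truth inventory.

Constructed example, not the paper's code or dataset. Metrics are the standard
precision = TP/(TP+FP), recall = TP/(TP+FN), F1 = 2PR/(P+R); the population
standard deviation of F1 across ecosystems is used as a simple robustness
indicator (a low spread means the tool behaves consistently across ecosystems).
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import pstdev
from typing import Iterable


@dataclass(frozen=True)
class Component:
    ecosystem: str  # e.g. "npm", "maven", "pypi"; "native" marks binary deps
    name: str
    version: str


# Constructed format: one "ecosystem:name@version" per line, '#' starts a comment.
# GROUND_TRUTH stands in for a hand-verified SBOM of what the project ships.
GROUND_TRUTH = """
npm:lodash@4.17.20
npm:minimist@1.2.5
maven:org.apache.logging.log4j/log4j-core@2.14.1
maven:com.fasterxml.jackson.core/jackson-databind@2.9.10
pypi:requests@2.25.1
native:zlib@1.2.11
native:openssl@1.1.1k
"""

# TOOL_REPORT is a constructed SCA output with three typical defects: a false
# positive (left-pad), a wrong version (jackson-databind), and nothing at all
# for the statically linked native layer (zlib, openssl).
TOOL_REPORT = """
npm:lodash@4.17.20
npm:minimist@1.2.5
npm:left-pad@1.3.0
maven:org.apache.logging.log4j/log4j-core@2.14.1
maven:com.fasterxml.jackson.core/jackson-databind@2.9.10.1
pypi:requests@2.25.1
"""


def parse_inventory(lines: Iterable[str]) -> set[Component]:
    """Parse the constructed line format; blank lines and comments are skipped."""
    out: set[Component] = set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ecosystem, _, rest = line.partition(":")
        name, sep, version = rest.rpartition("@")  # last '@' splits name/version
        if not ecosystem or not sep or not name or not version:
            raise ValueError(f"malformed component line: {line!r}")
        out.add(Component(ecosystem, name, version))
    return out


def prf1(tp: int, fp: int, fn: int) -> tuple[float, float, float]:
    """Precision, recall, F1; an empty denominator yields 0.0 by convention."""
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


def score(truth: set[Component], detected: set[Component],
          version_sensitive: bool = True) -> dict[str, tuple[float, float, float]]:
    """Per-ecosystem (precision, recall, f1) plus an 'all' row over everything.

    With version_sensitive=False a hit only needs the right name. Comparing both
    runs shows how much recall comes from naming the right package at the wrong
    version, which still breaks a version-keyed vulnerability lookup.
    """
    if version_sensitive:
        key = lambda c: (c.ecosystem, c.name, c.version)
    else:
        key = lambda c: (c.ecosystem, c.name)
    t = {key(c) for c in truth}
    d = {key(c) for c in detected}
    ecosystems = sorted({c.ecosystem for c in truth | detected})
    result = {}
    for eco in ecosystems + ["all"]:
        tk = {k for k in t if eco == "all" or k[0] == eco}
        dk = {k for k in d if eco == "all" or k[0] == eco}
        result[eco] = prf1(len(tk & dk), len(dk - tk), len(tk - dk))
    return result


def f1_spread(per_eco: dict[str, tuple[float, float, float]]) -> float:
    """Population std dev of F1 across ecosystems, ignoring the aggregate row."""
    return pstdev(v[2] for k, v in per_eco.items() if k != "all")


def evaluate(version_sensitive: bool = True) -> tuple[dict, float]:
    truth = parse_inventory(GROUND_TRUTH.splitlines())
    detected = parse_inventory(TOOL_REPORT.splitlines())
    per_eco = score(truth, detected, version_sensitive)
    return per_eco, f1_spread(per_eco)


if __name__ == "__main__":
    for strict in (True, False):
        per_eco, spread = evaluate(version_sensitive=strict)
        print(f"version_sensitive={strict}")
        for eco, (p, r, f) in per_eco.items():
            print(f"  {eco:7s} P={p:.2f} R={r:.2f} F1={f:.2f}")
        print(f"  F1 spread across ecosystems: {spread:.2f}")
```

On the constructed data the aggregate F1 looks respectable (8/13, about 0.62), yet the per-ecosystem rows tell the real story: npm 0.80, maven 0.50, pypi 1.00, native 0.00. Relaxing to name-only matching lifts maven to 1.00 and the aggregate to 10/13, which is exactly the gap between "found the package" and "found the shipped version". The spread across ecosystems stays large in both runs because the binary layer is missed entirely, which is why an aggregate score alone is a poor basis for judging an SCA tool.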
Source journal

Computers & Security (Engineering & Technology - Computer Science: Information Systems)
CiteScore: 12.40
Self-citation rate: 7.10%
Articles published: 365
Review time: 10.7 months
Journal description: Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at professionals involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.