Software Composition Analysis (SCA) tools perform source-code analysis, comparison and identification of Open Source components. Sadly, none of the SCA vendors have embraced Open Source themselves, most of their tooling consists of proprietary code and their OSS Knowledge Bases are also closed.
Most SCA vendors target large organizations, are expensive, and generally not economically viable for smaller companies who might be a critical part of larger software distribution chains. Smaller companies for these reasons can’t get access to proper SCA tooling, and large organizations will have to carry the expense of auditing their suppliers.
Leading to a higher cost of OSS governance, no ability to compare results, exclusion of the OSS community behind a license-fee and a reliance on external auditing. With this proposal we aim to contribute a free, standardized and 100% open alternative.