What is software composition analysis (SCA), and why does it matter for dependencies? [Basic]
Answer
Software composition analysis identifies the third-party libraries, frameworks, transitive dependencies, and licenses in an application. It matters because most modern applications depend heavily on open-source packages, and a vulnerability can enter through a library the team did not write.
Technical explanation
SCA reads package manifests, lock files, build outputs, SBOMs, and sometimes container images.
It maps components to CVEs, license policies, end-of-life versions, and known malicious packages.
Good SCA prioritizes findings rather than treating every CVE equally: is the vulnerable code path actually reachable from the application, is there a practical exploit, is the service internet-exposed, and how business-critical is it. A CVE in a function the application never calls ranks far below one in the request-handling path of a public service.
Hands-on example
For a Java service, scan both pom.xml and the built container image; the image catches copies that the manifest does not show, such as a library embedded in a shaded or fat jar. If log4j-core turns up as a transitive dependency, find which direct dependency pulls it in with mvn dependency:tree (narrow the output with -Dincludes=org.apache.logging.log4j:log4j-core), then either upgrade that direct dependency to a release that no longer brings in the vulnerable version or pin the fixed version in the pom's dependencyManagement section, which overrides the transitive version. Rebuild, regenerate the SBOM from the new build, and rescan before deployment to confirm the finding is gone rather than assuming the override took effect.