Abstract: Open Source Software (OSS) is widely adopted, but it introduces security and license compliance risks that must be managed. Software Composition Analysis (SCA) tools address these challenges by identifying dependencies, generating a Software Bill of Materials (SBOM), and detecting vulnerabilities. Although SCA Tool already supported ecosystems such as npm, it lacked support for C-based (e.g., C, C++) projects, which are central to many critical domains. This thesis extends SCA Tool with an integration for the vcpkg package manager. Four new components were implemented: the VcpkgExtractor for parsing manifests, the VcpkgCommand for interacting with the Command-Line Interface (CLI), and the VcpkgResolver for metadata enrichment. Core services were updated to incorporate these seamlessly. The evaluation shows that the integration successfully extracts and enriches the declared and transitive dependencies, producing SBOMs consistent with the tool's data model. Although limited to the official registry, this work provides a foundation for broader ecosystem support.
Keywords: SBOM, SCA Tool
PDF: Bachelor Thesis
Reference: Junzhe Wang. Evaluation and Improvement of C based dependency ecosystems in SCA Tool. Bachelor Thesis. Friedrich-Alexander-Universität Erlangen-Nürnberg: 2025.
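The abstract describes a manifest-parsing step (VcpkgExtractor) that feeds SBOM generation. The following is an added illustration of that step, written for this page and not code from the thesis or from SCA Tool: it parses a constructed vcpkg.json manifest, normalises the two dependency shapes the manifest format allows (bare string or object with `name`, `version>=`, `features`, `default-features`, `platform`), applies `overrides`, and emits a minimal CycloneDX-style component list. Versions that the manifest does not pin are deliberately reported as unresolved, since in the real pipeline they come from the baseline via the CLI and resolver steps. The sample package names and versions are constructed, and the `pkg:generic` purl form is an assumption.

```python
"""Toy vcpkg manifest extractor and SBOM builder (example code, not SCA Tool's)."""
import json

# Constructed sample vcpkg.json. Field names follow the public vcpkg manifest
# schema; the package names, versions and baseline hash are made-up values.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-app",
    "version": "1.0.0",
    "builtin-baseline": "0000000000000000000000000000000000000000",  # placeholder
    "dependencies": [
        "fmt",
        {"name": "openssl", "version>=": "3.0.0"},
        {"name": "zlib", "platform": "!windows"},
        {"name": "boost-asio", "features": ["ssl"], "default-features": False},
    ],
    "overrides": [{"name": "fmt", "version": "9.1.0"}],
})


def normalize_dependency(dep):
    """vcpkg allows a dependency to be a bare string or an object; return one shape."""
    if isinstance(dep, str):
        dep = {"name": dep}
    if not isinstance(dep, dict) or "name" not in dep:
        raise ValueError(f"malformed dependency entry: {dep!r}")
    return {
        "name": dep["name"],
        "min_version": dep.get("version>="),      # lower bound only, not a pin
        "platform": dep.get("platform"),
        "features": list(dep.get("features", [])),
        "default_features": dep.get("default-features", True),
        "pinned_version": None,                   # filled in from overrides
    }


def extract_declared_dependencies(manifest_text):
    """Parse a vcpkg.json manifest; return (manifest dict, {name: dependency info})."""
    manifest = json.loads(manifest_text)
    deps = {}
    for raw in manifest.get("dependencies", []):
        dep = normalize_dependency(raw)
        deps[dep["name"]] = dep
    # Overrides pin an exact version. Overrides for packages that appear only
    # transitively cannot be applied here; that needs the CLI/resolver step.
    for override in manifest.get("overrides", []):
        if override["name"] in deps:
            deps[override["name"]]["pinned_version"] = override["version"]
    return manifest, deps


def build_sbom(manifest, deps):
    """Emit a minimal CycloneDX-style document as a dict (assumed purl type: generic)."""
    components = []
    for name, dep in sorted(deps.items()):
        version = dep["pinned_version"] or "unresolved"
        properties = []
        if dep["min_version"]:
            properties.append({"name": "vcpkg:min-version", "value": dep["min_version"]})
        if dep["platform"]:
            properties.append({"name": "vcpkg:platform", "value": dep["platform"]})
        if dep["features"]:
            properties.append({"name": "vcpkg:features", "value": ",".join(dep["features"])})
        components.append({
            "type": "library",
            "name": name,
            "version": version,
            "purl": f"pkg:generic/{name}@{version}" if version != "unresolved" else None,
            "properties": properties,
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {"type": "application",
                                   "name": manifest["name"],
                                   "version": manifest.get("version", "unresolved")}},
        "components": components,
    }


if __name__ == "__main__":
    m, d = extract_declared_dependencies(SAMPLE_MANIFEST)
    print(json.dumps(build_sbom(m, d), indent=2))
```

Reporting unpinned components as unresolved rather than guessing a version is the safer choice for an SBOM consumer: a vulnerability matcher fed a lower bound as if it were the installed version would produce both false positives and false negatives.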