Abstract: Modern software development relies heavily on third-party dependencies across diverse ecosystems, which presents significant challenges for maintaining security, legal compliance, and transparency. Software composition analysis (SCA) tools have become essential in addressing these concerns, but many struggle to keep up with the growing number of programming languages and package managers. This thesis focuses on extending an existing tool named SCA Tool to support additional dependency ecosystems, particularly Java (Maven/Gradle) and Python (pip, Poetry, Pipenv, uv). A modular architecture was implemented to enable ecosystem-specific analyzers and scanning capabilities. The system integrates established tools such as OSS Review Toolkit (ORT) and ScanCode while compensating for their limitations through custom extraction logic. Evaluation was conducted using a repository of representative multi-language projects to assess detection accuracy and performance. The results demonstrate that hybrid analysis strategies significantly improve dependency detection across ecosystems with inconsistent conventions. This work contributes to the field of SCA by providing practical insights into overcoming technical obstacles in multi-ecosystem software environments.
Keywords: SCA Tool, Software Composition Analysis (SCA), Dependency Detection, Software Bill of Materials (SBOM)
PDF: Bachelor Thesis
Reference: Louis Dümler. Support of New Dependency Ecosystems in SCA Tool. Bachelor Thesis. Friedrich-Alexander-Universität Erlangen-Nürnberg: 2025.