Implementing Dependency Management Guidelines: Tools and Approaches for Software Composition Analysis
The article reviews the fifteen dependency‑management guidelines, discusses how to apply them in practice, and lists both open‑source and commercial tools—including Google’s Open Source Insights, Snyk, WhiteSource, Fossas, Anchore, OpenSCA, and MurphySec—while also highlighting differing analysis strategies and related research reports.
Two consecutive articles about dependency‑management guidelines were published, sparking a lively discussion in the “Continuous Delivery 2.0” WeChat group.
The original guidelines can be found in the linked articles “Fifteen Guidelines for Good Dependency Management (Part 1)” and “(Part 2)”.
The most frequently asked question is: we have the guidelines, but how can we put them into practice and what tools are available?
After discussion, group members identified several useful tools.
Google has created Open Source Insights, which allows users to view the dependency graphs of open‑source packages.
In addition, there are several commercial solutions such as snyk, whitesource, fossas, and anchore.
Domestic options include OpenSCA from XuanJing and MurphySec from Murphy.
These tools also fall into different schools of thought. For Maven, one camp (e.g., Snyk, WhiteSource, Fossas, Anchore, GitHub) parses the POM file with languages such as TypeScript or Go and focuses on direct dependencies only, ignoring transitive ones. The other camp, exemplified by ORT, uses Java/Kotlin to invoke Maven directly and produces the full dependency tree, comparable to the output of dependency:tree. Both approaches have limitations and cannot satisfy every business need.
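To make the difference between the two camps concrete, here is an added example (written for this summary, not code from the article or from any of the tools it names). It parses a constructed pom.xml for direct dependencies and a constructed dependency:tree listing for the resolved tree, then reports the transitive coordinates that a POM-only scanner never sees. It assumes the standard Maven POM namespace and the default text layout that mvn dependency:tree prints.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"  # standard Maven POM namespace
# Constructed pom.xml declaring two direct dependencies (not a real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>app</artifactId><version>1.0</version>
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>web</artifactId><version>2.1</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>test-kit</artifactId><version>1.0</version><scope>test</scope></dependency>
  </dependencies>
</project>"""

# Constructed listing in the text layout that `mvn dependency:tree` prints.
SAMPLE_TREE = """[INFO] com.example:app:jar:1.0
[INFO] +- org.example:web:jar:2.1:compile
[INFO] |  +- org.example:http-core:jar:2.1:compile
[INFO] |  \\- org.example:json:jar:3.0:compile
[INFO] \\- org.example:test-kit:jar:1.0:test
[INFO]    \\- org.example:assert:jar:1.4:test
"""

def direct_deps_from_pom(pom_xml):
    """Camp 1: read the POM itself, so only declared (direct) dependencies are visible."""
    coords = set()
    for dep in ET.fromstring(pom_xml).iter(f"{POM_NS}dependency"):
        g, a, v = (dep.findtext(f"{POM_NS}{tag}") for tag in ("groupId", "artifactId", "version"))
        coords.add(f"{g}:{a}:{v}")
    return coords

# Tree branch prefix (| + - \ and spaces), then group:artifact:type:version:scope.
TREE_LINE = re.compile(r"^\[INFO\]\s+[|+\\ -]*([\w.-]+):([\w.-]+):[\w-]+:([\w.-]+):\w+$")
def all_deps_from_tree(tree_text):
    """Camp 2: read the resolved tree, where direct and transitive nodes both appear."""
    coords = set()
    for line in tree_text.splitlines():
        m = TREE_LINE.match(line)
        if m:
            coords.add(":".join(m.groups()))
    return coords

def blind_spot(pom_xml, tree_text):
    """Coordinates a POM-only scanner never sees: the transitive dependencies."""
    return all_deps_from_tree(tree_text) - direct_deps_from_pom(pom_xml)

if __name__ == "__main__":
    for coord in sorted(blind_spot(SAMPLE_POM, SAMPLE_TREE)):
        print("invisible to POM-only parsing:", coord)
```

A real POM-only parser additionally has to resolve ${property} versions, parent POMs and dependencyManagement sections, none of which this sample exercises.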
Forrester has also published a research report on Software Composition Analysis (SCA).
Original link: https://www.forrester.com/report/the-forrester-wave-tm-software-composition-analysis-q3-2021/RES176091
Beyond dedicated tools, modern IDEs now provide built‑in SCA capabilities.
GitHub also offers some SCA capabilities.
Someone mentioned SonarQube, which suffers from being too all‑encompassing and therefore messy.
Group members even joked about the business of software localization.
Hahaha~
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Continuous Delivery 2.0
Tech and case studies on organizational management, team management, and engineering efficiency