Open-source software supports the key tenets of open RAN, namely openness and interoperability, but comes with its own risks. Since most projects include a long and complex list of dependencies, an automated auditing process is needed to give a holistic overview of the software components in use. This is where software composition analysis (SCA) is a valuable methodology. SCA tools detect open-source components, find known vulnerabilities in them and check compliance with licensing requirements, giving a comprehensive view of the risks that dependencies can introduce into a project.
Software Composition Analysis is a security practice that focuses on identifying and managing the third-party and open-source dependencies used in a software project. The O-RAN Alliance itself recommends “to have Software Composition Analysis tooling to automatically scan and identify all open-source components, version(s) in use, all package dependencies, libraries, and create an accurate bill of materials (BOM), checks for policy and license compliance, security risks, protect against threats to intellectual property (IP) and version updates” in its specification "O-RAN Study on Security for Near Real Time RIC and xApps 5.00".
Tsvetan Kolev’s approach presents a continuous scanning method, built on GitHub Actions, designed to help developers identify and manage risks in the code of O-RAN software. For this, three publicly available SCA tools, grype, snyk and trivy, were used to continuously audit the software and report known vulnerabilities in the code of two open-source Near Real-Time RAN Intelligent Controllers ( Additionally, they validated the methodology through an additional test involving a third Near-RT RIC.
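The continuous-scanning setup described above, as an added example that is not code from the page or from Kolev's work: a GitHub Actions workflow that builds an SBOM of the checked-out repository, scans it with grype and trivy (two of the three tools named above), fails the job on HIGH/CRITICAL findings and uploads the grype report to the repository's Security tab. The workflow name, branch name, schedule and severity thresholds are assumptions; the action names and inputs are the ones published by Anchore and Aqua Security.

```yaml
# Added example, not from the original page: nightly and per-change SCA for a RIC repository.
name: sca-scan
on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: "0 3 * * *"   # nightly: catches CVEs published after the last commit
permissions:
  contents: read
  security-events: write   # required to upload SARIF to the Security tab
jobs:
  sca:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Inventory first: CycloneDX SBOM of every detected package (syft under the hood).
      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: cyclonedx-json
          output-file: sbom.cdx.json
      # grype matches the SBOM against its vulnerability database; HIGH and above fail the job.
      - name: grype scan
        id: grype
        uses: anchore/scan-action@v3
        with:
          sbom: sbom.cdx.json
          fail-build: true
          severity-cutoff: high
      - name: Upload grype SARIF
        if: always()   # upload even when the scan step failed the build
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.grype.outputs.sarif }}
      # trivy is an independent scanner; findings the two disagree on deserve a manual look.
      - name: trivy filesystem scan
        if: always()   # still run when grype has already failed the job
        uses: aquasecurity/trivy-action@master   # pin to a release tag or commit SHA in practice
        with:
          scan-type: fs
          scan-ref: .
          severity: HIGH,CRITICAL
          ignore-unfixed: true   # only report findings that a version bump can fix
          exit-code: "1"
```

The `ignore-unfixed` flag keeps the job from failing on vulnerabilities that have no patched release yet; drop it if the policy is to record every known finding regardless of fix availability.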