Fortify SCA lineage with deep license intelligence
Carries the Fortify SCA engine and the license-intelligence catalog Fortify built over 15+ years. Programs needing rigorous license-compliance posture pick the lineage with depth.
OpenText • Application security
OpenText Core Software Composition Analysis carries the Fortify SCA lineage as a SaaS service, scanning OSS dependencies for vulnerabilities and license risk across heterogeneous codebases, with cross-correlation back to Fortify SAST and Aviator AI augmentation.
Through Merito, OpenText Core SCA gets tuned against the customer's actual dependency-tree shape, license policy is designed per application rather than as a blanket rule, and the triage operating model is wired so SCA findings join the SAST and DAST queue inside Core Application Security as one backlog rather than three.
What it is
OpenText Core Software Composition Analysis is the SaaS SCA product carrying the Fortify Software Composition Analysis lineage. It scans open-source dependencies declared in package manifests across npm, PyPI, Maven Central, NuGet, Go modules, Cargo, Composer, RubyGems, and more, surfaces vulnerabilities and license risk across the dependency tree, and feeds findings into Core Application Security alongside SAST and DAST. Programs running standalone Fortify SCA on-premises modernize onto Core SCA in SaaS as part of the Core Application Security move.
License compliance is half of SCA's value. Programs that ship code under copyleft licenses (GPL, AGPL) inside proprietary products create legal exposure: GPL obligations attach when the software is distributed, and AGPL's network clause extends them to software offered as a service, which is why AGPL is the license that catches SaaS teams. Core SCA evaluates every dependency against a configurable license policy and flags forbidden licenses before they reach production. License policy is per-application or per-business-unit, so internal-only tooling is not audited like a customer-facing SaaS product. Fortify's license-intelligence depth is one of the historical strengths of the line.
Cross-correlation with SAST is the platform advantage. SCA findings cross-link to Fortify SAST flow paths so AppSec sees both the dependency CVE and the application-code path that calls into the vulnerable library. Aviator AI augmentation extends across SCA, SAST, and DAST findings together, proposing dependency-upgrade paths and reachability-aware triage. Programs running Core SCA standalone get the SCA capability; programs running it inside Core Application Security get the unified backlog math.
What stalls SCA adoption is alert fatigue. Programs that take vendor-default policies, ignore per-application license tuning, and route every CVE finding to the developer queue burn out the engineering organization and the AppSec team simultaneously. Merito's engagement starts with license-policy tuning, suppression workflow with audit trail, and developer-time integration that surfaces findings during PR review rather than as a separate dashboard. Without that, SCA generates more noise than it removes.
Ideal use cases
What it is best at
npm, PyPI, Maven Central, NuGet, Go modules, Cargo, Composer, RubyGems, and more in one engine. Programs stop stitching together specialist tools per ecosystem.
Different license rules for internal tooling versus customer-facing SaaS. Programs avoid blanket copyleft bans that block legitimate internal use of GPL libraries.
SCA findings link back to the Fortify SAST flow path that calls the dependency and the DAST runtime confirmation. Triage runs once, not three times.
Generates SBOMs in industry-standard formats for regulated programs that require SBOM-as-evidence under EO 14028 or sector-specific mandates.
Core capabilities
Where SCA does the work against heterogeneous dependency trees.
Direct and transitive dependency scanning
Resolves the full dependency graph and surfaces vulnerabilities across direct and transitive dependencies. Transitive results are only as accurate as the resolution input: a committed lockfile pins what the build actually installed, while a manifest alone forces the scanner to resolve versions itself, which can drift from the shipped artifact.
Ecosystem coverage
npm, PyPI, Maven Central, NuGet, Go modules, Cargo, Composer, RubyGems, and more.
Source correlation with SAST
Cross-references SCA findings against Fortify SAST flow paths to surface the application code calling into vulnerable libraries.
Aviator AI augmentation
AI-augmented triage that proposes dependency-upgrade paths and reachability-aware suppression suggestions.
Avoiding legal exposure on copyleft and forbidden licenses without blanket bans.
Deep license intelligence catalog
Fortify's license-intelligence catalog covers obligations, attribution requirements, source-disclosure rules, and license compatibility across the dependency graph.
Per-application license policy
Different license rules for internal tooling versus customer-facing SaaS. Avoids blanket copyleft bans.
Forbidden-license gates
Block-on-introduce policy fails the build only on copyleft dependencies that are new relative to a recorded baseline, so legacy findings stay visible in the backlog without stopping delivery while triage works through them.
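The per-application policy and the block-on-introduce gate above are easier to reason about with the mechanics spelled out. The following is an added example written for this page, not OpenText or Fortify code and not Core SCA's own policy model: it reads CycloneDX JSON SBOMs (the format the page names), applies a different denylist per application class, evaluates SPDX license expressions properly (an OR lets the licensee choose, an AND stacks obligations), and blocks only on violations absent from a baseline SBOM. The policy shape, the two application classes, the package names and all three SBOMs are constructed for illustration.

```python
"""Per-application license gate with block-on-introduce semantics.

Added example, not OpenText/Fortify code. Evaluates CycloneDX JSON SBOMs
against an assumed per-application policy and blocks only on violations
that are new relative to a baseline SBOM; the legacy backlog is reported
but does not stop the build. Policy model and SBOMs are constructed.
"""
import re

# Assumed policy shape: application class -> denied SPDX license IDs.
# Customer-facing SaaS gates strict (AGPL's network clause applies without
# distribution); internal tooling only denies source-available licenses.
POLICY = {
    "customer-facing-saas": {
        "AGPL-3.0-only", "AGPL-3.0-or-later", "GPL-2.0-only", "GPL-2.0-or-later",
        "GPL-3.0-only", "GPL-3.0-or-later", "SSPL-1.0",
    },
    "internal-tool": {"SSPL-1.0"},
}

_TOKENS = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+-]+")


def expression_allowed(expr, denied):
    """Recursive-descent check of an SPDX expression against a denylist.

    OR: licensee chooses, so any passing branch passes. AND: obligations
    stack, so every branch must pass. 'X WITH exception' is judged on X.
    """
    tokens, pos = _TOKENS.findall(expr), 0

    def parse_or():
        nonlocal pos
        ok = parse_and()
        while pos < len(tokens) and tokens[pos] == "OR":
            pos += 1
            ok = parse_and() or ok      # parse first so nothing is skipped
        return ok

    def parse_and():
        nonlocal pos
        ok = parse_atom()
        while pos < len(tokens) and tokens[pos] == "AND":
            pos += 1
            ok = parse_atom() and ok
        return ok

    def parse_atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            ok = parse_or()
            pos += 1                    # consume ')'
        else:
            ok = tok not in denied
        if pos < len(tokens) and tokens[pos] == "WITH":
            pos += 2                    # skip the exception identifier
        return ok

    return parse_or()


def component_expression(component):
    """Collapse a CycloneDX 'licenses' array into one SPDX expression.

    Entries are {"expression": ...} or {"license": {"id"|"name": ...}}.
    Name-only entries are not SPDX IDs and become UNKNOWN (treated as
    denied); multiple entries are conjoined conservatively with AND.
    """
    parts = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            parts.append("(" + entry["expression"] + ")")
        elif "id" in entry.get("license", {}):
            parts.append(entry["license"]["id"])
        else:
            parts.append("UNKNOWN")
    return " AND ".join(parts) if parts else "UNKNOWN"


def package_key(purl):
    """Identity without version/qualifiers, so a version bump of a legacy
    dependency is not counted as newly introduced. The npm scope '@' is
    percent-encoded in a purl, so the first bare '@' starts the version."""
    return re.split(r"[@?#]", purl, maxsplit=1)[0]


def evaluate(sbom, app_class, baseline=None):
    """Gate decision: block only on violations not present in the baseline."""
    denied = POLICY[app_class] | {"UNKNOWN"}
    known = {package_key(c["purl"]) for c in (baseline or {"components": []})["components"]}
    introduced, legacy = [], []
    for comp in sbom["components"]:
        expr = component_expression(comp)
        if expression_allowed(expr, denied):
            continue
        bucket = legacy if package_key(comp["purl"]) in known else introduced
        bucket.append((comp["purl"], expr))
    return {"block": bool(introduced), "introduced": introduced, "legacy": legacy}


def _comp(purl, *licenses):
    return {"type": "library", "purl": purl, "licenses": list(licenses)}


# Constructed SBOMs in CycloneDX JSON shape, trimmed to the fields used.
BASELINE = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    _comp("pkg:npm/express@4.18.2", {"license": {"id": "MIT"}}),
    _comp("pkg:maven/com.example/legacy-pdf@1.4.0", {"license": {"id": "AGPL-3.0-only"}}),
]}
RELEASE = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    _comp("pkg:npm/express@4.19.2", {"license": {"id": "MIT"}}),
    _comp("pkg:maven/com.example/legacy-pdf@1.5.0", {"license": {"id": "AGPL-3.0-only"}}),
    _comp("pkg:npm/dual-lic@2.0.0", {"expression": "MIT OR GPL-2.0-only"}),
]}
PULL_REQUEST = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components":
    RELEASE["components"] + [
        _comp("pkg:pypi/new-db-driver@1.0.0", {"license": {"id": "SSPL-1.0"}}),
        _comp("pkg:npm/mystery@0.1.0", {"license": {"name": "Custom Corp License"}}),
    ]}

if __name__ == "__main__":
    for app in POLICY:
        print(app, "release:", evaluate(RELEASE, app, BASELINE))
        print(app, "pull request:", evaluate(PULL_REQUEST, app, BASELINE))
```

Run against the constructed data, the release SBOM passes for both classes: the AGPL library is a legacy violation for the customer-facing class and lands in the backlog rather than blocking, and the dual-licensed package passes because the MIT branch of the OR is available. The pull-request SBOM blocks for both classes because the SSPL driver and the component with a non-SPDX license name are new relative to the baseline. Keying the baseline on package identity rather than on the full purl is the design choice that matters: without it, every version bump of a legacy dependency would re-trigger the gate.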
Audit-ready evidence for regulated and federal programs.
CycloneDX and SPDX SBOM generation
SBOM output in industry-standard formats for compliance with EO 14028, NIST SSDF, and sector-specific mandates.
Cross-product correlation
SCA findings cross-link to SAST, DAST, and Aviator triage inside Core Application Security.
Compliance reporting
Audit-ready evidence for SOC 2, FedRAMP, HIPAA, PCI DSS, and ISO 27001 attestations.
Licensing and packaging
Standalone Core Software Composition Analysis
Standalone SaaS SCA for programs not running the full Core Application Security bundle.
Best for: Programs adding SaaS SCA to an existing AppSec footprint.
Inside Core Application Security
Core SCA as part of the SaaS-unified SAST + DAST + Core SCA bundle.
Best for: Programs running unified AppSec.
Merito services
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
Tenant setup, license-policy tuning, CI/CD integration, SBOM-generation wiring.
Fortify SCA on-prem to Core SCA SaaS modernization.
AppSec program scoping for Core SCA adoption alongside Checkmarx SCA, Snyk SCA, Black Duck, and Sonatype Lifecycle.
PR-time SCA gates and build-gate policy in Jenkins, GitHub Actions, GitLab CI, Azure DevOps, and Bitbucket.
Developer enablement and AppSec champion programs around SCA findings and license discipline.
Named engineer, priority SLAs, and release-time coverage for Core SCA.
Long-term run support including license-policy maintenance, SBOM-generation operations, and triage operating-model evolution.
Role-based training for AppSec architects, security engineers, and developers consuming SCA output.
Merito-placed AppSec engineers and OpenText specialists embedded on long-running programs.
OpenText Core SCA licensing
Core SCA pricing arrives with license-policy design, suppression workflow, CI/CD integration, and SBOM-generation wiring that put Fortify's 15+ years of license intelligence to work rather than letting it sit unused.
Merito point of view
Merito has audited SCA programs that ran rigorous CVE scanning and ignored license posture, then discovered they had been shipping AGPL libraries inside proprietary SaaS for two years. The license catalog Fortify built over 15+ years is one of the deeper assets in the OpenText AppSec line, and programs that adopt Core SCA without using it are leaving half the value on the table. Per-application license policy is the right shape: customer-facing SaaS gates strict, internal tooling gates loose, and the program does not block legitimate copyleft use.
Merito recommends OpenText Core SCA specifically when programs are consolidating onto Core Application Security or already running OpenText AppSec, when license-compliance posture matters, and when SBOM-as-evidence under EO 14028 or sector mandates is in scope. For programs already running mature Checkmarx SCA pipelines with EPA reachability turned on, replacing them with Core SCA is a 12-month project that often does not deliver enough delta. For programs that chose Snyk SCA for its developer experience, the tradeoff runs the other way: Core SCA adds license depth and SAST correlation, but the developer-facing workflow is what the migration puts at risk.
Cross-correlation with SAST is the platform claim that pays back only inside Core Application Security: standalone Core SCA delivers the scanning, and it is the Aviator-augmented bundle that delivers the single correlated backlog.
Consultation request
Share your dependency-tree shape, current SCA tool if any, and license-compliance posture. A Merito OpenText specialist follows up within one business day.
Next step
A Merito Core SCA engagement starts with license-policy design and SBOM wiring. Programs that adopt SCA without per-application license policy leave half the value on the table.