Source Code Control Ltd

Software Composition Analysis - Software Bill of Materials

Analyse the software you have created - looking for security vulnerabilities, licensing problems, copyright issues and poor code management. Provides a Bill of Materials highlighting problems. This service supports requirements in the PCI Secure Software Standard.


  • Create a Bill of Materials for your software
  • Identify known security vulnerabilities
  • Identify licensing issues including copyleft
  • Understand application depndencies
  • Ongoing notification of new vulnerabilities


  • Understand components used - their security and licensing issues
  • Ensure your software is correctly copyrighted - protecting your IP
  • Streamline your software by identifying code management problems
  • Meet PCI secure software standard requirements


£4500 to £10000 per unit

  • Free trial available

Service documents


G-Cloud 11

Service ID

7 6 1 4 7 2 7 2 7 8 2 3 6 8 0


Source Code Control Ltd

Paul McAdam

+44 118 328 2962

Service scope

Service scope
Software add-on or extension Yes
What software services is the service an extension to Flexera Code Insight
Cloud deployment model Public cloud
Service constraints The service provides a public cloud based implementation of Flexera Code Insight for Software Composition Analysis. Direct access to the tool will require the purchase and implementation of a specific license.
System requirements
  • Modern browser for user interface
  • All other requirements are part of server build

User support

User support
Email or online ticketing support Email or online ticketing
Support response times During a project, the customer has an assigned licensing technician who will lead the project. All issues raised over email would be addressed by the customer's contact or a named substitute.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels We have a single support level which is a named contact throughout the life of a project. All project issues would be raised with them and answered within a business day. If they are unavailable, a named substitute would be available.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started We follow a similar process each time...
1- Kick off call / requirements and expectations setting
2- Online training / workshop
3- Scan and preliminary report
4- Report discussion with developers / project team
5- Final report
6- Ongoing support and alert
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction The user can receive the following:
- Report - PDF
- Supporting data - .XLS
- Bill of Materials for the Software - PDF or HTML
- Notices.txt file - TXT
End-of-contract process The customer exits the contract with an time-stamped, independent, expert report. Also the data, Bill of Materials and Notices.txt file (if requested).
Additional costed items:
1- 2nd report once issues are fixed
2- Ongoing monitoring of the software for new vulnerabilities
3- Private instance.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices No
Service interface No
What users can and can't do using the API The API allows the connection of Software Development Lifecycle tools e.g. Jenkins, WSTS, Maven to the composition analysis part.
API documentation Yes
API documentation formats Other
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Customers can apply their own policies (excluded licenses and components) and add their own workflows.


Independence of resources The cloud based service is well used, but not concurrently.

We have 2 different service levels:
1- Reports based on a shared cloud service - this could be affected by heavy concurrent use, but the work is carried out by local operatives on the customer's behalf.
2- Private instance - which is a dedicated platform based in the public cloud and would not be subject to demand based performance.


Service usage metrics No


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Flexera

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency Never
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Other
Other data at rest protection approach The data is held on Microsoft Azure
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach All of the data is provided to the customer via a pre-arranged secure process e.g. email; secure folder; SFTP
Data export formats Other
Other data export formats PDF, XLSX, HTML and TXT combination
Data import formats Other
Other data import formats .ZIP for the source code

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks Other
Other protection between networks These are separate systems with dedicated security, roles and permissions.
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability The service is available during business hours UK time.

For notifications of new vulnerabilities, users are alerted within 24 hours of the alert being received.
Approach to resilience The system is completely stored on Microsoft Azure public cloud.
Outage reporting We would provide an email alert to active users with an estimated resolution time and regular updates.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels Access to each level of the system stack is on an "as needed" basis.

Where necessary, system account passwords are known by just two members of staff with appropriate level of clearance.
Access restriction testing frequency At least every 6 months
Management access authentication
  • Username or password
  • Other
Description of management access authentication The site is secured with SSL

Audit information for users

Audit information for users
Access to user activity audit information No audit information available
Access to supplier activity audit information No audit information available
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications OpenChain

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach Are security infrastructure is all based on Microsoft Azure physical and logical security.
We implement the best available OS level and application level security settings e.g. highest level of password enforcement; unique complex passwords to each level
Information security policies and processes We are registered with the ICO as a data processor.

We have a Information Assurance Policy which all new hires are required to read, understand and sign. We also include data handling in our Standards of Business Conduct.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach We manage a service for a customer at SC level and apply the same standards to all of our configurations.

Our implementation staff are trained in ITIL and follow the ITIL approach to change management.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Our business is based on helping people understand vulnerabilities, so we are by definition very attentive to vulnerability management.

Patches for the OS is applied either immediately for high priority items or for lower priority, they are assessed and applied weekly.

The FNCI system is updated quarterly.

The system has a clear, well understood stack, so patch management is easy to undertake.
Protective monitoring type Supplier-defined controls
Protective monitoring approach The server is continually monitored for failure and intrusion.
Incident management type Supplier-defined controls
Incident management approach Users can report incidents to their named project manager or through Salesforce.

Outages alerts are sent to all users and an alternative platform is available for urgent projects.

Incident reports are available on request.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £4500 to £10000 per unit
Discount for educational organisations No
Free trial available Yes
Description of free trial We provide a "smoke test" whereby the customer provides a copy of their source code and we create a 1 page report for them using the Flexera Code Insight system.

Service documents

Return to top ↑