Enhancing Software Supply Chain Security: Approaches to Software Composition Analysis
Eclipse Foundation via YouTube
Overview
Learn about Software Composition Analysis (SCA) tools and approaches for securing the Java software supply chain in this 24-minute conference talk. Explore the critical importance of managing third-party package dependencies in Java projects, particularly in light of major security incidents like SolarWinds and Log4Shell. Compare two distinct approaches to vulnerability detection: the code-centric method used by Eclipse Steady and the metadata-based approach of OWASP Dependency-Check. Examine real-world applications of both tools across various Java projects, understanding their respective strengths and limitations. Discover how a proposed hybrid approach could combine the best aspects of both methods to enhance vulnerability detection precision and efficiency. Gain practical insights into implementing these free, open-source tools in your own projects, with only basic software development knowledge required.
Syllabus
Enhancing Software Supply Chain Security: Approaches to Software Composition Analysis - OCX 2024
Taught by
Eclipse Foundation