Current Software Composition Analysis (SCA) heavily relies on static feature databases, resulting in poor detection coverage for obscure or emerging third-party libraries (TPLs), particularly in Android native libraries and C/C++ copy-based reuse scenarios. Method: This paper proposes the first database-less SCA (DB-Less SCA) framework, which eliminates prebuilt databases and instead leverages large language models (LLMs) to dynamically retrieve, compare, and validate cross-source semantic evidence from the open web—enabling multi-language (Java/Kotlin/C/C++) binary and source-code feature correlation. Contribution/Results: It is the first work to employ LLMs to emulate security analysts’ cross-source library identification; establishes a novel DB-Less SCA paradigm; and significantly improves robustness and coverage for TPLs absent from mainstream databases. Experimental evaluation demonstrates its feasibility and practicality in dynamic open-source ecosystems.

The prevalent use of third-party libraries (TPLs) in modern software development introduces significant security and compliance risks, necessitating the implementation of Software Composition Analysis (SCA) to manage these threats. However, the accuracy of SCA tools heavily relies on the quality of the integrated feature database to cross-reference with user projects. While under the circumstance of the exponentially growing of open-source ecosystems and the integration of large models into software development, it becomes even more challenging to maintain a comprehensive feature database for potential TPLs. To this end, after referring to the evolution of LLM applications in terms of external data interactions, we propose the first framework of DB-Less SCA, to get rid of the traditional heavy database and embrace the flexibility of LLMs to mimic the manual analysis of security analysts to retrieve identical evidence and confirm the identity of TPLs by supportive information from the open Internet. Our experiments on two typical scenarios, native library identification for Android and copy-based TPL reuse for C/C++, especially on artifacts that are not that underappreciated, have demonstrated the favorable future for implementing database-less strategies in SCA.