The SCA Balancing Act

Software Composition Analysis (SCA) is among the most foundational approaches to application security. Understanding known vulnerabilities, along with the leading and lagging indicators of risk, is among the most widely used security controls in industry. There are three major types of SCA: runtime SCA, manifest-scanning SCA, and build/install-time SCA with and without program analysis. Each approach carries hidden costs, pros and cons. This session will explore not only those hidden costs, pros and cons, but explain why they exist. We will round out with effective practices, the classes of vulnerabilities each approach covers, and things to avoid with each approach. Everyone has heard that there is a panacea for managing risk in software composition analysis; you see it in marketing every day. This nirvana is a lie. But there could be a nirvana for you, in your context. This talk explores the spectrum of trade-offs that exist.

James Scott

Endor Labs, Product
