Hi! I'm

Federico Calò

Software Developer | Technical Writer

I create modern web applications and custom digital tools to help businesses grow through technological innovation. My passion is combining computer science and economics to generate real value.

Contact Me

About Me

My passion for computer science was born at the Technical Commercial Institute of Maglie, where I discovered the power of programming and the fascination of creating digital solutions. From the start, I understood that computer science was not just code, but an extraordinary tool for turning ideas into reality.

During my studies in Business Information Systems, I began to interweave computer science and economics, understanding how technology can be the engine of growth for any business. This vision accompanied me to the University of Bari, where I obtained my degree in Computer Science, deepening my technical skills and passion for software development.

Today I put this experience at the service of businesses, professionals and startups, creating tailor-made digital solutions that automate processes, optimize resources and open new business opportunities. Because true innovation begins when technology meets the real needs of people.

My Skills

Data Analysis & Predictive Models

I transform data into strategic insights with in-depth analysis and predictive models for informed decisions

Process Automation

I create custom tools that automate repetitive operations and free up time for value-added activities

Custom Systems

I develop tailor-made software systems, from platform integrations to customized dashboards

const federico = {
  nome: "Federico Calò",
  ruolo: "Sviluppatore Software",
  città: "Bari, Italia",
  missione: "Aiutare attraverso l'informatica",
  passioni: [
    "Codice Pulito",
    "Innovazione",
    "Crescita Continua"
  ]
};

La Mia Missione

Credo fermamente che l'informatica sia lo strumento più potente per trasformare le idee in realtà e migliorare la vita delle persone.

Democratizzare la Tecnologia

La mia missione è rendere l'informatica accessibile a tutti: dalle piccole imprese locali alle startup innovative, fino ai professionisti che vogliono digitalizzare la propria attività. Ogni realtà merita di sfruttare le potenzialità del digitale.

Unire Informatica ed Economia

Non è solo questione di scrivere codice: è capire come la tecnologia possa generare valore reale. Intrecciando competenze informatiche e visione economica, aiuto le attività a crescere, ottimizzare processi e raggiungere nuovi traguardi di efficienza e redditività.

Creare Soluzioni su Misura

Ogni attività è unica, e così devono esserlo le soluzioni. Sviluppo strumenti personalizzati che rispondono alle esigenze specifiche di ciascun cliente, automatizzando processi ripetitivi e liberando tempo per ciò che conta davvero: far crescere il business.

Trasforma la Tua Attività con la Tecnologia

Che tu gestisca un negozio, uno studio professionale o un'azienda, posso aiutarti a sfruttare le potenzialità dell'informatica per lavorare meglio, più velocemente e in modo più intelligente.

Parliamone Insieme →

Join the Community

Join the developer community where we discuss software, AI, architecture and DevOps. Share ideas, ask questions and grow with us.

Channel

FC Dev Blog

Get notifications on new articles, complete series, weekly tips and featured tools. Bilingual IT/EN content directly in your Telegram.

New articles as they are published
Weekly tips and code snippets
Polls on future topics

Subscribe to Channel

Group

FC Dev Community

A bilingual IT/EN community for developers. Discussions, Q&A, mutual help and networking with other professionals.

Discussions on articles and technologies
Coding help and code review
Job opportunities and collaboration

Join the Group

Discussion Topics

View

Master SQL

RoadMap.sh

November 2024

View

Oracle Certified Foundations Associate

Oracle

October 2024

View

People Leadership Credential

Connect

September 2024

💻 Languages & Technologies

Java

Python

JavaScript

Angular

React

TypeScript

SQL

PHP

CSS/SCSS

Node.js

Docker

Git

💼

12/2024 - Present

Custom Software Engineering Analyst

Accenture

Bari, Puglia, Italy · Hybrid Analysis and development of computer systems through the use of Java and Quarkus in Health and Public Sector. Continuous training on modern technologies for creating customized and efficient software solutions and on agents.

💼

06/2022 - 12/2024

Software analyst and Back End Developer Associate Consultant

Links Management and Technology SpA

Experience analyzing as-is software systems and ETL flows using PowerCenter. Completed Spring Boot training for developing modern and scalable backend applications. Backend developer specialized in Spring Boot, with experience in database design, analysis, development and testing of assigned tasks.

💼

02/2021 - 10/2021

Software programmer

Adesso.it (prima era WebScience srl)

Experience in AS-IS and TO-BE analysis, SEO evolutions and website evolutions to improve user performance and engagement.

🎓

2018 - 2025

Degree in Computer Science

University of Bari Aldo Moro

Bachelor's degree in Computer Science, focusing on software engineering, algorithms, and modern development practices.

📚

2013 - 2018

Diploma - Corporate Information Systems

Technical Commercial Institute of Maglie

Technical diploma specializing in Business Information Systems, combining IT knowledge with business management.

Contattami

Hai un progetto in mente? Parliamone! Compila il form qui sotto e ti risponderò al più presto.

* Campi obbligatori. I tuoi dati saranno utilizzati solo per rispondere alla tua richiesta.

SCA: What is Software Composition Analysis

SCA (Software Composition Analysis) is the practice of analyzing a project's open source dependencies to identify known vulnerabilities, licensing issues, and risks in the software supply chain. With over 90% of modern code using open source components, dependency security has become a critical aspect.

Unlike SAST which analyzes team-written code, SCA focuses on imported code: npm libraries, pip packages, Maven dependencies, Ruby gems, and any other third-party components. A single vulnerability in a widely-used library can expose thousands of applications, as demonstrated by the Log4Shell and XZ Utils incidents.

In this article, we will explore the main SCA tools, transitive dependency management, license tracking, and strategies for keeping dependencies up to date.

What You'll Learn

How SCA works and transitive dependency analysis
Configuring Snyk, Dependabot, and OWASP Dependency-Check
Vulnerability databases: NVD, CVE, GitHub Advisory
Open source license management and compliance
Update strategies: automatic vs manual patches
SCA integration in the CI/CD pipeline

The Transitive Dependency Problem

A typical project has dozens of direct dependencies, but each of these brings its own dependencies (transitive). A Node.js project with 50 direct dependencies can have 500-1000 transitive dependencies in node_modules.

Vulnerabilities in transitive dependencies are particularly insidious because developers might not be aware of their existence. SCA analyzes the entire dependency tree, including transitive ones, to ensure complete coverage.

Why SCA is Critical

The Log4Shell incident (CVE-2021-44228) demonstrated the devastating impact of a vulnerability in a widely-used library: over 35,000 Java packages were vulnerable. Many organizations took weeks to identify all affected applications because they didn't have a dependency inventory. SCA prevents this scenario by maintaining an updated inventory and alerting immediately when a new vulnerability is discovered.

Snyk: Developer-Integrated SCA

Snyk is a modern SCA platform that integrates directly into the developer workflow. It offers a free plan for open source projects and an excellent developer experience with IDE, CLI, and CI/CD integration.

Snyk CLI: Terminal Analysis


# Install Snyk CLI
npm install -g snyk

# Authenticate
snyk auth

# Analyze project dependencies
snyk test

# Analyze and monitor (registers in dashboard)
snyk monitor

# Analyze a Dockerfile
snyk container test node:18-alpine

# Analyze IaC code
snyk iac test terraform/

# JSON output for automation
snyk test --json --severity-threshold=high > snyk-results.json

Snyk Integration in GitHub Actions


# .github/workflows/snyk.yml
name: Snyk Security Scan
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  snyk:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"

      - name: Install dependencies
        run: npm ci

      - name: Snyk Test
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: #123;{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high --fail-on=all

      - name: Snyk Monitor
        if: github.ref == 'refs/heads/main'
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: #123;{ secrets.SNYK_TOKEN }}
        with:
          command: monitor

Dependabot: GitHub's Automatic Updates

Dependabot is GitHub's integrated service that monitors dependencies and automatically creates pull requests to update vulnerable versions. Configuration is simple and done through a YAML file in the repository.


# .github/dependabot.yml
version: 2
updates:
  # npm dependencies
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "09:00"
      timezone: "Europe/Rome"
    open-pull-requests-limit: 10
    reviewers:
      - "security-team"
    labels:
      - "dependencies"
      - "security"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
    groups:
      dev-dependencies:
        dependency-type: "development"
        update-types:
          - "minor"
          - "patch"

  # GitHub Actions
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  # Docker
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"

OWASP Dependency-Check

OWASP Dependency-Check is an open source SCA tool that identifies project dependencies and checks if they have known vulnerabilities in the National Vulnerability Database (NVD). It supports Java, .NET, Node.js, Python, Ruby, and many other ecosystems.


# .github/workflows/dependency-check.yml
name: OWASP Dependency Check
on:
  push:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"  # Every Monday at 6:00 AM

jobs:
  dependency-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: OWASP Dependency Check
        uses: dependency-check/Dependency-Check_Action@main
        with:
          project: "my-application"
          path: "."
          format: "HTML"
          args: >
            --failOnCVSS 7
            --enableRetired
            --nvdApiKey #123;{ secrets.NVD_API_KEY }}

      - name: Upload Report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: dependency-check-report
          path: reports/

Vulnerability Databases

SCA tools rely on known vulnerability databases to identify problematic dependencies. The main databases are:

      Main Vulnerability Databases
      
          Database
          Maintainer
          Coverage
        
          NVD (National Vulnerability Database)
          NIST (US Gov)
          All platforms, 24-48h updates
        
          GitHub Advisory Database
          GitHub
          npm, pip, Maven, RubyGems, NuGet, Go
        
          OSV (Open Source Vulnerability)
          Google
          Multi-ecosystem, open format
        
          Snyk Vulnerability DB
          Snyk
          Manually curated, high quality

Open Source License Management

Beyond vulnerabilities, SCA analyzes dependency licenses to ensure legal compliance. Some open source licenses (like GPL and AGPL) have copyleft requirements that can have significant implications for commercial software.

Permissive (MIT, Apache 2.0, BSD): free use, few restrictions
Weak Copyleft (LGPL, MPL): modifications to the library must be released under the same license
Strong Copyleft (GPL, AGPL): all derived software must be released under the same license
Proprietary/Non-standard: require case-by-case legal review

Recommended License Policy

Approved: MIT, Apache 2.0, BSD 2/3-Clause, ISC
Review required: LGPL, MPL, CC-BY
Blocked: GPL, AGPL, SSPL (for proprietary software)
Unknown: require legal review before use

Dependency Update Strategies

Keeping dependencies updated is an ongoing challenge. Here are the strategies we recommend:

1. Automatic Patches for Critical Vulnerabilities

Configure Dependabot or Renovate to automatically create PRs for security updates. Security patches (minor/patch versions) can be auto-merged if tests pass, reducing exposure time.

2. Grouped Weekly Updates

Group non-critical updates into a single weekly PR to reduce noise and facilitate review. Dependabot supports groups natively.

3. Major Versions with Planning

Major version updates (breaking changes) must be planned and manually tested. Ignore automatic major updates and dedicate specific sprint time.

4. Lock Files and Reproducibility

Always use lock files (package-lock.json, yarn.lock, Pipfile.lock) to ensure reproducible builds and use npm ci instead of npm install in CI.

SCA in the Pipeline: Complete Workflow


# .github/workflows/sca-complete.yml
name: SCA Complete Workflow
on:
  push:
    branches: [main]
  pull_request:

jobs:
  vulnerability-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"

      - name: Install dependencies
        run: npm ci

      - name: npm audit
        run: npm audit --audit-level=high

      - name: Snyk vulnerability scan
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: #123;{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

  license-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install dependencies
        run: npm ci

      - name: License check
        run: npx license-checker --failOn "GPL-2.0;GPL-3.0;AGPL-3.0"

SCA Best Practices

Scan on every build: every pipeline should include an SCA check, not just nightly builds
Continuous monitoring: register projects in Snyk/Dependabot to receive alerts when new CVEs are discovered
License policies: define and automate acceptable license policies
Minimal dependencies: critically evaluate every new dependency. Fewer dependencies means less attack surface
Version pinning: use exact versions in lock files, not ranges
Regular audits: quarterly dependency review to remove unused ones

Conclusions

SCA is a fundamental pillar of DevSecOps, particularly critical in the era of open source software. The combination of vulnerability scanning, license compliance, and automated updates protects the project from threats in the software supply chain.

In the next article, we'll explore Container Security, analyzing how to protect Docker images, implement image scanning with Trivy and Grype, and configure runtime protection for production containers.

Database	Maintainer	Coverage
NVD (National Vulnerability Database)	NIST (US Gov)	All platforms, 24-48h updates
GitHub Advisory Database	GitHub	npm, pip, Maven, RubyGems, NuGet, Go
OSV (Open Source Vulnerability)	Google	Multi-ecosystem, open format
Snyk Vulnerability DB	Snyk	Manually curated, high quality