# Scenario 20: Dependency Analysis
Security engineer or DevOps lead analyzing project dependencies for vulnerabilities, outdated packages, and license compliance.
## Table of Contents

- Quick Start
- Overview
- Supported Package Managers
- Analysis Features
- CLI Commands
- TUI Commands
- Example Questions
- Configuration
- CI/CD Integration
- Related Scenarios
## Quick Start

```
/select 20
```
## Overview

Scenario 20 provides comprehensive dependency analysis across multiple programming languages and package managers. It scans projects for dependency files, builds dependency graphs, checks for vulnerabilities, and validates license compliance.

```
Project Scan → Dependency Graph → Analysis → Report
                           ↓
        ┌──────────────┬──────────┬──────────┐
        ↓              ↓          ↓          ↓
Vulnerabilities    Outdated   Licenses     SBOM
```
## Supported Package Managers

| Language | Files Detected | Package Manager |
|---|---|---|
| Python | requirements.txt, Pipfile, pyproject.toml, setup.py | pip, pipenv, poetry |
| JavaScript | package.json, yarn.lock, pnpm-lock.yaml | npm, yarn, pnpm |
| Go | go.mod, go.sum | go modules |
| Ruby | Gemfile, Gemfile.lock | bundler |
| Java | pom.xml, build.gradle | maven, gradle |
| Rust | Cargo.toml, Cargo.lock | cargo |
| PHP | composer.json, composer.lock | composer |
## Analysis Features

### Dependency Graph Building

Scan a project and build the dependency tree:

```text
> Scan project dependencies in .

╭─────────────── Dependency Analysis Results ────────────────╮
│                                                            │
│ Overview:                                                  │
│   - Total dependencies: 127                                │
│   - Direct dependencies: 23                                │
│   - Dev dependencies: 45                                   │
│   - Files analyzed: 3                                      │
│                                                            │
│ Dependencies:                                              │
│   - `fastapi` @ 0.104.1                                    │
│   - `pydantic` @ 2.5.2                                     │
│   - `sqlalchemy` @ 2.0.23                                  │
│   - `uvicorn` @ 0.24.0                                     │
│   - `httpx` @ 0.25.2                                       │
│   - `pytest` @ 7.4.3                                       │
│   - `black` @ 23.11.0                                      │
│   - `ruff` @ 0.1.6                                         │
│   - `mypy` @ 1.7.1                                         │
│   - `rich` @ 13.7.0                                        │
│                                                            │
│ ... and 117 more dependencies                              │
│                                                            │
╰────────────────────────────────────────────────────────────╯
```
### Vulnerability Checking

Check dependencies against vulnerability databases:

```text
> Check dependencies for vulnerabilities

╭─────────────── Vulnerability Check ────────────────────────╮
│                                                            │
│ Overview:                                                  │
│   - Total dependencies: 127                                │
│   - Direct dependencies: 23                                │
│   - Dev dependencies: 45                                   │
│   - Files analyzed: 3                                      │
│                                                            │
│ Vulnerabilities:                                           │
│                                                            │
│   - 🔴 **CVE-2024-12345**: requests                       │
│     Remote Code Execution in HTTP redirect handling        │
│     *Fixed in: 2.32.0*                                     │
│                                                            │
│   - 🟠 **CVE-2024-23456**: pillow                         │
│     Buffer overflow in image processing                    │
│     *Fixed in: 10.2.0*                                     │
│                                                            │
│   - 🟡 **CVE-2024-34567**: cryptography                   │
│     Timing side-channel in RSA decryption                  │
│     *Fixed in: 41.0.7*                                     │
│                                                            │
╰────────────────────────────────────────────────────────────╯
```
### Vulnerability Sources

| Source | Description |
|---|---|
| OSV | Open Source Vulnerabilities database |
| GitHub Advisory | GitHub Security Advisories |
| NVD | National Vulnerability Database |
| PyPI Advisory | Python-specific advisories |
| npm Audit | Node.js-specific advisories |
### Severity Levels

| Emoji | Severity | CVSS Score |
|---|---|---|
| 🔴 | Critical | 9.0-10.0 |
| 🟠 | High | 7.0-8.9 |
| 🟡 | Medium | 4.0-6.9 |
| 🟢 | Low | 0.1-3.9 |
### Outdated Package Detection

Find packages with available updates:

```text
> Check for outdated dependencies

╭─────────────── Outdated Packages ──────────────────────────╮
│                                                            │
│ Outdated Packages:                                         │
│                                                            │
│   - `fastapi`: 0.104.1 → 0.109.0                           │
│   - `pydantic`: 2.5.2 → 2.6.1                              │
│   - `sqlalchemy`: 2.0.23 → 2.0.25                          │
│   - `uvicorn`: 0.24.0 → 0.27.0                             │
│   - `pytest`: 7.4.3 → 8.0.0                                │
│                                                            │
│ ... and 12 more outdated packages                          │
│                                                            │
╰────────────────────────────────────────────────────────────╯
```
### License Compliance

Check licenses for compatibility issues:

```text
> Check dependency licenses

╭─────────────── License Analysis ───────────────────────────╮
│                                                            │
│ License Summary:                                           │
│   - MIT: 78 packages                                       │
│   - Apache-2.0: 32 packages                                │
│   - BSD-3-Clause: 12 packages                              │
│   - GPL-3.0: 3 packages                                    │
│   - Unknown: 2 packages                                    │
│                                                            │
│ License Issues:                                            │
│                                                            │
│   - `some-gpl-lib`: GPL-3.0 may conflict with MIT project  │
│   - `mystery-pkg`: License not specified                   │
│   - `old-lib`: License file not found                      │
│                                                            │
╰────────────────────────────────────────────────────────────╯
```
### SBOM Generation

Generate a Software Bill of Materials:

```text
> Generate SBOM for the project

╭─────────────── SBOM Generated ─────────────────────────────╮
│                                                            │
│ Format: CycloneDX 1.4                                      │
│ Output: sbom.json                                          │
│                                                            │
│ Components: 127                                            │
│   - Libraries: 125                                         │
│   - Frameworks: 2                                          │
│                                                            │
│ Metadata:                                                  │
│   - Generated: 2024-12-09T14:35:21Z                        │
│   - Tool: CodeGraph v1.0                                   │
│   - Project: codegraph                                     │
│                                                            │
╰────────────────────────────────────────────────────────────╯
```
## CLI Commands

### Scanning Dependencies

```bash
# Scan current project
codegraph deps scan

# Scan specific path
codegraph deps scan --project /path/to/project

# Include dev dependencies
codegraph deps scan --include-dev

# Output as JSON
codegraph deps scan --output deps.json
```

### Vulnerability Auditing

```bash
# Check for vulnerabilities
codegraph deps audit

# Check specific severity
codegraph deps audit --severity critical,high

# Exit with error on vulnerabilities (for CI)
codegraph deps audit --fail-on high

# Output detailed report
codegraph deps audit --report vuln-report.json
```

### Outdated Packages

```bash
# Check for outdated packages
codegraph deps outdated

# Show only direct dependencies
codegraph deps outdated --direct-only

# Show available updates
codegraph deps outdated --show-updates
```

### License Checking

```bash
# Check licenses
codegraph deps licenses

# Check against allowed list
codegraph deps licenses --allowed MIT,Apache-2.0,BSD-3-Clause

# Fail on disallowed licenses
codegraph deps licenses --fail-on GPL-3.0
```

### SBOM Generation

```bash
# Generate CycloneDX SBOM
codegraph deps sbom --format cyclonedx --output sbom.json

# Generate SPDX SBOM
codegraph deps sbom --format spdx --output sbom.spdx

# Include vulnerabilities in SBOM
codegraph deps sbom --include-vulnerabilities
```

### Dependency Graph

```bash
# Show dependency tree
codegraph deps tree

# Show why a package is installed
codegraph deps why requests

# Export graph in DOT format
codegraph deps graph --format dot --output deps.dot
```
## TUI Commands

| Command | Description |
|---|---|
| `/dependencies scan` | Scan for dependencies |
| `/dependencies audit` | Check vulnerabilities |
| `/dependencies outdated` | Find outdated packages |
| `/dependencies licenses` | Check license compliance |
| `/dependencies sbom` | Generate SBOM |
| `/dependencies tree` | Show dependency tree |
| `/dependencies why <pkg>` | Show why a package is installed |
## Example Questions

- “Scan project for dependencies”
- “Check for vulnerable packages”
- “Are there any outdated dependencies?”
- “Show me the dependency tree”
- “Why is requests installed?”
- “Generate SBOM for the project”
- “Check if all licenses are MIT compatible”
- “Find packages with critical vulnerabilities”
## Configuration

Configure dependency analysis in config.yaml:

```yaml
scenarios:
  dependencies:
    # Vulnerability checking
    vulnerability_sources:
      - osv
      - github_advisory
      - nvd
    severity_threshold: medium  # low, medium, high, critical

    # License compliance
    allowed_licenses:
      - MIT
      - Apache-2.0
      - BSD-3-Clause
      - ISC
    disallowed_licenses:
      - GPL-3.0
      - AGPL-3.0

    # SBOM settings
    sbom_format: cyclonedx  # cyclonedx, spdx

    # Scanning options
    include_dev: true
    max_depth: 10
    cache_ttl: 3600  # seconds
```
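As an added example (not CodeGraph's own code), the script below applies the same policy the config above expresses (severity_threshold, allowed_licenses, disallowed_licenses) to an SBOM such as the one `codegraph deps sbom --include-vulnerabilities` writes, using the score bands from the Severity Levels table, so a single CI step can fail on vulnerabilities and license issues together. It assumes only standard CycloneDX 1.4 fields; the SBOM embedded in it is constructed sample data, and the CVE ids are the page's placeholders.

```python
# Policy gate over a CycloneDX 1.4 SBOM (added example, not CodeGraph's own code). Assumes only standard
# CycloneDX 1.4 fields (components[].licenses[].license.id, vulnerabilities[].ratings[].score/affects[].ref).
import json
import sys
# Score bands from the Severity Levels table; ranks make "at or above severity_threshold" a comparison.
SEVERITY_BANDS = (("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.1))
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Constructed sample SBOM for offline runs; the CVE ids are the page's placeholders, not real advisories.
SAMPLE_SBOM = {
    "components": [
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:pypi/some-gpl-lib@1.0", "name": "some-gpl-lib",
         "licenses": [{"license": {"id": "GPL-3.0"}}]},
        {"bom-ref": "pkg:pypi/mystery-pkg@0.1", "name": "mystery-pkg"},  # no license data at all
    ],
    "vulnerabilities": [
        {"id": "CVE-2024-12345", "ratings": [{"score": 9.8}], "affects": [{"ref": "pkg:pypi/requests@2.31.0"}]},
        {"id": "CVE-2024-34567", "ratings": [{"score": 3.7}], "affects": [{"ref": "pkg:pypi/requests@2.31.0"}]},
    ],
}

def cvss_to_severity(score):
    """Map a CVSS score to the page's severity names; 0.0 matches no band."""
    for name, floor in SEVERITY_BANDS:
        if score >= floor:
            return name
    return "none"

def evaluate_sbom(sbom, severity_threshold="medium", allowed=(), disallowed=()):
    """Return (vuln_findings, license_findings) that violate the configured policy."""
    names = {c.get("bom-ref", c["name"]): c["name"] for c in sbom.get("components", [])}
    vulns = []
    for v in sbom.get("vulnerabilities", []):
        scores = [r["score"] for r in v.get("ratings", []) if "score" in r]
        sev = cvss_to_severity(max(scores)) if scores else "none"  # worst rating decides
        if SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK[severity_threshold]:
            vulns.append((v["id"], sev, [names.get(a["ref"], a["ref"]) for a in v.get("affects", [])]))
    lics = []
    for c in sbom.get("components", []):
        ids = [x["license"].get("id") or x["license"].get("name") for x in c.get("licenses", []) if "license" in x]
        if not ids:
            lics.append((c["name"], "unknown"))  # "License not specified" in the page's output
        lics.extend((c["name"], i) for i in ids if i in disallowed or (allowed and i not in allowed))
    return vulns, lics

if __name__ == "__main__":  # usage: python sbom_gate.py [sbom.json]; a non-zero exit fails the CI job
    sbom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    vulns, lics = evaluate_sbom(sbom, "medium", ("MIT", "Apache-2.0", "BSD-3-Clause", "ISC"), ("GPL-3.0", "AGPL-3.0"))
    print(*vulns, *lics, sep="\n")
    sys.exit(1 if vulns or lics else 0)
```

Run with no arguments it evaluates the embedded sample and exits non-zero; in CI, point it at the sbom.json produced by the previous step.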
## CI/CD Integration

### GitHub Actions

```yaml
# .github/workflows/security.yml
name: Dependency Security

on:
  push:
    branches: [main]
  pull_request:

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Install CodeGraph
        run: pip install codegraph

      - name: Check Vulnerabilities
        run: codegraph deps audit --fail-on high

      - name: Check Licenses
        run: codegraph deps licenses --allowed MIT,Apache-2.0

      - name: Generate SBOM
        run: codegraph deps sbom --output sbom.json

      - name: Upload SBOM
        uses: actions/upload-artifact@v3
        with:
          name: sbom
          path: sbom.json
```

### GitLab CI

```yaml
# .gitlab-ci.yml
security:audit:
  stage: test
  script:
    - pip install codegraph
    - codegraph deps audit --fail-on high
    - codegraph deps sbom --output sbom.json
  artifacts:
    paths:
      - sbom.json
```
## Related Scenarios

- Security Audit - Vulnerability scanning
- Compliance - Compliance checking
- Code Optimization - Optimization suggestions