CodeGraph includes a built-in SCA module for dependency analysis, vulnerability checking, and SBOM generation. It covers GOST R 56939-2024 process 5.16 (Composition Analysis) requirements.
Overview¶
The SCA pipeline:

```text
Dependency Parsers  →  SBOM Generator  →  Vulnerability Checker  →  Report
        ↓                     ↓                      ↓                  ↓
  7 parser modules      CycloneDX 1.5            4 sources         SARIF/GOST/JSON
  7 ecosystems          SPDX 2.3                 SQLite cache      CI exit codes
```
Supported Languages¶
| Language | Parser | Manifest Files |
|---|---|---|
| Python | PythonDependencyParser | requirements.txt, pyproject.toml, Pipfile, setup.py |
| JavaScript/TypeScript | JavaScriptDependencyParser | package.json, yarn.lock, pnpm-lock.yaml |
| Go | GoDependencyParser | go.mod, go.sum |
| Java/Kotlin | JavaDependencyParser | pom.xml, build.gradle, build.gradle.kts |
| C# | CSharpDependencyParser | *.csproj, packages.config, Directory.Packages.props |
| PHP | PHPDependencyParser | composer.json, composer.lock |
| C/C++ | CCppDependencyParser | conanfile.txt, conanfile.py, vcpkg.json, CMakeLists.txt |
The current implementation ships 7 parser modules covering Python, JavaScript/TypeScript, Go, Java/Kotlin, C#, PHP, and C/C++. TypeScript uses the JavaScript parser; Kotlin uses the Java parser (build.gradle.kts). 1C:Enterprise has no standard package manager, so no dependency parser is provided for it.
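The following is an added example written for this page, not CodeGraph's own PythonDependencyParser, showing what a requirements.txt parser has to cope with before it can emit CycloneDX 1.5 components with package URLs: comments, -r includes, extras, environment markers, --hash options, unpinned ranges and PEP 503 name normalisation. The manifest text is constructed for the demo and the `example:specifier` property name is an assumption.

```python
"""Added example: turn a requirements.txt manifest into CycloneDX 1.5 components.

Illustrative code written for this page, not CodeGraph's PythonDependencyParser.
The manifest below is constructed to exercise the cases a parser must handle.
"""
from __future__ import annotations

import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample manifest: comments, blank lines, an -r include, extras,
# an environment marker, a --hash option, an unpinned range and a name that
# needs PEP 503 normalisation.
SAMPLE_REQUIREMENTS = """\
# runtime deps
requests[security]==2.31.0 ; python_version >= "3.8"
PyYAML==6.0.1 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000

Django >= 4.2, < 5.0
-r dev-requirements.txt
typing_extensions==4.9.0  # trailing comment
"""

_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"  # distribution name
    r"(?:\[[^\]]*\])?"                         # optional extras (ignored)
    r"\s*(?P<spec>[^;#\s][^;#]*)?"             # version specifier(s)
)


def normalize_pypi_name(name: str) -> str:
    """PEP 503 / purl rule for PyPI names: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list[dict]:
    """Return one CycloneDX component per requirement line.

    Only an exact '==' pin yields a version. Any other specifier is kept as a
    property so the SBOM consumer can see the version was never resolved.
    """
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("-"):       # skip blanks and options (-r, -e, --index-url)
            continue
        line = line.split(";", 1)[0]               # drop environment markers
        line = re.split(r"\s--hash=", line)[0]     # drop hash options
        m = _REQ_RE.match(line.strip())
        if not m:
            continue
        name = normalize_pypi_name(m.group("name"))
        spec = (m.group("spec") or "").replace(" ", "")
        pinned = spec.startswith("==") and "," not in spec and not spec.endswith("*")
        comp = {"type": "library", "name": name, "scope": "required"}
        if pinned:
            comp["version"] = spec[2:]
            comp["purl"] = f"pkg:pypi/{name}@{spec[2:]}"
        else:
            comp["purl"] = f"pkg:pypi/{name}"       # purl without a version: unresolved
            # Hypothetical property namespace chosen for this example.
            comp["properties"] = [{"name": "example:specifier", "value": spec or "*"}]
        components.append(comp)
    return components


def to_cyclonedx(components: list[dict], project: str) -> dict:
    """Wrap components in a minimal CycloneDX 1.5 JSON BOM."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "name": project},
        },
        "components": components,
    }


if __name__ == "__main__":
    print(json.dumps(to_cyclonedx(parse_requirements(SAMPLE_REQUIREMENTS), "demo"), indent=2))
```

The point of the unpinned branch is that a range like `Django >= 4.2, < 5.0` cannot be matched against advisories: a vulnerability checker needs the resolved version, which for Python means reading a lock file or the installed environment rather than the manifest alone.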
Vulnerability Sources¶
| Source | Description | Auth |
|---|---|---|
| OSV | Open Source Vulnerability database | None |
| GitHub Advisory | GitHub Security Advisories (GraphQL) | GITHUB_TOKEN |
| NVD | NIST National Vulnerability Database (API v2.0) | NVD_API_KEY |
| BDU FSTEC | Russian federal vulnerability database | None |
Results are cached locally in SQLite (data/vuln_cache.sqlite) with configurable TTL.
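An added example of the cache-aside pattern behind such a SQLite cache and its TTL, written for this page rather than taken from CodeGraph's vuln_cache.py; the table schema, the `fetch` callable and the `check_package` helper are assumptions. It runs against an in-memory database so it works offline, and `clear()` is the behaviour `sbom sync --force` implies: drop everything and fetch again.

```python
"""Added example: a vulnerability-result cache with TTL expiry in SQLite.

Illustrative code for this page, not CodeGraph's vuln_cache.py. Uses an
in-memory database so it runs offline; pass a file path for persistence.
"""
import json
import sqlite3
import time
from typing import Callable, Optional


class VulnCache:
    """Caches the JSON answer of one (source, ecosystem, package, version) lookup.

    Entries older than the TTL are treated as misses, so a stale
    'no vulnerabilities' answer cannot outlive the configured window.
    """

    def __init__(self, db_path: str = ":memory:", ttl_hours: float = 24):
        self.ttl = ttl_hours * 3600
        self.conn = sqlite3.connect(db_path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS vuln_cache ("
            " source TEXT, ecosystem TEXT, package TEXT, version TEXT,"
            " fetched_at REAL NOT NULL, payload TEXT NOT NULL,"
            " PRIMARY KEY (source, ecosystem, package, version))")

    def put(self, source, ecosystem, package, version, vulns, now=None) -> None:
        # Package names are lowercased so 'Requests' and 'requests' share one entry.
        self.conn.execute(
            "INSERT OR REPLACE INTO vuln_cache VALUES (?,?,?,?,?,?)",
            (source, ecosystem, package.lower(), version,
             now if now is not None else time.time(), json.dumps(vulns)))
        self.conn.commit()

    def get(self, source, ecosystem, package, version, now=None) -> Optional[list]:
        """Return the cached list, or None on a miss or an expired entry."""
        now = now if now is not None else time.time()
        row = self.conn.execute(
            "SELECT fetched_at, payload FROM vuln_cache"
            " WHERE source=? AND ecosystem=? AND package=? AND version=?",
            (source, ecosystem, package.lower(), version)).fetchone()
        if row is None or now - row[0] > self.ttl:
            return None
        return json.loads(row[1])

    def purge_expired(self, now=None) -> int:
        """Delete entries past the TTL; returns how many were removed."""
        now = now if now is not None else time.time()
        cur = self.conn.execute(
            "DELETE FROM vuln_cache WHERE fetched_at < ?", (now - self.ttl,))
        self.conn.commit()
        return cur.rowcount

    def clear(self) -> int:
        """Drop every entry (what a forced re-sync does); returns the old count."""
        removed = self.count()
        self.conn.execute("DELETE FROM vuln_cache")
        self.conn.commit()
        return removed

    def count(self) -> int:
        return self.conn.execute("SELECT COUNT(*) FROM vuln_cache").fetchone()[0]


def check_package(cache: VulnCache, fetch: Callable, source: str, ecosystem: str,
                  package: str, version: str, now=None):
    """Cache-aside lookup: returns (vulns, hit). `fetch` is the live source call
    (e.g. an OSV query); it only runs on a miss or an expired entry."""
    cached = cache.get(source, ecosystem, package, version, now)
    if cached is not None:
        return cached, True
    vulns = fetch(ecosystem, package, version)
    cache.put(source, ecosystem, package, version, vulns, now)
    return vulns, False
```

The key includes the source, so a cached OSV answer never masquerades as an NVD or BDU answer when the audit is re-run with a different `--sources` list.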
CLI Commands¶
Generate SBOM¶
```bash
python -m src.cli sbom generate --format cyclonedx --output sbom.json
python -m src.cli sbom generate --format spdx --project myproject
```
Formats: cyclonedx (CycloneDX 1.5, default), spdx (SPDX 2.3).
Audit Dependencies¶
```bash
# Basic audit (OSV only)
python -m src.cli sbom audit

# Full audit with multiple sources
python -m src.cli sbom audit --sources osv,nvd,bdu --format sarif --output sca.sarif

# CI mode: exit code 1 if critical vulns found
python -m src.cli sbom audit --fail-on critical --format json
```
Exit codes:
- 0 — no vulnerabilities above threshold
- 1 — vulnerabilities above --fail-on threshold
- 2 — execution error
Output formats: json, sarif, markdown, gost.
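An added example (not the project's audit code) of how a `--fail-on` gate turns findings into these exit codes. It assumes a severity ladder low < medium < high < critical, the CVSS v3 qualitative buckets for sources that report only a score, that suppressed findings never breach the gate, and that a misspelled threshold is an execution error (exit 2) rather than a silent pass. The findings and their SAMPLE-* identifiers are constructed.

```python
"""Added example: the --fail-on threshold and CI exit-code logic.

Written for this page as an illustration; not CodeGraph's own audit code.
The findings below are constructed sample data with placeholder identifiers.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity ladder, lowest to highest. Anything a source reports that is not on
# the ladder (e.g. "unknown") ranks below every threshold and never fails CI
# on its own; it still appears in the report.
SEVERITY_ORDER = ("low", "medium", "high", "critical")
EXIT_OK, EXIT_THRESHOLD, EXIT_ERROR = 0, 1, 2


def severity_from_cvss(score: float) -> str:
    """CVSS v3.x qualitative rating scale: 0.1-3.9 low, 4.0-6.9 medium,
    7.0-8.9 high, 9.0-10.0 critical. Used when a source gives only a score."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


@dataclass
class Finding:
    package: str
    version: str
    vuln_id: str
    severity: Optional[str] = None      # as reported by the source
    cvss_score: Optional[float] = None  # fallback when severity is missing
    suppressed: bool = False

    def effective_severity(self) -> str:
        if self.severity:
            return self.severity.lower()
        if self.cvss_score is not None:
            return severity_from_cvss(self.cvss_score)
        return "unknown"


def rank(sev: str) -> int:
    """Position on the ladder; -1 for anything unrecognised."""
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else -1


def evaluate(findings: List[Finding], fail_on: str) -> Tuple[int, List[Finding]]:
    """Return (exit_code, findings that breach the threshold).

    0: nothing at or above fail_on; 1: at least one unsuppressed finding at or
    above it; 2: the threshold itself is invalid, treated as an execution error
    so that a typo in a CI config cannot silently open the gate.
    """
    fail_on = fail_on.lower()
    if fail_on not in SEVERITY_ORDER:
        return EXIT_ERROR, []
    threshold = rank(fail_on)
    breaching = [f for f in findings
                 if not f.suppressed and rank(f.effective_severity()) >= threshold]
    return (EXIT_THRESHOLD if breaching else EXIT_OK), breaching


# Constructed sample findings (placeholder identifiers, not real advisories).
SAMPLE_FINDINGS = [
    Finding("requests", "2.25.0", "SAMPLE-0001", severity="MEDIUM"),
    Finding("pyyaml", "5.3", "SAMPLE-0002", severity=None, cvss_score=9.8),
    Finding("django", "3.1", "SAMPLE-0003", severity="high", suppressed=True),
    Finding("urllib3", "1.26.4", "SAMPLE-0004", severity="unknown"),
]

if __name__ == "__main__":
    import sys
    code, hits = evaluate(SAMPLE_FINDINGS, sys.argv[1] if len(sys.argv) > 1 else "critical")
    for f in hits:
        print(f"{f.vuln_id} {f.package}@{f.version} {f.effective_severity()}")
    sys.exit(code)
```

Run as `python example.py high` to see the suppressed django finding excluded while the score-only pyyaml finding still trips the gate.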
Sync Vulnerability Cache¶
```bash
python -m src.cli sbom sync --sources osv,nvd,bdu
python -m src.cli sbom sync --force   # clear and re-sync
```
Generate GOST Report¶
```bash
python -m src.cli sbom gost-report --language ru --output gost_sca.md
python -m src.cli sbom gost-report --language en
```

Generates a Markdown report with the four sections required by GOST R 56939-2024 clause 5.16.3:

- 5.16.3.2 — Dependencies list
- 5.16.3.3 — Version currency check
- 5.16.3.4 — Vulnerability results
- 5.16.3.5 — Update recommendations
REST API¶
All SCA routes are mounted under /api/v1/deps.
Project-Scoped Endpoints (primary contract)¶
| Method | Path | Description |
|---|---|---|
| GET | /api/v1/deps/projects/{project_name}/summary | Registered-project SCA summary with scan_status, inventory counts, and license/vulnerability counters |
| GET | /api/v1/deps/projects/{project_name}/dependencies | Dependency inventory for the registered project |
| GET | /api/v1/deps/projects/{project_name}/vulnerabilities | Live vulnerability results for the registered project |
| GET | /api/v1/deps/projects/{project_name}/sbom | Export project SBOM in spdx or cyclonedx |
| POST | /api/v1/deps/projects/{project_name}/audit | Project-scoped vulnerability audit (json or sarif) |
| GET | /api/v1/deps/projects/{project_name}/gost-report | Project-scoped GOST 5.16.3 Markdown report |
The Web SCA / SBOM screens use the project-scoped endpoints above. The dashboard portfolio
aggregate /api/v2/dashboard/sca/overview is still available, but it is not the primary source
for the project SCA page.
Legacy Scan-Scoped Compatibility Endpoints¶
These endpoints are still available for CLI/manual workflows that explicitly seed a temporary
graph via /scan, but they are not the canonical multi-project product contract:
| Method | Path | Description |
|---|---|---|
| POST | /api/v1/deps/scan | Scan an arbitrary path into the legacy in-memory graph |
| GET | /api/v1/deps/list | Read dependencies from the last legacy scan |
| GET | /api/v1/deps/graph | Read the dependency graph from the last legacy scan |
| POST | /api/v1/deps/check-vulnerabilities | Check vulnerabilities for the last legacy scan |
| GET | /api/v1/deps/outdated | Outdated packages for the last legacy scan |
| GET | /api/v1/deps/licenses | License summary for the last legacy scan |
| GET | /api/v1/deps/health-score | Health score for the last legacy scan |
| GET | /api/v1/deps/sbom | Export SBOM for the last legacy scan |
| POST | /api/v1/deps/audit | Audit the last legacy scan |
| GET | /api/v1/deps/gost-report | GOST report for the last legacy scan |
| POST | /api/v1/deps/sync-cache | Sync the shared vulnerability cache |
POST /api/v1/deps/projects/{project_name}/audit¶
Audit dependencies for vulnerabilities with configurable sources and threshold. Request body:

```json
{
  "sources": ["osv", "nvd", "bdu_fstec"],
  "fail_on": "critical",
  "format": "json"
}
```

The response includes `threshold_breached: true` if any vulnerability is at or above the `fail_on` threshold.
GET /api/v1/deps/projects/{project_name}/gost-report¶
Generate the GOST 5.16.3 report for a registered project:

```http
GET /api/v1/deps/projects/codegraph/gost-report?language=ru
```

Returns `{"format": "markdown", "language": "ru", "content": "..."}`.
POST /api/v1/deps/sync-cache¶
Sync the local vulnerability cache. Request body:

```json
{
  "sources": ["osv", "nvd", "bdu_fstec"],
  "force": false
}
```
MCP Tools¶
Three MCP tools for IDE integration:
| Tool | Description |
|---|---|
| codegraph_sbom_generate | Generate SBOM (format, project) |
| codegraph_sbom_audit | Audit vulnerabilities (sources, fail_on, format) |
| codegraph_sbom_sync | Sync vulnerability cache (sources, force) |
Configuration¶
In config.yaml under `dependencies`:

```yaml
dependencies:
  enabled: true
  vulnerability:
    sources: [osv, github_advisory, nvd, bdu_fstec]
  vuln_cache:
    enabled: true
    db_path: "data/vuln_cache.sqlite"
    ttl_hours: 24
    sync_interval_hours: 12
  sources:
    osv:
      enabled: true
    nvd:
      enabled: true
      api_key_env: "NVD_API_KEY"
      rate_limit_per_second: 5
    bdu_fstec:
      enabled: true
      base_url: "https://bdu.fstec.ru/api"
    github_advisory:
      enabled: true
      token_env: "GITHUB_TOKEN"
  ci:
    fail_on: "critical"
    sarif_output: "sca-results.sarif"
  sbom:
    default_format: "cyclonedx"
    cyclonedx_version: "1.5"
    include_dev_deps: false
```

Access via `get_unified_config().sca`:

```python
from src.config import get_unified_config

cfg = get_unified_config().sca
cfg.ci_fail_on            # "critical"
cfg.sbom_default_format   # "cyclonedx"
cfg.vuln_cache_ttl_hours  # 24
```
CI Integration¶
A GitHub Actions workflow is provided at .github/workflows/sca-audit.yml:

```yaml
- name: Audit dependencies
  run: python -m src.cli sbom audit --sources osv --format sarif --output sca-results.sarif --fail-on critical
- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: sca-results.sarif
```
The workflow triggers on changes to dependency manifest files and:
1. Generates a CycloneDX SBOM
2. Audits with --fail-on critical (blocks pipeline on critical CVEs)
3. Uploads SARIF to GitHub Code Scanning
4. Saves SBOM as build artifact
GOST R 56939-2024 Compliance¶
The SCA module covers process 5.16 with the SCAEvaluator in the compliance framework. Run:

```bash
python -m src.cli compliance gost-56939 --format markdown --language ru
```

The evaluator checks for 5 artifacts:

1. SBOM (5.16.3.2)
2. Currency check (5.16.3.3)
3. Vulnerability scan (5.16.3.4)
4. Update recommendations (5.16.3.5)
5. Multiple vulnerability sources
Status mapping: 0 met = GAP, 1-3 met = PARTIAL, 4-5 met = FULL.
SARIF Export¶
SCA findings are exported in SARIF 2.1.0 format, compatible with:

- GitHub Code Scanning
- VS Code SARIF Viewer
- Azure DevOps
Severity mapping: CRITICAL/HIGH → error, MEDIUM → warning, LOW → note.
Each finding includes:
- Manifest file location and line number
- Fix version (if available)
- Suppression support (suppressed, suppression_reason)
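An added example, written for this page and not CodeGraph's sarif_export.py, of the SARIF 2.1.0 shape those findings map to: one reportingDescriptor per advisory, the severity-to-level mapping above, the manifest location and line, the fix version, and a SARIF suppression object carrying the reason. The findings and their SAMPLE-* identifiers are constructed; the tool name is a placeholder; the `security-severity` rule property is what GitHub Code Scanning reads to rank alerts by CVSS.

```python
"""Added example: rendering SCA findings as a SARIF 2.1.0 log.

Illustrative code for this page, not CodeGraph's sarif_export.py. The findings
below are constructed sample data with placeholder identifiers.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Severity -> SARIF result.level: CRITICAL/HIGH -> error, MEDIUM -> warning, LOW -> note.
LEVEL_BY_SEVERITY = {"critical": "error", "high": "error",
                     "medium": "warning", "low": "note"}


@dataclass
class SCAFinding:
    vuln_id: str
    package: str
    version: str
    severity: str
    manifest: str                         # manifest file the dependency was read from
    line: int                             # 1-based line of the dependency in that manifest
    summary: str
    fix_version: Optional[str] = None
    cvss_score: Optional[float] = None
    suppressed: bool = False
    suppression_reason: Optional[str] = None


def to_sarif_result(f: SCAFinding) -> dict:
    sev = f.severity.lower()
    text = f"{f.package}@{f.version}: {f.summary} ({sev})"
    text += f"; fix available in {f.fix_version}" if f.fix_version else "; no fix version published"
    result = {
        "ruleId": f.vuln_id,
        "level": LEVEL_BY_SEVERITY.get(sev, "none"),   # unmapped severities become 'none'
        "message": {"text": text},
        "locations": [{"physicalLocation": {
            "artifactLocation": {"uri": f.manifest, "uriBaseId": "%SRCROOT%"},
            "region": {"startLine": f.line},
        }}],
        "properties": {"package": f.package, "installedVersion": f.version, "severity": sev},
    }
    if f.fix_version:
        result["properties"]["fixVersion"] = f.fix_version
    if f.suppressed:
        # SARIF 2.1.0 suppression object; viewers hide or grey these out but
        # the finding stays in the log, so the decision remains auditable.
        result["suppressions"] = [{"kind": "external",
                                   "justification": f.suppression_reason or "suppressed"}]
    return result


def to_sarif_rule(f: SCAFinding) -> dict:
    rule = {"id": f.vuln_id, "shortDescription": {"text": f.summary},
            "properties": {"tags": ["security", "sca"]}}
    if f.cvss_score is not None:
        rule["properties"]["security-severity"] = str(f.cvss_score)   # read by GitHub Code Scanning
    return rule


def build_sarif(findings: List[SCAFinding], tool_name: str = "example-sca",
                tool_version: str = "0.0") -> dict:
    rules, seen = [], set()
    for f in findings:                      # one rule per distinct advisory id
        if f.vuln_id not in seen:
            seen.add(f.vuln_id)
            rules.append(to_sarif_rule(f))
    return {
        "$schema": SARIF_SCHEMA,
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
            "results": [to_sarif_result(f) for f in findings],
        }],
    }


# Constructed sample findings (placeholder identifiers, not real advisories).
SAMPLE_FINDINGS = [
    SCAFinding("SAMPLE-0001", "requests", "2.25.0", "HIGH", "requirements.txt", 3,
               "constructed sample advisory A", fix_version="2.31.0", cvss_score=7.5),
    SCAFinding("SAMPLE-0002", "pyyaml", "5.3", "MEDIUM", "requirements.txt", 4,
               "constructed sample advisory B"),
    SCAFinding("SAMPLE-0003", "lodash", "4.17.15", "LOW", "package.json", 12,
               "constructed sample advisory C", fix_version="4.17.21",
               suppressed=True, suppression_reason="dev-only build script, not shipped"),
]

if __name__ == "__main__":
    print(json.dumps(build_sarif(SAMPLE_FINDINGS), indent=2))
```

Pointing `artifactLocation.uri` at the manifest line lets Code Scanning annotate the exact dependency declaration in a pull request, which is what makes the `--fail-on` gate actionable for the developer rather than just a red build.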
Architecture¶
```text
src/dependencies/
  parsers/
    python.py, javascript.py, go.py         # existing
    java.py, c_cpp.py, csharp.py, php.py    # new
    __init__.py                             # ALL_PARSERS registry
  models.py             # Dependency, Vulnerability, SCAFinding, etc.
  vulnerability.py      # VulnerabilityChecker (OSV, GitHub, NVD, BDU FSTEC)
  vuln_cache.py         # SQLite cache with TTL
  license_checker.py    # CycloneDX 1.5, SPDX 2.3
  sarif_export.py       # SARIF 2.1.0 for SCA findings
  gost_report.py        # GOST 5.16.3 report generator
  graph.py              # DependencyGraphBuilder (NetworkX)
  analyzer.py           # Outdated, unused, health score
src/cli/sbom_commands.py                           # CLI: sbom generate/audit/sync/gost-report
src/api/routers/dependencies.py                    # REST API (project-scoped + legacy compatibility)
src/mcp/tools/sca.py                               # MCP tools (3)
src/compliance/gost_56939/evaluators/automated.py  # SCAEvaluator
```