Secure your projectsEliminating SCA Noise using Dependency Usage Evidence
A 3rd party dependency may be referenced in a package manifest such as requirements.txt or package-lock.json but not actually used in code. Vulnerabilities or other risks in such packages are not useful. Most SCA tools today lack the code context information preventing them from distinguishing between dependencies that are actually used in the codebase and those that are not. SafeDep Code Analysis framework augments vet, our free and open source tool with code context. This allows us to eliminate false positives and noise by considering the actual usage of a dependency in the codebase. In this article, we will look at how we can use dependency usage evidence to eliminate noise in SCA.
Getting Started
Ensure you have vet 1.9.2+ installed in your system. For help with installation, refer to the vet Installation Guide.
Create Code Analysis Database
Analyse your code base to create a code analysis database:
vet code scan --app /path/to/code --db /tmp/code.dbRun vet Scan with Code Analysis Database
Run vet scan with code analysis database to augment vet results with code context information:
vet scan -D /path/to/repository --code /tmp/code.dbDemo
Share this article
Ready to Secure Your Open Source Dependencies?
Join thousands of developers and organizations who trust SafeDep to protect their software supply chain.
