Eliminating SCA Noise using Dependency Usage Evidence

A 3rd party dependency may be referenced in a package manifest such as requirements.txt or package-lock.json but not actually used in code. Vulnerabilities or other risks in such packages are not useful. Most SCA tools today lack the code context information preventing them from distinguishing between dependencies that are actually used in the codebase and those that are not. SafeDep Code Analysis framework augments vet, our free and open source tool with code context. This allows us to eliminate false positives and noise by considering the actual usage of a dependency in the codebase. In this article, we will look at how we can use dependency usage evidence to eliminate noise in SCA.

Getting Started

Ensure you have vet 1.9.2+ installed in your system. For help with installation, refer to the vet Installation Guide.

Create Code Analysis Database

Analyse your code base to create a code analysis database:

1
vet code scan --app /path/to/code --db /tmp/code.db

Run vet Scan with Code Analysis Database

Run vet scan with code analysis database to augment vet results with code context information:

1
vet scan -D /path/to/repository --code /tmp/code.db

Demo