Eliminating SCA Noise using Dependency Usage Evidence
Table of Contents
A 3rd party dependency may be referenced in a package manifest such as requirements.txt
or package-lock.json
but not actually used in code. Vulnerabilities or other risks in such packages are not useful. Most SCA tools today lack the code context information preventing them from distinguishing between dependencies that are actually used in the codebase and those that are not. SafeDep Code Analysis framework augments vet, our free and open source tool with code context. This allows us to eliminate false positives and noise by considering the actual usage of a dependency in the codebase. In this article, we will look at how we can use dependency usage evidence to eliminate noise in SCA.
Getting Started
Ensure you have vet 1.9.2+
installed in your system. For help with installation, refer to the vet Installation Guide.
Create Code Analysis Database
Analyse your code base to create a code analysis database:
vet code scan --app /path/to/code --db /tmp/code.db
Run vet
Scan with Code Analysis Database
Run vet
scan with code analysis database to augment vet
results with code context information:
vet scan -D /path/to/repository --code /tmp/code.db
Demo
- sca
- nextgen-sca
- code-analysis
- guide
Author
SafeDep Team
safedep.io
Share
The Latest from SafeDep blogs
Follow for the latest updates and insights on open source security & engineering

Ship Code. Not Malware. SafeDep Launches GitHub App for Malicious Package Protection
SafeDep launches a GitHub App for zero-configuration protection against malicious open source packages. Instantly scan pull requests and keep your code repositories safe from supply chain attacks.

Diff-based SCA with AI is Broken — Real Examples from Pipfile.lock, yarn.lock, and Cargo.lock
Diff-based Software Composition Analysis (SCA) scanners in pull requests are prone to blind spots. By relying only on git diff data, they miss package context, suffer from nondeterministic...

Shai-Hulud Supply Chain Attack Incident Response
The Shai-Hulud supply chain attack is a major incident targeting developers through malicious packages in the npm ecosystem. This post outlines the incident response steps that can be taken to...

npm Supply Chain Attack Exposes Private Repositories, AWS Credentials and More
npm supply chain attacks continue. This time targeting @ctrl/tinycolor and multiple other packages with credential stealer malware. In this blog, we will analyze the attack and its impact on the npm...

Ship Code
Not Malware
Install the SafeDep GitHub App to keep malicious packages out of your repos.
