Eliminating SCA Noise using Dependency Usage Evidence
Table of Contents
A 3rd party dependency may be referenced in a package manifest such as
requirements.txt or package-lock.json but not actually used in code.
Vulnerabilities or other risks in such packages are not useful. Most SCA tools
today lack the code context information preventing them from distinguishing
between dependencies that are actually used in the codebase and those that are
not. SafeDep Code Analysis framework augments vet, our free and open source tool with code
context. This allows us to eliminate false positives and noise by considering
the actual usage of a dependency in the codebase. In this article, we will look
at how we can use dependency usage evidence to eliminate noise in SCA.
Getting Started
Ensure you have vet 1.9.2+ installed in
your system. For help with installation, refer to the vet Installation Guide.
Create Code Analysis Database
Analyse your code base to create a code analysis database:
vet code scan --app /path/to/code --db /tmp/code.dbRun vet Scan with Code Analysis Database
Run vet scan with code analysis database to augment vet results with
code context information:
vet scan -D /path/to/repository --code /tmp/code.dbDemo
- sca
- nextgen-sca
- code-analysis
- guide
Author
SafeDep Team
safedep.io
Share
The Latest from SafeDep blogs
Follow for the latest updates and insights on open source security & engineering
Miasma Worm Infects Multiple LeoPlatform npm Packages
A Miasma worm variant compromised a single maintainer account and used it to publish infected versions of 20 LeoPlatform npm packages within a 3-second window. The worm also pushed weaponized GitHub...
MYRA: A Full Linux RAT Distributed via npm
The npm package apintergrationpost is a red team RAT called MYRA with native C rootkit, triple persistence, fileless execution, live screen streaming, and process masquerade. This analysis documents...
The wshu.net npm Campaign Delivers a Multi-Stage Infostealer
One actor seeded 15 npm packages across 13 throwaway scopes in a single morning, each shipping a ~270KB obfuscated downloader behind a postinstall hook. The downloader pulls a Rust infostealer from...
@withgoogle/stitch-sdk: Scope Squat Harvests Developer Credentials
A malicious npm package squats the @withgoogle scope to impersonate Google Stitch, silently harvesting credentials from Claude Code, git, GitHub CLI, SSH keys, npm, and Docker on install.
Ship Code.
Not Malware.
Start free with open source tools on your machine. Scale to a unified platform for your organization.
