Software Composition Analysis
dpndncY resolves your direct and transitive dependencies across 30+ ecosystems, correlates each component against OSV / NVD / GHSA, and ranks findings by real exploitability — KEV, EPSS, ExploitDB, and code-level reachability — instead of raw CVE count. Where there is no manifest to read, it identifies components by binary/source signature.
How resolution works
SCA runs in three stages: discovery, resolution, and correlation.
- Discovery walks the project (skipping
node_modules,.git, build output, vendored caches) and identifies every manifest and lockfile it understands. - Resolution is lockfile-first: when a lockfile is present, dpndncY reads the exact pinned graph — direct + transitive, with resolved versions and integrity hashes. When only a manifest exists, it resolves direct dependencies and best-effort transitives (for Maven it can shell out to
mvn dependency:treefor an exact graph). - Correlation matches every resolved component (by purl) against the advisory and exploit-signal stack, then scores it.
Supported ecosystems
| Language / platform | Managers & lockfiles |
|---|---|
| JavaScript / TypeScript | npm, Yarn, pnpm, Lerna (package-lock.json, yarn.lock, pnpm-lock.yaml) |
| Python | pip, Pipenv, Poetry, Conda (requirements.txt, Pipfile.lock, poetry.lock, environment.yml) |
| JVM | Maven, Gradle, Apache Ivy, SBT |
| .NET | NuGet (packages.lock.json, .csproj/.fsproj/.vbproj, project.assets.json) |
| PHP | Composer / Packagist, PEAR |
| Go | Go Modules, Go Dep, Go Vendor (go.sum, Gopkg.lock, vendor/modules.txt) |
| Rust | Cargo (Cargo.lock) |
| Apple | CocoaPods, Carthage, Swift PM, Xcode (.pbxproj) |
| C / C++ | Conan, vcpkg, Bazel, CMake |
| Ruby | RubyGems (Gemfile.lock) |
| Others | Perl (CPAN), R (CRAN), Dart (Pub), Erlang/Elixir (Hex, rebar), OCaml (OPAM), Yocto (BitBake) |
The exploitability signal stack
Every vulnerable component is enriched with the same signals the firewall and decision engine use:
| Signal | Source | Answers |
|---|---|---|
| Advisory match | OSV · NVD · GHSA | Is there a known CVE/advisory for this version? |
| CVSS | NVD | How severe is it in the abstract? |
| EPSS | FIRST.org | Probability it is exploited in the next 30 days |
| KEV | CISA | Is it known to be exploited in the wild? |
| ExploitDB | Exploit-DB | Is there public exploit code? |
| Reachability | dpndncY SAST | Is the vulnerable symbol actually called from your code? (JS/TS, Python) |
Reachability
A CVE in a dependency you never call is not the same risk as one you call on every request. For JS/TS and Python, dpndncY builds a call graph from your source and checks whether the advisory’s vulnerable symbol is reachable. Reachable findings are prioritised; unreachable ones are surfaced but de-emphasised so you triage what matters first.
Signature / binary composition
Manifest-based SCA only sees what a lockfile declares. Vendored source, statically-linked C/C++, and repackaged archives carry no manifest but still carry known-vulnerable OSS. Signature analysis recovers those components by content fingerprint (file SHA-256, structural codeprints, fuzzy snippet shingles) and feeds them into the same correlation stack. See Signature / binary scan.
Run a scan
# scan a project directory
dpndncy scan ./my-app
# fail CI on policy violations
dpndncy scan ./my-app --policy default --fail-on high
# emit an SBOM alongside findings
dpndncy scan ./my-app --sbom cyclonedx > sbom.jsonOutputs
- SBOM — CycloneDX 1.5, SPDX
- Findings — SARIF 2.1.0, JSON, CSV, PDF
- Licenses — normalised SPDX IDs + obligations (attribution, copyleft scope, NOTICE)
See also
- SAST — the taint engine that powers reachability
- Attack-path graph — how reachable vulns map to entry points
- Dependency Firewall — block risky installs before they land
- CLI reference