dpndncY

Software Composition Analysis

dpndncY resolves your direct and transitive dependencies across 30+ ecosystems, correlates each component against OSV / NVD / GHSA, and ranks findings by real exploitability — KEV, EPSS, ExploitDB, and code-level reachability — instead of raw CVE count. Where there is no manifest to read, it identifies components by binary/source signature.

How resolution works

SCA runs in three stages: discovery, resolution, and correlation.

  • Discovery walks the project (skipping node_modules, .git, build output, vendored caches) and identifies every manifest and lockfile it understands.
  • Resolution is lockfile-first: when a lockfile is present, dpndncY reads the exact pinned graph — direct + transitive, with resolved versions and integrity hashes. When only a manifest exists, it resolves direct dependencies and best-effort transitives (for Maven it can shell out to mvn dependency:tree for an exact graph).
  • Correlation matches every resolved component (by purl) against the advisory and exploit-signal stack, then scores it.
Lockfiles give you the truth
Commit your lockfile. With a lockfile, version capture is ~100% and the transitive graph is exact. Without one, transitive coverage depends on the ecosystem’s resolver.

Supported ecosystems

Language / platformManagers & lockfiles
JavaScript / TypeScriptnpm, Yarn, pnpm, Lerna (package-lock.json, yarn.lock, pnpm-lock.yaml)
Pythonpip, Pipenv, Poetry, Conda (requirements.txt, Pipfile.lock, poetry.lock, environment.yml)
JVMMaven, Gradle, Apache Ivy, SBT
.NETNuGet (packages.lock.json, .csproj/.fsproj/.vbproj, project.assets.json)
PHPComposer / Packagist, PEAR
GoGo Modules, Go Dep, Go Vendor (go.sum, Gopkg.lock, vendor/modules.txt)
RustCargo (Cargo.lock)
AppleCocoaPods, Carthage, Swift PM, Xcode (.pbxproj)
C / C++Conan, vcpkg, Bazel, CMake
RubyRubyGems (Gemfile.lock)
OthersPerl (CPAN), R (CRAN), Dart (Pub), Erlang/Elixir (Hex, rebar), OCaml (OPAM), Yocto (BitBake)

The exploitability signal stack

Every vulnerable component is enriched with the same signals the firewall and decision engine use:

SignalSourceAnswers
Advisory matchOSV · NVD · GHSAIs there a known CVE/advisory for this version?
CVSSNVDHow severe is it in the abstract?
EPSSFIRST.orgProbability it is exploited in the next 30 days
KEVCISAIs it known to be exploited in the wild?
ExploitDBExploit-DBIs there public exploit code?
ReachabilitydpndncY SASTIs the vulnerable symbol actually called from your code? (JS/TS, Python)

Reachability

A CVE in a dependency you never call is not the same risk as one you call on every request. For JS/TS and Python, dpndncY builds a call graph from your source and checks whether the advisory’s vulnerable symbol is reachable. Reachable findings are prioritised; unreachable ones are surfaced but de-emphasised so you triage what matters first.

Signature / binary composition

Manifest-based SCA only sees what a lockfile declares. Vendored source, statically-linked C/C++, and repackaged archives carry no manifest but still carry known-vulnerable OSS. Signature analysis recovers those components by content fingerprint (file SHA-256, structural codeprints, fuzzy snippet shingles) and feeds them into the same correlation stack. See Signature / binary scan.

Run a scan

CLI
# scan a project directory
dpndncy scan ./my-app

# fail CI on policy violations
dpndncy scan ./my-app --policy default --fail-on high

# emit an SBOM alongside findings
dpndncy scan ./my-app --sbom cyclonedx > sbom.json

Outputs

  • SBOM — CycloneDX 1.5, SPDX
  • Findings — SARIF 2.1.0, JSON, CSV, PDF
  • Licenses — normalised SPDX IDs + obligations (attribution, copyleft scope, NOTICE)
Advisory coverage varies by ecosystem
npm, PyPI, Maven, RubyGems, Go, Composer, Cargo, and Pub have deep OSV/GHSA coverage. Niche ecosystems (Swift PM, CRAN, CPAN, Conda) parse and resolve correctly but have far fewer published advisories — fewer findings there reflects the advisory ecosystem, not a parser gap.

See also