Investigate Dependencies in the Application Dependency Tree

Dependency Tree Dashboard

The Dependency Tree dashboard provides a detailed view of your open-source dependencies and their vulnerabilities. It maps the full application dependency tree, allowing you to:

  • View details about each dependency, including its version and usage

  • See which repositories are using a specific dependency

  • Understand how a repository uses a dependency and how that usage affects the severity level of a reported problem

Direct and Indirect Dependencies

LFX Security identifies vulnerabilities in both direct and indirect dependencies.

  • Direct Dependencies: Packages your repository declares directly, for example in its manifest file.

  • Deep (Indirect) Dependencies: Packages that your direct dependencies themselves depend on. A vulnerability in one of these is inherited by your project even though you never declared the package.

Example:

  • Your application uses package A.

  • Package A uses package B.

  • If package B is vulnerable, your project is vulnerable through its indirect dependency on package B, even though B does not appear in your manifest.

Understanding Your Dependency Tree

As an open-source developer, it is essential to understand your project's direct and indirect dependencies, including any security flaws that may exist anywhere in the dependency tree. LFX Security helps you:

  • Identify all paths through the dependency tree by which a vulnerable dependency can be reached, so you know which direct dependencies pull it in

  • Determine the vulnerability and its impact on your project
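The reachability question the two sections above describe (is package B a direct or an indirect dependency, and through which direct dependencies is it reached?) is easy to make concrete. The following is an added example written for this page, not code from LFX Security. The dependency map and the set of vulnerable packages are constructed, the map's shape is a simplification of a real lockfile, and all function names are hypothetical. It goes a little beyond the A/B example in the text by including a dependency cycle, which any real path enumeration has to guard against.

```python
"""Classify dependencies as direct or indirect and enumerate every path
from the application root to a vulnerable package (constructed example)."""

# Constructed dependency map: package -> packages it requires.
# The shape is hypothetical; real manifests/lockfiles differ in format.
DEPENDENCIES = {
    "my-app": ["A", "C"],   # direct dependencies of the application
    "A": ["B"],             # the text's example: A uses B
    "B": [],
    "C": ["A", "D"],
    "D": ["B", "C"],        # D -> C -> D is a deliberate cycle
}

# Constructed: packages a scanner has flagged as vulnerable.
VULNERABLE = {"B"}


def transitive_dependencies(graph, root):
    """Every package reachable from root, excluding root itself."""
    seen = set()
    stack = list(graph.get(root, []))
    while stack:
        pkg = stack.pop()
        if pkg in seen:          # the seen set also terminates cycles
            continue
        seen.add(pkg)
        stack.extend(graph.get(pkg, []))
    return seen


def classify(graph, root, pkg):
    """'direct', 'indirect' or 'unused' relative to root."""
    if pkg in graph.get(root, []):
        return "direct"
    if pkg in transitive_dependencies(graph, root):
        return "indirect"
    return "unused"


def paths_to(graph, root, target):
    """All simple paths root -> target, in depth-first order.
    A package already on the current path is skipped, so cycles such
    as D -> C -> D cannot recurse forever."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child in path:
                continue
            walk(child, path + [child])

    walk(root, [root])
    return paths


def vulnerable_paths(graph, root, vulnerable):
    """Map each reachable vulnerable package to every path that reaches it."""
    reachable = transitive_dependencies(graph, root)
    return {pkg: paths_to(graph, root, pkg)
            for pkg in sorted(vulnerable) if pkg in reachable}


def introducing_direct_dependencies(graph, root, target):
    """The direct dependencies that (transitively) pull in target; these
    are the packages you must upgrade or replace to remove it."""
    return sorted({path[1] for path in paths_to(graph, root, target)})


if __name__ == "__main__":
    for pkg, paths in vulnerable_paths(DEPENDENCIES, "my-app", VULNERABLE).items():
        print(f"{pkg} is {classify(DEPENDENCIES, 'my-app', pkg)}; reached via:")
        for path in paths:
            print("  " + " -> ".join(path))
        print("  introduced by direct deps:",
              introducing_direct_dependencies(DEPENDENCIES, "my-app", pkg))
```

Running it shows that B is reached by three paths (through A directly, and through C twice), so fixing the A pin alone would leave the C path open; that "which direct dependency introduces it" answer is what the dashboard's path view is for.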

All Dependencies

To view all dependencies, perform the following:

  1. Select Dependency Tree from the top menu and click All Dependencies.

A snapshot of repository dependencies in tree format is shown. The tree is ordered by the number of dependencies, from most to least. Each item can have multiple sub-items. The first three levels are shown by default.

  2. Select a repository from the Repository drop-down list, or select a manifest file from the Manifest drop-down list. Only the dependencies of the selected repository or manifest file of the selected project appear.

  3. Navigate the tree to identify vulnerable dependencies in the repository. Issues are grouped by manifest file; each manifest file lists its top-level dependencies and their child dependencies.

Each repository shows the number of issues in the repository along with the criticality of each issue. Each criticality level is shown in a different color.

At the deeper levels, a View button opens the issue details. The color of the button also indicates the criticality of the issue.

  4. Click a license of interest to go to SPDX and find out more about that license. The SPDX License List entry includes the license's full name, standardized short identifier, vetted license text, and other information about the license.

Vulnerability Details

You can also view only the vulnerability details for a particular repository.

To view only the vulnerability details, perform the following steps:

  1. Click Dependency Tree and select Vulnerabilities Only.

  2. The vulnerabilities for the selected repository or manifest file are listed. The remaining issue details are the same as those described under All Dependencies.


Copyright © 2022 The Linux Foundation®. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks.