Dependency Tree Dashboard
The Dependency Tree dashboard provides a detailed view of your open-source dependencies and their vulnerabilities. It maps the full application dependency tree, allowing you to:
View details about each dependency, including its version and usage
See which repositories are using a specific dependency
Understand how a repository uses a dependency and how that usage affects the severity of a reported problem
Direct and Indirect Dependencies
LFX Security identifies vulnerabilities in both direct and indirect dependencies.
Direct Dependencies: Packages your repository declares directly (for example, in its manifest file).
Deep (Indirect) Dependencies: Packages pulled in by your direct dependencies, and by their dependencies in turn. A vulnerability in any of them is reachable from your project even though you never declared that package yourself.
Example:
Your application uses package A.
Package A uses package B.
If package B is vulnerable, your project is vulnerable due to its indirect dependency on package B.
Understanding Your Dependency Tree
As an open-source developer, it's essential to understand your project's direct and indirect dependencies, including any security flaws that may exist in the dependency tree. LFX Security helps you:
Identify all paths through the dependency tree where a vulnerable dependency can be reached
Determine the vulnerability and its impact on your project
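The reachability described above (the "A uses B" case and the point about finding every path to a vulnerable dependency), as an added example in Python; this is illustration code, not LFX Security's own implementation. The dependency graph, package names and severities are constructed, and the graph goes slightly beyond the page's two-package case: it includes a diamond so that one vulnerable package is reachable along several paths, and the walk guards against cycles.

```python
"""Walk a dependency graph and enumerate every path from the application's
direct dependencies down to each vulnerable package.

Added example, not LFX Security's code. The graph and the vulnerability
list are constructed for illustration; real data would come from a
manifest or lockfile and a vulnerability database.
"""

from collections import defaultdict

# Constructed sample graph: package -> packages it depends on.
# Reproduces the page's "A uses B" case and adds C -> A and C -> D -> B,
# so B is reachable along three distinct paths.
DEP_GRAPH = {
    "app": ["A", "C"],   # direct dependencies of the application
    "A": ["B"],
    "C": ["A", "D"],
    "B": [],
    "D": ["B"],
}

# Constructed: packages with a known vulnerability and its severity.
VULNERABLE = {"B": "high", "D": "medium"}


def vulnerable_paths(graph, vulnerable, root="app"):
    """Return {vulnerable_pkg: [path, ...]} with every distinct path from
    root to that package. Each path is a list of package names starting
    at root. Because the "visited" check is per path rather than global,
    shared subtrees (diamonds) yield separate paths; cycles are cut."""
    results = defaultdict(list)

    def walk(node, path):
        for dep in graph.get(node, []):
            if dep in path:          # cycle guard, e.g. A -> ... -> A
                continue
            new_path = path + [dep]
            if dep in vulnerable:
                results[dep].append(new_path)
            walk(dep, new_path)      # keep going: deeper issues may exist

    walk(root, [root])
    return dict(results)


def classify(graph, vulnerable, root="app"):
    """For each reachable vulnerable package, report its severity, whether
    it is a direct dependency of root, the shortest depth at which it is
    reached, and every path. Direct means listed under root."""
    paths = vulnerable_paths(graph, vulnerable, root)
    direct = set(graph.get(root, []))
    report = {}
    for pkg, plist in paths.items():
        report[pkg] = {
            "severity": vulnerable[pkg],
            "direct": pkg in direct,
            "min_depth": min(len(p) - 1 for p in plist),
            "paths": [" -> ".join(p) for p in plist],
        }
    return report


if __name__ == "__main__":
    for pkg, info in classify(DEP_GRAPH, VULNERABLE).items():
        kind = "direct" if info["direct"] else "indirect"
        print(f"{pkg}: {info['severity']} ({kind}, depth {info['min_depth']})")
        for p in info["paths"]:
            print("   ", p)
```

Running the script lists B as an indirect, high-severity finding reached at depth 2 via three paths (app -> A -> B, app -> C -> A -> B, app -> C -> D -> B) and D as an indirect, medium-severity finding via app -> C -> D. Fixing only the direct dependency A would not remove B from the tree, which is why every path matters when you decide where to pin or upgrade.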
To view all dependencies, perform the following:
Select Dependency Tree from the top menu and click All Dependencies.
The dependencies of the repository are displayed in tree format. The tree is ordered by the number of dependencies, from most to least. Each item can have multiple sub-items; the first three levels are expanded by default.
Select a repository from the Repository drop-down list, or a manifest file from the Manifest drop-down list. Only the dependencies of the selected repository or manifest file within the selected project are shown.
Navigate the tree to identify vulnerable dependencies in the repository. Issues are grouped by manifest file; each manifest file lists its top-level dependencies and their child-level dependencies.
Each repository shows the number of issues it contains along with the criticality of each issue. Each criticality level is shown in a different color.
A View button is available at the deeper levels to check the issue details. The color of the button also indicates the criticality of the issue.
Click a license of interest to go to SPDX and find out more about that license. The SPDX License List entry includes the full name, the standardized short identifier, the vetted license text, and other information about the license.
You can also view only the vulnerable dependencies of a particular repository.
To view vulnerabilities only, perform the following steps:
Click Dependency Tree and select Vulnerabilities Only.
The vulnerabilities for the selected repository or manifest file are listed. The issue details are the same as described under All Dependencies.
Click the download icon to download the dependency CSV file.
An icon next to a dependency indicates that further issues exist in its child-level dependencies.
Click the download icon to download the vulnerabilities CSV file.