Code Analysis
EXPERIMENTAL: This feature is experimental and may introduce breaking changes.
vet has a code analysis framework built on top of tree-sitter parsers. The goal of this framework is to support multiple languages and source repositories (local and remote), and to create a representation of code that can be analysed for common software supply chain security use-cases such as
- Identify shadow imports
- Identify evidence of a dependency actually being used
- Import reachability analysis
- Function reachability analysis
The code analysis framework is designed specifically to be simple, fast and not to be a full-fledged static analysis tool. It is currently in early stages of development and may not support all languages or maintain API compatibility.
Build a Code Analysis Database
- Analyse code and build a database for further analysis.
vet code --db /tmp/code.db \
--src /path/to/app \
--imports /virtualenvs/app/lib/python3.11/site-packages \
--lang python \
create-db
The above command does the following:
- Uses Python as the language for parsing source code
- Analyses application code recursively in /path/to/app
- Analyses dependencies in /virtualenvs/app/lib/python3.11/site-packages
- Creates a database at /tmp/code.db for further analysis
Manual Query Execution
Use cayleygraph to query the database.
docker run -it -p 64210:64210 -v /tmp/code.db:/db cayleygraph/cayley -a /db -d bolt
- Navigate to http://127.0.0.1:64210 in your browser
Query Examples
Dependency Graph
Build dependency graph for your application
g.V().Tag("source").out("imports").Tag("target").all()
Import Reachability
Check if a specific import is reachable in your application
g.V("app").followRecursive(g.M().out("imports")).is("six").all()
- app is the application node originating from app.py
- six is a Python module imported transitively
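To make the semantics of the two queries above concrete, here is an added example (not vet's or Cayley's own code) that models the "imports" edges a code database holds as in-memory quads and computes, in plain JavaScript, what each Gizmo query returns: the direct dependency graph, the transitive import set, and the reachability check. The module names and the import cycle are constructed sample data, not real analysis output.

```javascript
// Constructed sample quads [subject, predicate, object]; only "imports" edges are used.
const QUADS = [
  ["app", "imports", "requests"],     // app.py imports requests
  ["app", "imports", "yaml"],         // app.py imports PyYAML's yaml module
  ["requests", "imports", "urllib3"],
  ["requests", "imports", "six"],     // six is reached transitively from app
  ["urllib3", "imports", "six"],
  ["six", "imports", "requests"],     // constructed import cycle: the walk must not loop forever
  ["flask", "imports", "werkzeug"],   // installed, but never imported by the application
];

// Mirrors g.V().Tag("source").out("imports").Tag("target").all():
// every direct (source, target) import pair in the database.
function dependencyGraph(quads = QUADS) {
  return quads
    .filter(([, predicate]) => predicate === "imports")
    .map(([source, , target]) => ({ source, target }));
}

// Mirrors g.V(start).followRecursive(g.M().out("imports")).all():
// every module reachable from `start` through one or more import edges.
// A visited set handles import cycles, which are common in real packages.
function transitiveImports(start, quads = QUADS) {
  const edges = dependencyGraph(quads);
  const seen = new Set();
  const stack = [start];
  while (stack.length > 0) {
    const node = stack.pop();
    for (const { source, target } of edges) {
      if (source === node && !seen.has(target)) {
        seen.add(target);
        stack.push(target);
      }
    }
  }
  return seen;
}

// Mirrors adding .is(target) to the recursive query: does `start` reach `target`?
// For start = "app" this is the "evidence of a dependency actually being used" check.
function isImportReachable(start, target, quads = QUADS) {
  return transitiveImports(start, quads).has(target);
}

// Installed modules that no import path from `start` reaches (candidates for unused dependencies).
function unreachableModules(start, quads = QUADS) {
  const reached = transitiveImports(start, quads);
  const allModules = new Set(quads.flatMap(([s, , o]) => [s, o]));
  return [...allModules].filter((m) => m !== start && !reached.has(m)).sort();
}
```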
Query API
Refer to Gizmo Query Language for documentation on constructing custom queries.