Code Analysis
Analyze code and dependency usage patterns with vet’s code analysis features
EXPERIMENTAL: This feature is experimental and may introduce breaking changes.
vet uses a code analysis framework built on top of tree-sitter parsers. The framework is designed to support multiple languages and source repositories (local and remote) and to report its findings. vet stores these findings in a code analysis database, which is then used to enrich and analyze manifests during scanning.
Build a Code Analysis Database
Analyze code and build a SQLite database for further analysis. This is a prerequisite for enabling the code analysis features of vet scan.
What This Command Does
Code Analysis
Uses the code analysis framework to analyze application code recursively under the specified directory
Language Support
Supports multiple languages; omit --lang to analyze all supported languages
Database Creation
Creates a SQLite database with reported findings for later use
Tree-sitter Powered
Uses tree-sitter parsers for accurate code parsing and analysis
Supported Languages
The code analysis framework supports multiple programming languages through tree-sitter parsers:
- Python
- JavaScript/TypeScript
- Java
- Go
- And more…
Omit the --lang parameter to enable analysis of all supported languages automatically.
Scan with Dependency Usage Analysis
To enable the code analysis features of vet scan, pass the path of the code analysis database with the --code flag.
Dependency usage analysis is the core feature of this integration and is enabled by default whenever a code database is supplied.
Enhanced Scanning Features
When a code database is supplied, vet scan provides:
- Manifest Analysis: Analyzes package manifests in the specified directory
- Usage Enrichment: Uses the code analysis database to enrich packages with dependency usage data
- Evidence-Based Results: Shows a scan summary with usage evidence and used-in-code tags that prove a library is actually imported by the code
Practical Example
Here’s a complete workflow for analyzing a Python project:
Analyze Code
Build the code analysis database for your Python project:
Enhanced Scan
Run vet scan with code analysis integration:
Review Results
Check the scan results for:
- Dependencies actually used in code vs. declared
- Unused dependencies that could be removed
- Usage patterns and import analysis
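The three steps above as one script, added here as an example; it is not vet's own code and was not part of the original page. The page documents only the --lang and --code flags. The `vet code scan --app DIR --db FILE` form for building the database and the `-D` directory flag of `vet scan` are assumed from vet's CLI, and the project and database paths are placeholders. Between the two steps the script checks that the build actually produced a SQLite file, because a missing or empty --code target cannot contribute any usage evidence to the scan.

```shell
#!/usr/bin/env sh
# Added example, not vet's own code. Flags documented on the page: --lang, --code.
# Assumed from vet's CLI (not shown on the page): `vet code scan --app DIR --db FILE`
# builds the database and `vet scan -D DIR` selects the directory to scan.
set -eu

VET="${VET:-vet}"                                 # binary to invoke (overridable for dry runs)
APP_DIR="${APP_DIR:-./my-python-app}"             # placeholder project path
CODE_DB="${CODE_DB:-/tmp/my-python-app-code.db}"  # placeholder database path

# Step 1: build the code analysis database. An empty third argument omits
# --lang, which makes vet analyze every supported language.
build_code_db() {  # app_dir db_path [lang]
  if [ -n "${3:-}" ]; then
    "$VET" code scan --app "$1" --db "$2" --lang "$3"
  else
    "$VET" code scan --app "$1" --db "$2"
  fi
}

# Step 2: scan the manifests and enrich them with usage evidence from the database.
enriched_scan() {  # app_dir db_path
  "$VET" scan -D "$1" --code "$2"
}

# Check between the steps: refuse to scan against a file that is not a SQLite
# database (missing, empty, or truncated), since no usage evidence could come from it.
# Every SQLite database file starts with the 15-byte header "SQLite format 3".
is_sqlite_db() {  # path
  [ -s "$1" ] || return 1
  [ "$(head -c 15 "$1" 2>/dev/null)" = "SQLite format 3" ]
}

main() {
  command -v "$VET" >/dev/null 2>&1 || { echo "vet not found in PATH" >&2; exit 1; }
  build_code_db "$APP_DIR" "$CODE_DB" python
  is_sqlite_db "$CODE_DB" || { echo "no code database at $CODE_DB" >&2; exit 1; }
  enriched_scan "$APP_DIR" "$CODE_DB"
}

# Run only when invoked as `sh example.sh --run`, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Setting VET=echo prints the two command lines instead of running them, which is a cheap way to review exactly what a CI job will execute before wiring it in.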
Benefits of Code Analysis
Accurate Risk Assessment
By identifying which dependencies are actually used in your code, you can:
- Prioritize security fixes for actively used packages
- Deprioritize vulnerabilities in dependencies that are declared but never imported, after confirming they are not pulled in some other way (for example by install-time hooks)
- Make informed decisions about dependency removal
Dependency Optimization
Code analysis helps identify:
- Unused Dependencies: Packages declared but never imported
- Over-declared Dependencies: Libraries with minimal usage
- Missing Dependencies: Code imports without corresponding declarations
Supply Chain Insights
Enhanced visibility into:
- How dependencies are used throughout your codebase
- Which functions/modules are imported from each package
- Dependency usage patterns and trends
Advanced Usage
Multi-language Projects
For projects with multiple languages, run the analysis without the --lang flag:
Custom Database Locations
Organize analysis databases by project or environment:
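An added example covering both advanced cases above, multi-language projects and custom database locations; it is not vet's own code and was not part of the original page. As before, only --lang and --code appear on the page, so the `vet code scan --app DIR --db FILE` form and the `-D` flag of `vet scan` are assumed from vet's CLI. The per-environment directory layout under ~/.cache/vet/code-db is a convention of this script, not of vet. It omits --lang so every supported language is analyzed, and it rebuilds a project's database whenever a source file is newer than it, since the database is a snapshot of the code at the time it was built.

```shell
#!/usr/bin/env sh
# Added example, not vet's own code. Only --lang and --code are documented on the page;
# --app/--db for `vet code scan` and -D for `vet scan` are assumed from vet's CLI.
set -eu

# Layout chosen by this script (not a vet convention): $ROOT/<env>/<project>.db
VET_CODE_DB_ROOT="${VET_CODE_DB_ROOT:-${HOME:-/tmp}/.cache/vet/code-db}"

# Database path for one project in one environment, e.g. .../staging/payments.db
db_path_for() {  # root env project_dir
  printf '%s/%s/%s.db' "$1" "$2" "$(basename "$3")"
}

# The database is a snapshot: treat it as stale when it is missing or when any file
# under the project has been modified since the database was written.
db_is_stale() {  # db_path project_dir
  [ -f "$1" ] || return 0
  [ -n "$(find "$2" -type f -newer "$1" | head -n 1)" ]
}

# Multi-language project: no --lang, so every supported language is analyzed.
# The database is rebuilt only when stale, then the enriched scan runs against it.
analyze_project() {  # env project_dir
  db=$(db_path_for "$VET_CODE_DB_ROOT" "$1" "$2")
  mkdir -p "$(dirname "$db")"
  if db_is_stale "$db" "$2"; then
    vet code scan --app "$2" --db "$db"
  fi
  vet scan -D "$2" --code "$db"
}

# Usage: sh example.sh --run staging /srv/apps/payments /srv/apps/web
if [ "${1:-}" = "--run" ]; then
  shift
  env_name="${1:?environment name required}"; shift
  command -v vet >/dev/null 2>&1 || { echo "vet not found in PATH" >&2; exit 1; }
  for project in "$@"; do
    analyze_project "$env_name" "$project"
  done
fi
```

Keeping one database per project and environment means a scan of the staging tree never reads usage evidence collected from a different checkout, and the staleness check keeps a cached database from masking dependencies that newer code started importing.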