Code Analysis
EXPERIMENTAL: This feature is experimental and may introduce breaking changes.
vet has a code analysis framework built on top of tree-sitter parsers. The goal
of this framework is to support multiple languages, source repositories (local and remote),
and create a representation of code that can be analysed for common software
supply chain security related use-cases such as
- Identify shadowed imports
- Identify evidence of a dependency actually being used
- Import reachability analysis
- Function reachability analysis
The code analysis framework is designed specifically to be simple, fast and not to be a full-fledged static analysis tool. It is currently in early stages of development and may not support all languages or maintain API compatibility.
Build a Code Analysis Databaseβ
- Analyse code and build a database for further analysis.
vet code --db /tmp/code.db \
--src /path/to/app \
--imports /virtualenvs/app/lib/python3.11/site-packages \
--lang python \
create-db
The above command does the following:
- Uses Python as the language for parsing source code
- Analyses application code recursively in
/path/to/app - Analyses dependencies in
/virtualenvs/app/lib/python3.11/site-packages - Creates a database at
/tmp/code.dbfor further analysis
Manual Query Executionβ
Use cayleygraph to query the database.
docker run -it -p 64210:64210 -v /tmp/code.db:/db cayleygraph/cayley -a /db -d bolt
- Navigate to
http://127.0.0.1:64210in your browser
Query Examplesβ
Dependency Graphβ
Build dependency graph for your application
g.V().Tag("source").out("imports").Tag("target").all()
Import Reachabilityβ
Check if a specific import is reachable in your application
g.V("app").followRecursive(g.M().out("imports")).is("six").all()
appis the application originating fromapp.pysixis a python module imported transitively
Query APIβ
Refer to Gizmo Query Language for documentation on constructing custom queries.