Skip to main content

Code Analysis

note

EXPERIMENTAL: This feature is experimental and may introduce breaking changes.

vet has a code analysis framework built on top of tree-sitter parsers. The goal of this framework is to support multiple languages, source repositories (local and remote), and create a representation of code that can be analysed for common software supply chain security related use-cases such as

  • Identify shadow imports
  • Identify evidence of a dependency actually being used
  • Import reachability analysis
  • Function reachability analysis
danger

The code analysis framework is designed specifically to be simple, fast and not to be a full-fledged static analysis tool. It is currently in early stages of development and may not support all languages or maintain API compatibility.

Build a Code Analysis Databaseโ€‹

  • Analyse code and build a database for further analysis.
vet code --db /tmp/code.db \
--src /path/to/app \
--imports /virtualenvs/app/lib/python3.11/site-packages \
--lang python \
create-db

The above command does the following:

  • Uses Python as the language for parsing source code
  • Analyses application code recursively in /path/to/app
  • Analyses dependencies in /virtualenvs/app/lib/python3.11/site-packages
  • Creates a database at /tmp/code.db for further analysis

Manual Query Executionโ€‹

Use cayleygraph to query the database.

docker run -it -p 64210:64210 -v /tmp/code.db:/db cayleygraph/cayley -a /db -d bolt
  • Navigate to http://127.0.0.1:64210 in your browser

Query Examplesโ€‹

Dependency Graphโ€‹

Build dependency graph for your application

g.V().Tag("source").out("imports").Tag("target").all()

Dependency Graph

Import Reachabilityโ€‹

Check if a specific import is reachable in your application

g.V("app").followRecursive(g.M().out("imports")).is("six").all()
  • app is the application originating from app.py
  • six is a python module imported transitively

Query APIโ€‹

Refer to Gizmo Query Language for documentation on constructing custom queries.