Dependency Usage Identification

vet can identify dependency usage in your code using static code analysis. This is particularly useful when dealing with vulnerabilities, allowing you to prioritize only those dependencies you’ve actually used in your code.

Why Identify Dependency Usage?

Risk Prioritization

Focus security efforts on dependencies actually used in production code

Cleanup Opportunities

Identify and remove unused dependencies to reduce attack surface

Accurate Assessment

Get precise security posture by analyzing real dependency usage

Faster Remediation

Skip vulnerabilities in unused dependencies to speed up security fixes

Demo

Quick Start

Step 1: Create Code Analysis Database

Build a code analysis database with dependency usage evidence for source code:

vet code scan --app src --db /tmp/dump/vet-test.db

This command:

Analyzes all source code in the src directory
Extracts dependency usage patterns and import statements
Stores findings in a SQLite database for later use

Step 2: Enhanced Scanning

Perform a vet scan enriched with dependency usage evidence:

vet scan --code /tmp/dump/vet-test.db

The scan will now include:

Usage Evidence: Which dependencies are actually imported and used
Used-in-Code Tags: Clear indicators showing actual usage of libraries
Prioritized Results: Focus on dependencies with real usage

Advanced Usage Patterns

Language-Specific Analysis

Analyze specific programming languages:

# Python projects
vet code scan --app src --db python-analysis.db --lang python

# JavaScript/TypeScript projects  
vet code scan --app src --db js-analysis.db --lang javascript

# Multi-language projects
vet code scan --app src --db full-analysis.db  # Auto-detect all languages

Understanding the Results

Usage Evidence Types

The code analysis provides several types of evidence:

# Python example
import requests
from flask import Flask

These direct imports are tracked as usage evidence.

Tags and Annotations

In the scan results, you’ll see tags like:

used-in-code: Dependency is actually used in source code
imported: Module is imported but usage unclear
declared-only: Listed in manifest but no code usage found

Best Practices

Regular Updates

Environment Separation

Policy Design

Troubleshooting

No Usage Evidence Found

Database Size Issues

Performance Considerations

Code Analysis Guide

Learn more about vet’s code analysis capabilities

Policy as Code

Create policies that leverage usage information

vet Repository

Access complete documentation and examples

Tree-sitter Parsers

Learn about the parsing technology behind code analysis

Get Started

Concepts

Integration Guides

SBOM & Analysis

API & Automation

Advanced Usage

Why Identify Dependency Usage?

Risk Prioritization

Cleanup Opportunities

Accurate Assessment

Faster Remediation

Demo

Quick Start

Step 1: Create Code Analysis Database

Step 2: Enhanced Scanning

Advanced Usage Patterns

Language-Specific Analysis

Understanding the Results

Usage Evidence Types

Tags and Annotations

Best Practices

Troubleshooting

Code Analysis Guide

Policy as Code

vet Repository

Tree-sitter Parsers

Get Started

Concepts

Integration Guides

SBOM & Analysis

API & Automation

Advanced Usage

​Why Identify Dependency Usage?

Risk Prioritization

Cleanup Opportunities

Accurate Assessment

Faster Remediation

​Demo

​Quick Start

​Step 1: Create Code Analysis Database

​Step 2: Enhanced Scanning

​Advanced Usage Patterns

​Language-Specific Analysis

​Understanding the Results

​Usage Evidence Types

​Tags and Annotations

​Best Practices

​Troubleshooting

Code Analysis Guide

Policy as Code

vet Repository

Tree-sitter Parsers

Why Identify Dependency Usage?

Demo

Quick Start

Step 1: Create Code Analysis Database

Step 2: Enhanced Scanning

Advanced Usage Patterns

Language-Specific Analysis

Understanding the Results

Usage Evidence Types

Tags and Annotations

Best Practices

Troubleshooting