Dependency Usage Identification
Identify which dependencies are actually used in your code using static code analysis
vet can identify dependency usage in your code using static code analysis. This is particularly useful when dealing with vulnerabilities, allowing you to prioritize only those dependencies you’ve actually used in your code.
Why Identify Dependency Usage?
Risk Prioritization
Focus security efforts on dependencies actually used in production code
Cleanup Opportunities
Identify and remove unused dependencies to reduce attack surface
Accurate Assessment
Get precise security posture by analyzing real dependency usage
Faster Remediation
Skip vulnerabilities in unused dependencies to speed up security fixes
Quick Start
Step 1: Create Code Analysis Database
Build a code analysis database with dependency usage evidence for source code:
This command:
- Analyzes all source code in the src directory
- Extracts dependency usage patterns and import statements
- Stores findings in a SQLite database for later use
Step 2: Enhanced Scanning
Perform a vet scan enriched with dependency usage evidence:
The scan will now include:
- Usage Evidence: Which dependencies are actually imported and used
- Used-in-Code Tags: Clear indicators showing actual usage of libraries
- Prioritized Results: Focus on dependencies with real usage
Advanced Usage Patterns
Language-Specific Analysis
Analyze specific programming languages:
Understanding the Results
Usage Evidence Types
The code analysis provides several types of evidence:
- Direct imports are tracked as usage evidence.
- Actual usage of imported modules is recorded.
- References to specific classes and methods are tracked.
Tags and Annotations
In the scan results, you’ll see tags like:
- used-in-code: Dependency is actually used in source code
- imported: Module is imported but usage unclear
- declared-only: Listed in manifest but no code usage found
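To make the evidence types and the three tags above concrete, here is an added example (not vet's own code, and not a description of its internals) that performs the same kind of classification on Python sources with the standard-library ast module. The manifest, the distribution-to-import-name mapping, and the source files are constructed for the illustration; one file is deliberately unparsable to show that a single broken file should not abort the analysis.

```python
import ast

# Constructed manifest, as distribution names would appear in requirements.txt.
MANIFEST = ["requests", "PyYAML", "cryptography", "left-pad-py"]

# Distribution name -> top-level import name. Constructed for the sample; a
# real implementation would read package metadata (e.g. top_level.txt) instead.
IMPORT_NAME = {
    "requests": "requests",
    "PyYAML": "yaml",
    "cryptography": "cryptography",
    "left-pad-py": "leftpad",
}

# Constructed sources: path -> contents. legacy.py is deliberately unparsable
# to show that one broken file must not abort the whole analysis.
SOURCES = {
    "src/app.py": (
        "import requests\n"
        "import yaml\n"
        "from cryptography.fernet import Fernet\n"
        "\n"
        "def load(url):\n"
        "    return requests.get(url).json()\n"
        "\n"
        "def encrypt(key, data):\n"
        "    return Fernet(key).encrypt(data)\n"
    ),
    "src/legacy.py": "def broken(:\n    pass\n",
}


class UsageVisitor(ast.NodeVisitor):
    """Records which top-level modules a file imports and which of the
    imported names are referenced later (attribute access, calls, ...)."""

    def __init__(self):
        self.imported = {}       # local binding -> top-level module name
        self.referenced = set()  # local names loaded anywhere in the file

    def visit_Import(self, node):
        for alias in node.names:
            # `import a.b` binds `a`; `import a.b as c` binds `c`
            local = alias.asname or alias.name.split(".")[0]
            self.imported[local] = alias.name.split(".")[0]

    def visit_ImportFrom(self, node):
        if node.module and node.level == 0:  # relative imports are not dependencies
            top = node.module.split(".")[0]
            for alias in node.names:
                self.imported[alias.asname or alias.name] = top

    def visit_Name(self, node):
        if isinstance(node.ctx, ast.Load):
            self.referenced.add(node.id)


def collect_evidence(sources):
    """Returns (imported_modules, used_modules, skipped_files)."""
    imported, used, skipped = set(), set(), []
    for path, text in sources.items():
        try:
            tree = ast.parse(text, filename=path)
        except SyntaxError:
            skipped.append(path)  # report, but keep going for the other files
            continue
        v = UsageVisitor()
        v.visit(tree)
        imported.update(v.imported.values())
        # "used" means an imported binding is loaded somewhere after the import
        used.update(mod for local, mod in v.imported.items() if local in v.referenced)
    return imported, used, skipped


def tag_dependencies(manifest, sources, import_name=IMPORT_NAME):
    """Maps each declared dependency to used-in-code / imported / declared-only."""
    imported, used, _ = collect_evidence(sources)
    tags = {}
    for dist in manifest:
        # Fallback guess when the mapping has no entry: normalise the dist name.
        mod = import_name.get(dist, dist.replace("-", "_").lower())
        if mod in used:
            tags[dist] = "used-in-code"
        elif mod in imported:
            tags[dist] = "imported"
        else:
            tags[dist] = "declared-only"
    return tags


if __name__ == "__main__":
    for dist, tag in tag_dependencies(MANIFEST, SOURCES).items():
        print(f"{dist:15} {tag}")
```

With the sample sources, requests and cryptography are referenced after their import and become used-in-code, PyYAML is imported but never touched and becomes imported, and left-pad-py never appears in code and becomes declared-only. The distribution-name mapping is the part that is easy to get wrong in practice: without it, PyYAML would be misreported as declared-only because nothing imports a module called `pyyaml`.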
Best Practices
Regular Updates
Rebuild code analysis databases when:
- Source code changes significantly
- New dependencies are added
- Major refactoring occurs
Environment Separation
Create separate analyses for different environments:
Policy Design
Design policies that leverage usage information:
- Prioritize used dependencies for security fixes
- Allow more lenient policies for unused dependencies
- Focus on critical paths and core functionality
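As an added example of a policy shaped this way (this is the editor's illustration, not a vet policy or its filter syntax), the gate below applies a stricter severity threshold to used-in-code dependencies than to merely imported ones, only warns on declared-only ones, and orders remediation by severity weighted by usage. The findings list and its field names are constructed for the example and are not vet's report format.

```python
# Severity and usage ranks; the tag names match the ones described on this page.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}
TAG_RANK = {"used-in-code": 3, "imported": 2, "declared-only": 1}

# Gate thresholds per usage tag: fail the build when a dependency with this tag
# has a vulnerability at or above the listed severity; None means warn only.
FAIL_AT = {"used-in-code": "HIGH", "imported": "CRITICAL", "declared-only": None}

# Constructed findings in a shape this example defines: one record per
# vulnerable package with its usage tag and its worst severity.
FINDINGS = [
    {"package": "requests", "tag": "used-in-code", "severity": "HIGH"},
    {"package": "PyYAML", "tag": "imported", "severity": "HIGH"},
    {"package": "left-pad-py", "tag": "declared-only", "severity": "CRITICAL"},
    {"package": "cryptography", "tag": "used-in-code", "severity": "LOW"},
]


def usage_tag(finding):
    """A record with no (or an unknown) usage tag is treated as used: fail
    closed rather than relax the gate because analysis was incomplete."""
    tag = finding.get("tag")
    return tag if tag in TAG_RANK else "used-in-code"


def priority(finding):
    """Higher means fix first: severity weighted by how much the code uses it."""
    return SEVERITY_RANK.get(finding["severity"], 0) * TAG_RANK[usage_tag(finding)]


def evaluate(findings):
    """Returns (passed, failures, warnings, remediation_order)."""
    failures, warnings = [], []
    for f in findings:
        threshold = FAIL_AT[usage_tag(f)]
        sev = SEVERITY_RANK.get(f["severity"], 0)
        if threshold is not None and sev >= SEVERITY_RANK[threshold]:
            failures.append(f["package"])
        else:
            warnings.append(f["package"])
    order = sorted(
        findings,
        key=lambda f: (priority(f), SEVERITY_RANK.get(f["severity"], 0)),
        reverse=True,
    )
    return not failures, failures, warnings, [f["package"] for f in order]


if __name__ == "__main__":
    passed, failures, warnings, order = evaluate(FINDINGS)
    print("passed:", passed, "failures:", failures, "warnings:", warnings)
    print("fix in this order:", order)
```

With the sample data only requests fails the gate: it is used in code and carries a HIGH finding. PyYAML has the same severity but is only imported, so it is reported rather than blocking, and the CRITICAL finding in left-pad-py is a warning because nothing uses it. Treating a missing tag as used-in-code is deliberate; the opposite default would let an incomplete analysis silently weaken the policy.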
Troubleshooting
No Usage Evidence Found
If no usage evidence is detected:
- Verify the source code path is correct
- Check that the programming language is supported
- Ensure import statements follow standard conventions
Database Size Issues
For large codebases:
- Analyze specific directories instead of entire projects
- Clean up old analysis databases regularly
- Consider using separate databases for different components
Performance Considerations
Code analysis adds processing time:
- Cache analysis databases between builds
- Run analysis incrementally when possible
- Consider the trade-off between accuracy and speed
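The "rebuild when the source changes" advice under Regular Updates and the "cache analysis databases between builds" advice here can be combined into one CI step. The following added example (the editor's illustration, not vet's own code) keys the cached database on a content hash of the source tree and rebuilds only when that hash changes. The vet command line it runs is an assumption based on the vet documentation as the editor recalls it; confirm the exact flags against `vet code create-db --help` before using it. The demo function substitutes a stub builder for vet so the logic can be exercised offline.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path


def source_tree_hash(src, suffixes=(".py",)):
    """Content hash over every matching file, in relative-path order, so the
    result is stable across machines and changes when any file changes."""
    root = Path(src)
    h = hashlib.sha256()
    files = sorted(p for p in root.rglob("*") if p.is_file() and p.suffix in suffixes)
    for p in files:
        h.update(p.relative_to(root).as_posix().encode())
        h.update(b"\0")
        h.update(p.read_bytes())
        h.update(b"\0")
    return h.hexdigest()


def run_vet_create_db(src, db, lang):
    """Assumed vet invocation (see lead-in); verify with `vet code create-db --help`."""
    subprocess.run(
        ["vet", "code", "create-db", "--app", str(src), "--db", str(db), "--lang", lang],
        check=True,
    )


def ensure_code_db(src, db, lang, builder=run_vet_create_db):
    """Rebuilds the database only when the source hash stored beside it is
    stale. Returns "cached" or "rebuilt"."""
    db = Path(db)
    stamp = db.with_name(db.name + ".srchash")
    current = source_tree_hash(src)
    if db.exists() and stamp.exists() and stamp.read_text().strip() == current:
        return "cached"
    builder(src, db, lang)
    if not db.exists():
        raise RuntimeError(f"builder did not produce {db}")
    # Write the stamp only after a successful build, so a failed run never
    # leaves an old database looking fresh.
    stamp.write_text(current + "\n")
    return "rebuilt"


def demo():
    """Runs the cache logic against a constructed source tree with a stub
    builder standing in for vet; returns the sequence of outcomes."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        src.mkdir()
        (src / "app.py").write_text("import requests\n")
        db = Path(tmp) / "code.db"

        def stub_builder(s, d, lang):  # stands in for vet; just creates the file
            Path(d).write_text("stub database\n")

        results.append(ensure_code_db(src, db, "python", builder=stub_builder))
        results.append(ensure_code_db(src, db, "python", builder=stub_builder))
        (src / "app.py").write_text("import requests\nimport yaml\n")  # source changed
        results.append(ensure_code_db(src, db, "python", builder=stub_builder))
    return results


if __name__ == "__main__":
    print(demo())  # ["rebuilt", "cached", "rebuilt"]
```

In CI, persist both the database and its `.srchash` stamp in the build cache; hashing content rather than trusting file timestamps matters because a fresh checkout gives every file a new mtime and would otherwise force a rebuild on every run. The suffix filter is a deliberate trade-off between accuracy and speed: narrowing it to the analysed language keeps the hash cheap, at the cost of not noticing changes in other file types.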