vet can identify dependency usage in your code using static code analysis. This is particularly useful when dealing with vulnerabilities, because it lets you prioritize the dependencies your code actually uses over those that are merely declared in a manifest.

Why Identify Dependency Usage?

  • Risk Prioritization: Focus security efforts on dependencies actually used in production code
  • Cleanup Opportunities: Identify and remove unused dependencies to reduce attack surface
  • Accurate Assessment: Get a precise security posture by analyzing real dependency usage
  • Faster Remediation: Deprioritize vulnerabilities in dependencies that show no usage evidence, so fixes land first where they matter

Treat "no usage evidence" as a prioritization signal rather than proof: static analysis cannot see a dependency that is loaded through a non-literal dynamic import, a plugin or entry-point mechanism, or code written in a language it does not analyze, and an unused vulnerable dependency still ships in your artifact until it is actually removed.

Quick Start

Step 1: Create Code Analysis Database

Build a code analysis database that records dependency usage evidence for your source code:

vet code scan --app src --db /tmp/dump/vet-test.db

This command:

  • Analyzes all source code in the src directory
  • Extracts dependency usage patterns and import statements
  • Stores findings in a SQLite database for later use

Step 2: Enhanced Scanning

Perform a vet scan enriched with dependency usage evidence:

vet scan --code /tmp/dump/vet-test.db

The scan will now include:

  • Usage Evidence: Which dependencies are actually imported and used
  • Used-in-Code Tags: Clear indicators showing actual usage of libraries
  • Prioritized Results: Focus on dependencies with real usage

Advanced Usage Patterns

Language-Specific Analysis

Analyze specific programming languages:

# Python projects
vet code scan --app src --db python-analysis.db --lang python

# JavaScript/TypeScript projects  
vet code scan --app src --db js-analysis.db --lang javascript

# Multi-language projects
vet code scan --app src --db full-analysis.db  # Auto-detect all languages

Understanding the Results

Usage Evidence Types

The evidence comes from import statements found in the scanned sources. For example, in Python:

# Python example
import requests
from flask import Flask

Each of these direct imports is recorded as usage evidence and attributed to the package that provides the imported module (requests and Flask here).

Tags and Annotations

In the scan results, you’ll see tags like:

  • used-in-code: Dependency is actually used in source code
  • imported: Module is imported but usage unclear
  • declared-only: Listed in manifest but no code usage found
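As an added illustration of how import statements become usage evidence and then tags, the following Python script is not vet's implementation and not taken from the vet docs. It walks Python sources with the standard library ast module, records which imported names are actually read later in the file, treats relative imports as project-internal code, notices literal importlib.import_module("...") and __import__("...") calls, and tags each entry of a requirements-style manifest with the three tags listed above. The IMPORT_NAME_OVERRIDES table, the sample manifest and the sample source are constructed for this example, and the "imported" versus "used-in-code" distinction (bound by an import but never read, versus bound and read) is this script's own rule, not necessarily the one vet applies.

```python
import ast

# Assumption: hand-written table for packages whose import name differs from the
# distribution name; a real tool derives this from installed package metadata.
IMPORT_NAME_OVERRIDES = {"pyyaml": "yaml", "pillow": "PIL", "beautifulsoup4": "bs4"}

def import_name_for(dist_name: str) -> str:
    key = dist_name.lower()
    return IMPORT_NAME_OVERRIDES.get(key, key.replace("-", "_"))

def parse_requirements(text: str) -> set[str]:
    """Return distribution names from requirements.txt-style text."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or option line (-r, -e)
            continue
        for sep in ("[", "==", ">=", "<=", "~=", "!=", ">", "<", ";"):
            line = line.split(sep, 1)[0]  # drop extras, version specifiers, markers
        names.add(line.strip())
    return names

class _ImportVisitor(ast.NodeVisitor):
    def __init__(self):
        self.bindings = {}       # local name -> top-level module it came from
        self.referenced = set()  # names read (Load context) anywhere in the file
        self.dynamic = set()     # importlib.import_module("x") / __import__("x") literals

    def visit_Import(self, node):
        for alias in node.names:
            top = alias.name.split(".")[0]
            self.bindings[alias.asname or top] = top

    def visit_ImportFrom(self, node):
        if node.level or node.module is None:  # relative import: project code, not a dependency
            return
        top = node.module.split(".")[0]
        for alias in node.names:  # "from x import *" binds "*", which is never read
            self.bindings[alias.asname or alias.name] = top

    def visit_Name(self, node):
        if isinstance(node.ctx, ast.Load):
            self.referenced.add(node.id)

    def visit_Call(self, node):
        fn, arg = node.func, (node.args[0] if node.args else None)
        by_attr = isinstance(fn, ast.Attribute) and fn.attr == "import_module"
        by_name = isinstance(fn, ast.Name) and fn.id == "__import__"
        if (by_attr or by_name) and isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            self.dynamic.add(arg.value.split(".")[0])
        self.generic_visit(node)  # keep walking so names inside the call count as read

def collect_evidence(sources: dict[str, str]) -> dict[str, set[str]]:
    """Map top-level module -> evidence kinds ("used", "imported", "dynamic") across all files."""
    evidence = {}
    for path, code in sources.items():
        v = _ImportVisitor()
        v.visit(ast.parse(code, filename=path))
        for local, top in v.bindings.items():
            evidence.setdefault(top, set()).add("used" if local in v.referenced else "imported")
        for top in v.dynamic:
            evidence.setdefault(top, set()).add("dynamic")
    return evidence

def tag_packages(manifest: str, sources: dict[str, str]) -> dict[str, str]:
    """Tag each declared package with the strongest evidence found for it."""
    evidence, tags = collect_evidence(sources), {}
    for dist in parse_requirements(manifest):
        kinds = evidence.get(import_name_for(dist), set())
        if "used" in kinds:
            tags[dist] = "used-in-code"
        elif kinds:  # bound but never read, or only reached through a literal dynamic import
            tags[dist] = "imported"
        else:
            tags[dist] = "declared-only"
    return tags

# Constructed sample manifest and source (not taken from any real project).
SAMPLE_MANIFEST = """
requests>=2.31
Flask==3.0.0
PyYAML        # only loaded via importlib below
boto3         # imported but never used
cryptography  # declared, never imported
"""
SAMPLE_SOURCES = {
    "app.py": """\
import requests, boto3, importlib
from flask import Flask
app = Flask(__name__)
def fetch():
    return requests.get("https://example.invalid").text
def load_config():
    return importlib.import_module("yaml")
""",
}

if __name__ == "__main__":
    for dist, tag in sorted(tag_packages(SAMPLE_MANIFEST, SAMPLE_SOURCES).items()):
        print(f"{dist:14} {tag}")
```

Running the script tags requests and Flask as used-in-code, boto3 and PyYAML as imported (boto3 is bound but never read; PyYAML is reached only through a literal dynamic import), and cryptography as declared-only. A dependency loaded through importlib.import_module with a variable module name leaves no trace at all and would also come out as declared-only, which is why that tag is a prompt to confirm before removing a package, not proof that it is dead code.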

Best Practices

Troubleshooting