EXPERIMENTAL: This feature is experimental and may introduce breaking changes.
vet uses a code analysis framework built on top of tree-sitter parsers. The goal of this framework is to support multiple languages and source repositories (local and remote), and to report its findings.
vet uses these findings to build a code analysis database, which is then used to enrich and analyze manifests during scanning.
Build a Code Analysis Database
Analyze code and build a SQLite database for further analysis. This is a prerequisite for enabling the code analysis features in vet scan.
What This Command Does
- Code Analysis: Uses the code analysis framework to analyze application code recursively in the specified directory
- Language Support: Supports multiple languages; omit --lang to analyze all supported languages
- Database Creation: Creates a SQLite database of the reported findings for later use
- Tree-sitter Powered: Uses tree-sitter parsers for accurate code parsing and analysis
Supported Languages
The code analysis framework supports multiple programming languages through tree-sitter parsers:
- Python
- JavaScript/TypeScript
- Java
- Go
- And more…
Omit the --lang parameter to enable analysis of all supported languages automatically.
Scan with Dependency Usage Analysis
To enable code analysis features in vet scan, provide the path to the code analysis database using the --code flag.
Dependency usage analysis is the core feature of the code database and is enabled by default whenever one is supplied.
Enhanced Scanning Features
When using code analysis, vet scan provides:
- Manifest Analysis: Analyzes package manifests in the specified directory
- Usage Enrichment: Uses the code analysis database to enrich packages with dependency usage data
- Evidence-Based Results: Shows a scan summary with usage evidence and used-in-code tags proving that a library is actually referenced by the code

Practical Example
Here's a complete workflow for analyzing a Python project:
1. Analyze Code: Build the code analysis database for your Python project.
2. Enhanced Scan: Run vet scan with code analysis integration, passing the database path with --code.
3. Review Results: Check the scan results for:
- Dependencies actually used in code vs. declared
- Unused dependencies that could be removed
- Usage patterns and import analysis
Benefits of Code Analysis
Accurate Risk Assessment
By identifying which dependencies are actually used in your code, you can:
- Prioritize security fixes for actively used packages
- Deprioritize vulnerabilities in dependencies the code never imports (treat this as a signal, not proof: static analysis cannot see dynamic imports, and an unused package is still installed and still runs its install hooks)
- Make informed decisions about dependency removal
Dependency Optimization
Code analysis helps identify:
- Unused Dependencies: Packages declared but never imported
- Over-declared Dependencies: Libraries with minimal usage
- Missing Dependencies: Code imports without corresponding declarations
Supply Chain Insights
Enhanced visibility into:
- How dependencies are used throughout your codebase
- Which functions/modules are imported from each package
- Dependency usage patterns and trends
Advanced Usage
Multi-language Projects
For projects with multiple languages, run the analysis without the --lang flag so that every supported language in the directory is analyzed.
Custom Database Locations
Organize analysis databases by project or environment, for example one database per repository checkout, so that a scan is never enriched with usage evidence from a different codebase.
Integration with CI/CD
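The following CI script is an added example, not code from the vet documentation or the vet project; it carries out the three-step workflow from the Practical Example above as a job would run it. Only --lang and --code are flag names taken from this page; the vet code scan --app DIR --db FILE form and the -D directory flag of vet scan are assumptions about the vet CLI, so confirm them against vet code scan --help before relying on the script.

```shell
#!/bin/sh
# Added example (not part of the vet docs or the vet project): build the code
# analysis database for the commit under test, then run an enriched scan.
#
# Assumed CLI shapes (verify with `vet code scan --help` / `vet scan --help`):
#   vet code scan --app DIR --db FILE [--lang LANG]   builds the database
#   vet scan -D DIR --code FILE                       consumes it
set -eu

VET_BIN="${VET_BIN:-vet}"          # path to the vet binary
APP_DIR="${APP_DIR:-.}"            # repository checkout to analyze
CODE_DB="${CODE_DB:-.vet/code.db}" # per-project database location
LANG_FILTER="${LANG_FILTER:-}"     # e.g. python; empty = all supported languages

# build_code_db APP_DIR DB_PATH [LANG]
# Builds the SQLite code analysis database from scratch. The old file is removed
# first: a database left over from an earlier commit would carry usage evidence
# for code that no longer exists, so it must never be reused across commits.
build_code_db() {
  app_dir=$1; db_path=$2; lang=${3:-}
  rm -f "$db_path"
  mkdir -p "$(dirname "$db_path")"
  if [ -n "$lang" ]; then
    "$VET_BIN" code scan --app "$app_dir" --db "$db_path" --lang "$lang"
  else
    "$VET_BIN" code scan --app "$app_dir" --db "$db_path"
  fi
}

# enriched_scan APP_DIR DB_PATH
# Scans the manifests under APP_DIR and enriches each package with usage
# evidence from DB_PATH. Refuses to run if the database is missing or empty:
# a scan that quietly degrades to manifest-only results would lose the
# used-in-code tags the job is meant to produce.
enriched_scan() {
  app_dir=$1; db_path=$2
  if [ ! -s "$db_path" ]; then
    echo "code analysis database not found or empty: $db_path" >&2
    return 1
  fi
  "$VET_BIN" scan -D "$app_dir" --code "$db_path"
}

# run_pipeline: both steps in order, as a CI job invokes them.
run_pipeline() {
  build_code_db "$APP_DIR" "$CODE_DB" "$LANG_FILTER"
  enriched_scan "$APP_DIR" "$CODE_DB"
}

# `sh vet-code-ci.sh run` executes the pipeline; sourcing the file without
# arguments only defines the functions.
if [ "${1:-}" = "run" ]; then
  run_pipeline
fi
```

In a pipeline, set CODE_DB to a path inside the job workspace (for example a per-repository location under a build directory) so that databases from different projects or environments never mix, and let the job fail when either step fails; set -e handles that here.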
Limitations and Considerations
Experimental Status
This feature is experimental and may have breaking changes. Test thoroughly before using in production environments.
Performance Impact
Code analysis adds processing time to scans, both for building the database and for the enriched scan itself. Consider the trade-off between accuracy and speed for your use case.
Storage Requirements
Code analysis databases can become large for extensive codebases. Monitor disk usage and clean up old databases regularly.