Security News
Introducing the Socket Python SDK
The initial version of the Socket Python SDK is now on PyPI, enabling developers to more easily interact with the Socket REST API in Python projects.
It-Depends is a tool to automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories. You can use it to enumerate all third party dependencies for a software package, map those dependencies to known security vulnerabilities, as well as compare the similarity between two packages based on their dependencies.
To the best of our knowledge, It-Depends is the only such tool with the following features:
pytz
depends on the native library libtinfo.so.6
)pip:it-depends
--audit
feature may discover vulnerabilities in upstream dependencies that are either not exploitable in the
target package or are in a package version that cannot exist in any valid dependency resolution of the target
package--clear-cache
$ pip3 install it-depends
Run it-depends
in the root of the source repository you would like to analyze:
$ cd /path/to/project
$ it-depends
or alternatively point it to the path directly:
$ it-depends /path/to/project
or alternatively specify a package from a public package repository:
$ it-depends pip:numpy
$ it-depends apt:libc6@2.31
$ it-depends npm:lodash@>=4.17.0
It-Depends will output the full dependency hierarchy in JSON format. Additional output formats such
as Graphviz/Dot are available via the --output-format
option.
It-Depends can automatically try to match packages against the OSV vulnerability database with the
--audit
option. This is a best-effort matching as it is based on package names, which might not always consistent.
Any discovered vulnerabilities are added to the JSON output.
It-Depends attempts to parallelize as much of its effort as possible. To limit the maximum number of parallel tasks, use
the --max-workers
option.
By default, It-Depends recursively resolves all packages' dependencies to construct a complete dependency graph. The
depth of the recursion can be limited using the --depth-limit
option. For example,
$ it-depends pip:graphtage --depth-limit 1
will only enumerate the direct dependencies of Graphtage.
Here is an example of running It-Depends on its own source repository:
This is the resulting json with all the discovered dependencies. This is the resulting Graphviz dot file producing this
This is the resulting dependency graph:
JavaScript requires npm
Rust requires cargo
Python requires pip
C/C++ requires autotools
and/or cmake
Several native dependencies are resolved using Ubuntu’s file to path database apt-file
, but this is seamlessly
handled through an Ubuntu docker
container on other distributions and operating systems
Currently docker
is used to resolve native dependencies
$ git clone https://github.com/trailofbits/it-depends
$ cd it-depends
$ python3 -m venv venv # Optional virtualenv
$ ./venv/bin/activate # Optional virtualenv
$ pip3 install -e '.[dev]'
$ git config core.hooksPath ./hooks # Optionally enable git commit hooks for linting
This research was developed by Trail of Bits based upon work supported by DARPA under Contract No. HR001120C0084 (Distribution Statement A, Approved for Public Release: Distribution Unlimited). Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government or DARPA.
Felipe Manzano and Evan Sultanik are the active maintainers, but Alessandro Gario, Eric Kilmer, Alexander Remie, and Henrik Brodin all made significant contributions to the tool’s inception and development.
It-Depends is licensed under the GNU Lesser General Public License v3.0. Contact us if you’re looking for an exception to the terms.
© 2021, Trail of Bits.
FAQs
A software dependency analyzer
We found that it-depends demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
The initial version of the Socket Python SDK is now on PyPI, enabling developers to more easily interact with the Socket REST API in Python projects.
Security News
Floating dependency ranges in npm can introduce instability and security risks into your project by allowing unverified or incompatible versions to be installed automatically, leading to unpredictable behavior and potential conflicts.
Security News
A new Rust RFC proposes "Trusted Publishing" for Crates.io, introducing short-lived access tokens via OIDC to improve security and reduce risks associated with long-lived API tokens.