Less effort, more insight: introducing Dependency Graph for Supply Chain

Modern software development thrives on open source dependencies, but those dependencies often introduce hidden risks. Vulnerabilities buried in transitive dependencies pose significant challenges and roadblocks for AppSec teams, due to the convoluted web formed by these dependencies. This makes it especially difficult to effectively prioritize and remediate transitive vulnerabilities. Scans also often require custom configuration to run or lockfiles to generate and scan the web of dependencies.

With the introduction of Dependency Graph, we're empowering AppSec engineers to more easily scan, understand, and secure their software supply chain. This foundational technology enables:

1. Reduction (and in some cases, elimination!) of effort to scan dependencies

2. Visualization of dependency paths to help prioritize and remediate transitive dependencies

Our new Dependency Graph reduces the efforts required to scan and map your direct and transitive dependencies into a clear view across your codebase. Through an updated workflow that minimizes reliance on lockfile scans and a new visualization we call Dependency Path, Semgrep provides visibility and a streamlined track to securing your software stack.

Understanding dependency graphs

All software projects depend on external libraries, which in turn may depend on other packages, and so on. Dependencies can be:

Direct dependencies: packages your project explicitly uses

Transitive dependencies: the direct dependencies’ dependencies; relationships inherited through direct dependencies, potentially several layers deep

The map of all these dependencies and the relationship between them is the dependency graph.

How lockfiles work

Semgrep uses lockfiles – a compiled dependency manifest that specifies the exact version of every dependency installed – to understand a project’s dependencies by default. Lockfiles are very helpful for understanding dependency relationships because they encode information about the dependency graph, the exact versions of dependencies, and transitive relationships. Previously, Semgrep could not infer a project’s dependencies without a lockfile. Now, Semgrep can understand dependency graphs when lockfiles are unavailable or insufficient.

Flexibility with, or without, lockfiles

Lockfiles are the best investment you can make for supply chain security. They ensure consistent dependency resolution across environments, but their adoption isn’t universal. While many developer teams embrace them, other teams may avoid them for various reasons: lockfiles may introduce friction in development workflows, they may be uncommon in the programming language/ecosystem that the team uses, or they may result in more frequent merge conflicts which slow down development.

This inconsistency creates a significant challenge for AppSec teams that need to understand the risks introduced by third party dependencies. With the power of our Dependency Graph, Semgrep now adapts to a wider range of real-world scenarios by:

• Leveraging lockfiles when available to infer dependencies with precision

• Constructing dependency graphs when lockfiles are nonstandard or unavailable (e.g. for projects that use Maven or Gradle) 

This flexibility significantly reduces the work required to identify vulnerabilities in third-party code, regardless of whether lockfiles are used.

Dependency Path: connect the dots to reduce risk

Dependency relationships form complex webs that are difficult to navigate, which can lead to obscured vulnerabilities buried deep within a project. Prioritization and remediation of transitive vulnerabilities has historically been tedious and labor intensive. Without the right tools, AppSec engineers are left to a cumbersome manual process digging in registries to determine where transitive dependencies exist in their codebase along with where and how they are imported.

Semgrep now solves this challenge with the Dependency Path feature. To understand how a dependency has been introduced into your project, simply look at a transitive dependency’s path. Easily see which direct dependencies you need to upgrade or replace in order to remediate the vulnerability and secure your code.

This visualization helps automate a critical part of the triage process for transitive vulnerabilities, saves precious time and effort, and enables AppSec teams to focus on higher their ultimate goals: reduction of risk and installing secure guardrails.

Tackling transitive vulnerabilities in practice

What does this update look like in the real world? In short, the reduced effort required to scan has an immediate impact for an AppSec team. They no longer need to implement workarounds when lockfiles are not an option. Furthermore, your project’s dependencies are now much easier to visualize and understand. This enables AppSec teams to prioritize and remediate their transitive dependencies more quickly and effectively than before.

Think through an example: imagine your SCA tool has flagged multiple critical vulnerabilities in the transitive dependency of spring-aop 6.1.11. The AppSec team knows they should remediate this, but they do not know how many layers deep it falls, nor which direct dependencies require an upgrade to remediate the vulnerabilities. In the best case, the vulnerable package is not too deep in the dependency tree. In the worst case, it lives several layers deep and can be used by several other dependencies! A transitive vulnerability this deep requires a very high level of commitment to unravel, not to mention its relatively lower priority when compared to more straightforward vulnerabilities.

Enter Semgrep’s Dependency Path. By visualizing the path of a critical vulnerability through the graph—traced back three layers to a rarely updated library—developers now know exactly which direct dependencies are responsible for introduction of the vulnerable, transitive ones. This map helps prioritize which vulnerabilities to remediate by surfacing how many paths and layers exist.

Zooming out, Semgrep’s Dependency Graph gives AppSec engineers the clarity they need to take decisive action. With this feature in their hands, AppSec teams now have:

• Comprehensive visibility: See and understand your software supply chain: all dependencies, direct and transitive, and vulnerabilities in one instance

• Reduced noise: Automate triage to focus on remediation and secure guardrails

• Empower developers: Adapt to developer workflows and reduce friction of onboarding repos. 

What’s next: less effort, more visibility

A mountain of dependencies comprises modern software — and is at the root of many vulnerabilities. With our Dependency Path, our changes to lockfile scans, and the underlying Dependency Graph, you can reveal your software’s risk profile, reduce the effort needed to find and prioritize vulnerabilities, and protect against threats buried deep in your stack.

As of today, Dependency Graph is live and in public beta! Reach out to your Semgrep contact to test the Dependency Graph on your Semgrep Supply Chain instance. And stay tuned as we continue to expand our breadth of coverage, with support for C# coming soon.

You cannot secure what you cannot see. Start mapping your software territory today with Semgrep Supply Chain.