
View and search for dependencies

Prerequisite

At least one project (repository) that scans for dependencies through Semgrep Supply Chain. See Scan third-party dependencies.

Semgrep Supply Chain's dependency search feature allows you to view and query for any dependency in your project at any time. This feature detects all transitive and direct dependencies across all of your projects in Semgrep AppSec Platform. Dependency search lists all the versions of a dependency, as well as the projects that use the dependency.

For newly discovered vulnerabilities, which may not yet have a formal CVE or Supply Chain rule, you can use dependency search to see if you use the vulnerable dependency across all your repositories. You can also use dependency search to see all the versions of a dependency, which can be useful for standardization purposes.

Figure: Default dependency search page.

To search your dependencies:

  1. Sign in to Semgrep AppSec Platform.
  2. Go to Settings > Deployment and navigate to the Supply Chain (SCA) section.
     Figure: The Semgrep Supply Chain Settings tab.
  3. Click Dependency search if it's not already enabled.
  4. Navigate to Supply Chain > Dependencies.
     Figure: The Semgrep Supply Chain Dependencies tab.

At this point, Semgrep displays the lockfiles or manifests that it has used to determine dependency information and the dependencies included in each of the lockfiles or manifests.

View additional lockfiles

By default, Semgrep only displays dependencies listed in a given project's first 10 lockfiles. To load information from additional lockfiles:

  1. Sign in to Semgrep AppSec Platform.
  2. Navigate to Supply Chain > Dependencies, and scroll to the bottom of the page.
  3. Click Fetch more lockfiles.

Search for dependencies

To search for dependencies:

  1. Sign in to Semgrep AppSec Platform.
  2. Navigate to Supply Chain > Dependencies.
  3. Using the Dependency search bar, type the name of the dependency you are searching for.
  4. Optional: Apply filters as necessary for your search.
Tip: Search for ranges of supported versions with the > or < operators following the @ operator. For example, body-parser@<1.18.0 finds all versions of body-parser lower than 1.18.0, and body-parser@>1.18.0 finds all versions greater than 1.18.0.
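To make the query syntax concrete, here is an added example (not Semgrep's own code) that applies a query of the form name, name@version, name@<version or name@>version to a small constructed dependency inventory, comparing versions numerically rather than as strings. The inventory rows and the handling of pre-release suffixes are assumptions made for the example.

```python
import re

# Constructed inventory, not real scan data: (name, version, project, transitivity).
INVENTORY = [
    ("body-parser", "1.17.2", "web-api", "direct"),
    ("body-parser", "1.18.3", "web-api", "transitive"),
    ("body-parser", "1.20.1", "checkout", "direct"),
    ("express", "4.18.2", "checkout", "direct"),
]

# A dependency name, optionally followed by @, an optional < or >, and a version.
QUERY = re.compile(r"^(?P<name>[^@\s]+)(?:@(?P<op>[<>]?)(?P<version>\S+))?$")


def version_key(version):
    """Numeric tuple for ordering, so 1.18.3 sorts after 1.9.0 (string
    comparison would get this wrong). Pre-release suffixes after '-' are
    ignored; that simplification is an assumption of this example."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def search(query, inventory=INVENTORY):
    """Return the inventory rows matching a Dependency search style query."""
    match = QUERY.match(query.strip())
    if not match:
        raise ValueError(f"unrecognised query: {query!r}")
    name, op, wanted = match.group("name", "op", "version")
    hits = []
    for dep, ver, project, transitivity in inventory:
        if dep != name:
            continue
        if wanted:  # a version constraint was given
            have, want = version_key(ver), version_key(wanted)
            if op == "<" and not have < want:
                continue
            if op == ">" and not have > want:
                continue
            if op == "" and have != want:  # exact version match
                continue
        hits.append({"dependency": f"{dep}@{ver}", "project": project,
                     "transitivity": transitivity})
    return hits


if __name__ == "__main__":
    for row in search("body-parser@<1.18.0"):
        print(row)
```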

Search filters

Dependency search provides the following filters, which correspond to the data points displayed by Semgrep about each dependency:

Filter           Description
Dependency       The name and version of the dependency.
Projects         The projects where the dependency can be found.
Transitivity     The relationship of the dependency to your codebase.
License Policy   The License Policy you set. Determines whether a dependency can be used based on its license.
License          The dependency's license type.
Ecosystem        The language of the dependency.

Figure: Dependency search page with a sample search query.

Dependency paths (beta)

Info: To participate in this beta, reach out to support@semgrep.com.

Dependency paths let you view, for every transitive dependency introduced in a project, the path through which it was introduced, up to seven layers deep. With this information, you can understand:

  • How a transitive dependency was introduced
  • How deeply the transitive dependency is nested in the dependency tree that Semgrep generates for your project

Supported languages

Semgrep generates dependency paths for Java projects that include a maven_dep_tree.txt file whenever you invoke a scan using semgrep ci.

Semgrep can also generate dependency paths for Java projects with or without lockfiles if they are built with Maven, or with Gradle through the Gradle Wrapper. Dependency paths for such projects are available once you've updated your Semgrep deployment to pass the --allow-local-builds flag when running the scan from an environment that has all of the project's required build dependencies, such as Java and Maven, installed:

semgrep ci --allow-local-builds
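To show what a dependency path is in terms of the input Semgrep reads for Java projects, here is an added example (not Semgrep's own code) that parses a constructed maven_dep_tree.txt in the plain-text format written by `mvn dependency:tree -DoutputFile=maven_dep_tree.txt` and reports, for a given group:artifact, the chain of parents that introduced it and how deep it sits. The sample tree and its artifact versions are illustrative, and the seven-layer limit comes from the description above.

```python
# Constructed maven_dep_tree.txt content in the format written by
# `mvn dependency:tree -DoutputFile=maven_dep_tree.txt`; artifacts are illustrative.
SAMPLE_TREE = """\
com.example:app:jar:1.0.0
+- org.springframework:spring-web:jar:5.3.0:compile
|  +- org.springframework:spring-core:jar:5.3.0:compile
|  |  \\- org.springframework:spring-jcl:jar:5.3.0:compile
|  \\- com.fasterxml.jackson.core:jackson-databind:jar:2.12.0:compile
|     \\- com.fasterxml.jackson.core:jackson-core:jar:2.12.0:compile
\\- junit:junit:jar:4.13:test
   \\- org.hamcrest:hamcrest-core:jar:1.3:test
"""


def _depth_and_coordinate(line):
    """Each tree level is drawn with three characters ('+- ', '\\- ', '|  '
    or spaces), so the depth is the length of that prefix divided by three."""
    i = 0
    while i < len(line) and line[i] in "|+\\- ":
        i += 1
    return i // 3, line[i:]


def parse_tree(text):
    """Yield (coordinate, path) for every node; path is the chain of
    coordinates from the root project down to the node itself."""
    stack = []
    for line in text.splitlines():
        if not line.strip():
            continue
        depth, coord = _depth_and_coordinate(line)
        del stack[depth:]  # leaving a subtree: drop deeper entries
        stack.append(coord)
        yield coord, list(stack)


def dependency_paths(text, name, max_depth=7):
    """How `name` (group:artifact) was introduced: every path to it, without
    the root project, where depth 1 means a direct dependency. Paths deeper
    than max_depth (seven layers, as the feature description states) are
    left out."""
    results = []
    for coord, path in parse_tree(text):
        group, artifact = coord.split(":")[:2]
        depth = len(path) - 1
        if f"{group}:{artifact}" == name and 0 < depth <= max_depth:
            results.append({"depth": depth, "path": path[1:]})
    return results
```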

View the dependency graph

Once the scan completes, view the dependency graph in Semgrep AppSec Platform on:

  • The Finding Details page for a transitive finding
  • The Supply Chain > Dependencies tab when you view a transitive dependency; click Transitive to launch the dependency graph

Figure: Supply Chain findings with a dependency graph shown.

Troubleshooting: no dependencies appear on the Dependencies page

If you don't see any results on the Dependencies page, ensure that:

  • Semgrep Supply Chain can parse your lockfile. Refer to Supported languages for a list of supported languages and lockfiles.
  • You've scanned the repository at least once. If you're having trouble seeing dependencies after a scan, see Why aren't Supply Chain findings showing? for additional troubleshooting tips.
  • Your filters and search syntax are correct.
  • The scan you're searching isn't a diff-aware scan. Only dependencies detected during full scans are shown on the Dependencies page.
