
feat: implement dependency path tracing command#17

Merged
PrasanthYT merged 1 commit intomainfrom
feature/dependency-path-tracing
Mar 3, 2026

Conversation

@PrasanthYT (Contributor)

Overview

This PR introduces dependency path tracing to Scanr.

It enables users to determine which dependency chain introduced a vulnerable package, significantly improving investigation depth and remediation clarity.

This milestone transitions Scanr into a security intelligence tool.

New CLI Command

scanr trace <package>

Example:

scanr trace minimatch

Future-ready for version-specific tracing:

scanr trace minimatch@10.2.2

Example Output

Dependency Path Trace: minimatch@10.2.2

root
 └─ rollup@4.57.1
     └─ minimatch@10.2.2

Severity: HIGH
CVE: CVE-2026-27903

Multiple paths supported:

Found 2 paths:

Path 1:
root
 └─ rollup
     └─ minimatch

Path 2:
root
 └─ hono
     └─ minimatch

Technical Implementation

Dependency Graph Upgrade

Introduced adjacency-based graph structure:

struct DependencyNode {
    name: String,
    version: String,
    dependencies: Vec<String>,
}

Stored in:

HashMap<String, DependencyNode>

Key format:

name@version

Graph built during dependency parsing.

Path Tracing Algorithm

  • DFS traversal
  • Per-path visited tracking
  • Depth limit enforced
  • Max path count enforced
  • No infinite loop risk

Path tracing runs only when trace command is invoked.

Normal scan performance unaffected.

Edge Case Handling

  • Direct dependency case
  • Deep transitive case
  • Multiple parent case
  • Package not found case
  • Safe recursion limits

Validation

  • Graph construction validated against lockfile structure
  • Multiple path scenarios tested
  • No performance regression in normal scan
  • cargo build --workspace --release passes
  • No panics during trace execution

Impact

  • Improves remediation clarity
  • Enhances developer experience
  • Adds investigation depth
  • Moves Scanr toward security intelligence tooling
  • No regression in scanning pipeline

Why This Matters

Before:

“minimatch is vulnerable.”

After:

“minimatch was introduced via rollup, which is a direct dependency. Upgrade rollup or override minimatch.”

This dramatically increases the sophistication and practical value of Scanr.
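
As an added illustration of the algorithm the PR describes (not code from the Scanr repository), the snippet below runs a bounded DFS over the `HashMap<String, DependencyNode>` keyed by `name@version`, using the current path as the per-path visited set, enforcing the depth and path-count limits, and rendering the tree output. The sample graph, including the rollup/fsevents cycle and the hono version, is constructed for the example and is not a real lockfile.

```rust
use std::collections::HashMap;

/// Node shape from the PR: one package plus the `name@version` keys it depends on.
pub struct DependencyNode { pub name: String, pub version: String, pub dependencies: Vec<String> }

/// Does a graph key (`name@version`) match the target, given with or without a version?
fn matches(key: &str, target: &str) -> bool {
    key == target || key.rsplit_once('@').map_or(key, |(name, _)| name) == target
}

/// Bounded DFS from `root` collecting every distinct path to `target`.
/// The path itself is the per-path visited set (cycles are cut without hiding a
/// legitimate second path); `max_depth` caps edges per path, `max_paths` caps results.
pub fn trace_paths(graph: &HashMap<String, DependencyNode>, root: &str, target: &str,
                   max_depth: usize, max_paths: usize) -> Vec<Vec<String>> {
    fn dfs(g: &HashMap<String, DependencyNode>, node: &str, target: &str, max_depth: usize,
           max_paths: usize, path: &mut Vec<String>, out: &mut Vec<Vec<String>>) {
        if out.len() >= max_paths || path.len() > max_depth { return; }
        if path.iter().any(|p| p == node) { return; } // already on this path: cycle
        path.push(node.to_string());
        if matches(node, target) {
            out.push(path.clone());
        } else if let Some(n) = g.get(node) { // unknown key: dangling edge, stop here
            for dep in &n.dependencies { dfs(g, dep, target, max_depth, max_paths, path, out); }
        }
        path.pop();
    }
    let (mut path, mut out) = (Vec::new(), Vec::new());
    dfs(graph, root, target, max_depth, max_paths, &mut path, &mut out);
    out
}

/// Render one path in the PR's tree style (" └─ " at depth 1, four more spaces per level).
pub fn render(path: &[String]) -> String {
    path.iter().enumerate()
        .map(|(i, k)| if i == 0 { k.clone() } else { format!("{}└─ {}", " ".repeat(4 * i - 3), k) })
        .collect::<Vec<_>>().join("\n")
}

/// Constructed sample graph (not a real lockfile); rollup <-> fsevents forms a cycle.
pub fn sample_graph() -> HashMap<String, DependencyNode> {
    let edges = [("root", vec!["rollup@4.57.1", "hono@4.0.0"]),
                 ("rollup@4.57.1", vec!["minimatch@10.2.2", "fsevents@2.3.3"]),
                 ("fsevents@2.3.3", vec!["rollup@4.57.1"]),
                 ("hono@4.0.0", vec!["minimatch@10.2.2"]),
                 ("minimatch@10.2.2", vec![])];
    edges.iter().map(|(k, deps)| {
        let (name, version) = k.rsplit_once('@').unwrap_or((*k, ""));
        (k.to_string(), DependencyNode { name: name.into(), version: version.into(),
            dependencies: deps.iter().map(|d| d.to_string()).collect() })
    }).collect()
}
```

Calling `trace_paths(&sample_graph(), "root", "minimatch", 10, 100)` yields the two paths shown in the PR description, while a depth limit of 1 or an unknown package yields none.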

@PrasanthYT PrasanthYT merged commit 173be20 into main Mar 3, 2026
4 checks passed