
Releases: akiracrying/DepReach

v0.1.7

10 Mar 22:57


v0.1.6

10 Mar 22:21


Full Changelog: v0.1.5...v0.1.6

v0.1.5

10 Mar 14:43


Full Changelog: v0.1.4...v0.1.5

v0.1.2

08 Mar 22:33


Full Changelog: v0.1.1...v0.1.2

DepReach v0.1.0

08 Mar 22:22
12dccb1


SCA with reachability: find out if vulnerable code is actually reachable from your project.

Features

  • SBOM: CycloneDX (Python) via cyclonedx_py from requirements.txt, poetry, Pipfile, or venv
  • Vulnerabilities: lookup in VDB (appthreat-vulnerability-db) by PURL from SBOM
  • Reachability: fetch commit diffs from CVE references, extract changed functions, build project (and optional library) call graph — mark vulns as reachable or not
  • Reports: JSON, HTML (dependency graph), SARIF 2.1 with isReachable in result properties for ASPM/Code Scanning
  • Exit codes: 0 = no vulns, 1 = vulns but none reachable, 2 = at least one reachable

Changes in this release

  • Removed dead code: empty check_requirements, unused format_description link argument, unused XML BOM parsing and generate_sbom_with_cdxgen, unused extract_severity / extract_description / extract_fixed_version
  • Dropped defusedxml dependency
  • Fixed reachability column in table output (correct is_reachable key and boolean check)
  • Fixed binary-file detection in detect_type for Python 3 (is_binary_string)
  • CLI: --ignore, --cache, --sarif, --jobs supported
  • Getting ready for PyPI