
DepReach v0.1.0


@akiracrying akiracrying released this 08 Mar 22:22
· 9 commits to main since this release
12dccb1

SCA with reachability: find out if vulnerable code is actually reachable from your project.

Features

  • SBOM: CycloneDX (Python) via cyclonedx_py from requirements.txt, poetry, Pipfile, or venv
  • Vulnerabilities: lookup in VDB (appthreat-vulnerability-db) by PURL from SBOM
  • Reachability: fetch commit diffs from CVE references, extract changed functions, build project (and optional library) call graph — mark vulns as reachable or not
  • Reports: JSON, HTML (dependency graph), SARIF 2.1 with isReachable in result properties for ASPM/Code Scanning
  • Exit codes: 0 = no vulns, 1 = vulns but none reachable, 2 = at least one reachable
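The SARIF and exit-code features above describe what a CI gate needs: read the report, look at each result's isReachable property, and fail the job only on the 0 / 1 / 2 semantics DepReach documents. The script below is an added example, not code from the DepReach project; it assumes only what the release notes state (a SARIF 2.1 document whose results carry isReachable in their properties bag) and uses a constructed sample report with placeholder rule ids. Results that carry no isReachable flag are counted separately as unknown, and whether unknown should block is a policy choice exposed as a parameter rather than taken from the tool.

```python
"""CI gate over a DepReach-style SARIF 2.1 report (added example, not project code)."""
import json
import sys

# Constructed sample report; rule ids are placeholders, not real CVEs.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "DepReach"}},
        "results": [
            {"ruleId": "CVE-EXAMPLE-0001", "level": "error",
             "message": {"text": "vulnerable function reachable from app.main"},
             "properties": {"isReachable": True}},
            {"ruleId": "CVE-EXAMPLE-0002", "level": "warning",
             "message": {"text": "vulnerable function not on any call path"},
             "properties": {"isReachable": False}},
            {"ruleId": "CVE-EXAMPLE-0003", "level": "warning",
             "message": {"text": "no fix commit found, reachability unknown"},
             "properties": {}},  # flag absent: neither confirmed nor ruled out
        ],
    }],
}


def summarize(sarif: dict) -> dict:
    """Bucket every result by its isReachable property.

    Returns rule ids in three lists (reachable / unreachable / unknown)
    plus the total count, walking all runs in the document.
    """
    summary = {"total": 0, "reachable": [], "unreachable": [], "unknown": []}
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            summary["total"] += 1
            rule = result.get("ruleId", "<no ruleId>")
            flag = result.get("properties", {}).get("isReachable")
            if flag is True:
                summary["reachable"].append(rule)
            elif flag is False:
                summary["unreachable"].append(rule)
            else:  # missing or non-boolean: do not silently treat as safe
                summary["unknown"].append(rule)
    return summary


def exit_code(summary: dict, block_on_unknown: bool = False) -> int:
    """Map a summary onto DepReach's documented exit codes.

    0 = no vulns, 1 = vulns but none reachable, 2 = at least one reachable.
    block_on_unknown is this example's own policy knob: when set, results
    without a reachability verdict are gated like reachable ones.
    """
    if summary["total"] == 0:
        return 0
    if summary["reachable"]:
        return 2
    if block_on_unknown and summary["unknown"]:
        return 2
    return 1


def main(argv: list) -> int:
    """Load a SARIF file (or the constructed sample) and print a short verdict."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sarif = json.load(fh)
    else:
        sarif = SAMPLE_SARIF
    summary = summarize(sarif)
    code = exit_code(summary, block_on_unknown="--strict" in argv)
    print(f"{summary['total']} finding(s): "
          f"{len(summary['reachable'])} reachable, "
          f"{len(summary['unreachable'])} unreachable, "
          f"{len(summary['unknown'])} unknown -> exit {code}")
    for rule in summary["reachable"]:
        print(f"  REACHABLE  {rule}")
    for rule in summary["unknown"]:
        print(f"  UNKNOWN    {rule}")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py depreach.sarif` in the pipeline step after DepReach; add `--strict` if findings without a reachability verdict should also fail the build. Reading the property instead of relying on the process exit code lets the same report feed Code Scanning upload and the gate without a second scan.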

Changes in this release

  • Removed dead code: empty check_requirements, unused format_description link argument, unused XML BOM parsing and generate_sbom_with_cdxgen, unused extract_severity / extract_description / extract_fixed_version
  • Dropped defusedxml dependency
  • Fixed reachability column in table output (correct is_reachable key and boolean check)
  • Fixed binary-file detection in detect_type for Python 3 (is_binary_string)
  • CLI: --ignore, --cache, --sarif, --jobs supported
  • Getting ready for PyPI