Dependency Analysis

The Dependency Analysis module scans dependency manifests and lockfiles across multiple ecosystems to identify known vulnerabilities. It requires network access for CVE lookups (OSV, NVD, GHSA).

Supported Ecosystems

| Ecosystem | Files |
|---|---|
| Python (PyPI) | requirements.txt, Pipfile, pyproject.toml |
| Node.js (npm) | package.json, package-lock.json, yarn.lock |
| Java (Maven/Gradle) | pom.xml, build.gradle |
| Rust (Cargo) | Cargo.toml, Cargo.lock |
| Go | go.mod, go.sum |
| PHP (Composer) | composer.json, composer.lock |
| Ruby (Bundler) | Gemfile, Gemfile.lock |
| .NET (NuGet) | packages.config, *.csproj, *.props, *.targets |

Online Requirement

Dependency analysis requires a server connection to query vulnerability sources:

  • OSV
  • NVD
  • GHSA

Running in offline mode skips dependency analysis.

Resolution Strategy

Vulnera uses a hybrid resolution approach:

  • Lockfile-first — Extracts a fully resolved dependency tree from lockfiles for accurate transitive coverage.
  • Manifest-only fallback — Best-effort resolution via registry metadata when lockfiles are absent.

Known gaps: Lockfile-independent transitive resolution is incomplete for some ecosystems (notably npm and PyPI).

Features

  • Directed dependency graph with reachability analysis
  • Concurrent vulnerability lookups with configurable limits
  • Safe version recommendations with patch/minor/major impact classification
  • CWE normalization and filtering
  • Advisory intelligence via vulnera-advisor

Detail Levels

| Level | Best For | Includes |
|---|---|---|
| minimal | Status badges | Vulnerabilities list, basic metadata |
| standard | Inline decorations, quick fixes | Vulnerabilities, packages, version recommendations |
| full | Detailed reports, dependency trees | All data + dependency graph |

Output Example

{
  "package": "lodash",
  "current_version": "4.17.15",
  "vulnerability": "CVE-2021-23337",
  "recommendations": {
    "nearest_safe": "4.17.21",
    "latest_safe": "4.17.21",
    "upgrade_impact": "patch"
  }
}
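The example below is added here and is not Vulnera's own code. It shows how a record in the shape of the output above can be derived: the safe-version recommendation feature listed under Features (nearest and latest fixed release, plus patch/minor/major impact) is computed from an OSV-style affected range and a list of published versions. The `LODASH_RANGES` and `LODASH_VERSIONS` values are constructed for illustration, not taken from the registry or the advisory.

```python
# Added example, not Vulnera's own code: derive nearest_safe / latest_safe and the
# patch/minor/major upgrade impact from a constructed OSV-style affected range.

def parse_version(v: str) -> tuple[int, int, int]:
    """Parse 'MAJOR[.MINOR[.PATCH]]' into a comparable tuple; pre-release tags are not handled."""
    parts = [int(x) for x in v.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]

def is_vulnerable(version: str, ranges: list[dict]) -> bool:
    """True if version lies in any half-open [introduced, fixed) range of the advisory."""
    v = parse_version(version)
    for r in ranges:
        lo = parse_version(r.get("introduced", "0"))
        hi = parse_version(r["fixed"]) if "fixed" in r else None  # no 'fixed' => still open
        if v >= lo and (hi is None or v < hi):
            return True
    return False

def upgrade_impact(current: str, target: str) -> str:
    """Classify the jump from current to target by the highest semver component that changes."""
    cur, tgt = parse_version(current), parse_version(target)
    if tgt[0] != cur[0]:
        return "major"
    if tgt[1] != cur[1]:
        return "minor"
    return "patch"

def recommend(package: str, current: str, vuln_id: str, ranges: list[dict], available: list[str]) -> dict:
    """Build a recommendation record in the shape of the page's output example."""
    cur = parse_version(current)
    safe = sorted((v for v in available if parse_version(v) > cur and not is_vulnerable(v, ranges)),
                  key=parse_version)
    record = {"package": package, "current_version": current, "vulnerability": vuln_id}
    if not is_vulnerable(current, ranges) or not safe:
        # Either the installed version is outside the affected ranges, or no fixed release exists yet.
        record["recommendations"] = None
    else:
        record["recommendations"] = {
            "nearest_safe": safe[0],
            "latest_safe": safe[-1],
            "upgrade_impact": upgrade_impact(current, safe[0]),  # impact of the smallest fix
        }
    return record

# Constructed sample data: one OSV-style affected range and an illustrative version list.
LODASH_RANGES = [{"introduced": "0", "fixed": "4.17.21"}]
LODASH_VERSIONS = ["4.17.15", "4.17.19", "4.17.20", "4.17.21"]

if __name__ == "__main__":
    print(recommend("lodash", "4.17.15", "CVE-2021-23337", LODASH_RANGES, LODASH_VERSIONS))
```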

CLI Usage

Dependency analysis runs via vulnera deps (online only):

# Basic scan
vulnera deps .

# Include transitive dependencies
vulnera deps . --include-transitive

# Force rescan (ignore local cache)
vulnera deps . --force-rescan

Next Steps