Search through your dependencies
Semgrep Supply Chain's dependency search feature allows you to query for any dependency in your codebase at any time. This feature detects all transitive and direct dependencies across all of your repositories in Semgrep AppSec Platform. Dependency search lists all the versions of a dependency as well as the repositories that use the dependency.
For newly discovered vulnerabilities, which may not yet have a formal CVE or Supply Chain rule, you can use dependency search to discover if you use the vulnerable dependency across all your repositories. You can also use dependency search to see all the versions of a dependency, which can be useful for standardization purposes.
Figure. Default dependency search page.
Using dependency search
- You can only use dependency search through Semgrep AppSec Platform. Sign up or sign in to Semgrep AppSec Platform.
- You need at least one completed Semgrep Supply Chain scan of all the repositories you want to search through.
To search through your dependencies:
- Sign in to Semgrep AppSec Platform.
- Go to Settings > Deployment and navigate to the Supply Chain (SCA) section. Figure. The Semgrep Supply Chain Settings tab.
- Click Dependency search if it is not already enabled.
- Navigate to Supply Chain > Dependencies. Figure. The Semgrep Supply Chain Dependencies tab.
- Type the name of the dependency you are searching for.
- Optional: Apply filters as necessary for your search.
Search for ranges of supported versions with the >
or <
operators following the @ operator. For example, body-parser@<1.18.0
finds all versions of body-parser greater than 1.18.0
.
Dependency search provides the following filters, which correspond to the data points displayed by Semgrep about each dependency:
- Projects
- Transitivity
- The relationship of the dependency to your codebase. The relationship can be direct, indirect, or unknown.
- License Policy
- The License Policy you set; determines whether a dependency can be used based on its license.
- License
- The dependency's license
- Ecosystem
- The language of the dependency
Figure. Dependency search page with sample search query.
Troubleshooting
This section describes possible issues and how to resolve them.
No dependencies appear in the Dependencies page
To ensure that your dependencies appear, check the following:
- Ensure that Semgrep Supply Chain can parse your lockfile. Refer to Supported languages for a list of supported languages and lockfiles.
- Make sure you've scanned the repository at least once.
- If you are using filters, ensure that your filters and search syntax is correct.
- Ensure that the scan you're referring to isn't a diff-aware scan. Only dependencies scanned off of full scans are shown on the Dependencies page.
Not finding what you need in this doc? Ask questions in our Community Slack group, or see Support for other ways to get help.