it-depends icon indicating copy to clipboard operation
it-depends copied to clipboard

Published 20 hours ago verified publisher icon trailofbits

Metadata

A tool to automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories.

Results 31 it-depends issues
Sort by recently updated
recently updated
newest added

Adds the ability to compare Go versions

1 comment

Fixes #72 and subsumes #73.

ESultanik avatar ESultanik

bug

Exception triggers when generating HTML output (for Go projects)

Using the `--output-format html` (with or without -o out.html) results in the following exception and creation of an empty report file. I have encountered this only while auditing a Go...

Hamid-K avatar Hamid-K

bug

Emphasize that a Docker(-compatible) socket is required for container inputs

2 comment

This is a small documentation/UX thing: users running Podman-in-Podman or Docker-in-Docker will probably encounter failures, since `it-depends` talks directly to the Docker (or Docker-compatible) socket. We should document this as...

woodruffw avatar woodruffw

Errors with and without npm when auditing `npm:astro`

1 comment

Reported by @ran-dall on the OpenSSF Slack: ```console # it-depends npm:astro Traceback (most recent call last): File "/usr/local/bin/it-depends", line 33, in sys.exit(load_entry_point('it-depends', 'console_scripts', 'it-depends')()) File "/it-depends/it_depends/cli.py", line 244, in main...

woodruffw avatar woodruffw

bug

Rust support breaks for non-crates.io dependency

1 comment

Hi, this is very cool. I was looking to run it on one of my rust projects after reading the It-depends blog post however it seems to crash if it...

Pat-Lafon avatar Pat-Lafon

Version string lacks a numerical component

2 comment

I tried running it-depends on a few different nodejs packages and it didn't work on any of them. On a few it gave this error. Here's the output for two...

timjrobinson avatar timjrobinson

No dependencies for a CMake project

> ### metadata > > Installed via `pip3 install it-depends` on a Manjaro system > > ``` > $ it-depends --version > it-depends version 0.1.1 > ``` ### Issue I...

ja-he avatar ja-he

NPM dependency resolution is not accurate

the NPM dependency resolution only uses package.json, while in reality package-lock.json is actually used (if available of course) to create and resolve dependency issues. Ignoring the changes made to `peerDependencies`...

sambacha avatar sambacha

Document the platforms supported

6 comment

If I recall, C/C++ dependency enumeration is only supported on Linux. Might want to indicate this on the README.

mike-myers-tob avatar mike-myers-tob

documentation

Map packages against Google OSV

2 comment

- [ ] Extend the it-depends API to associate vulnerabilities with packages - [ ] Use [Google OSV](https://osv.dev/) as a data source to automatically assign vulnerabilities to packages - [...

ESultanik avatar ESultanik

enhancement

Metadata

319
Stars
20
Forks
Watchers

Owner

verified publisher icon trailofbits

Metadata

A tool to automatically build a dependency graph and Software Bill of Materials (SBOM) for packages and arbitrary source code repositories.

Back