Go back
Exploit Intelligence 101

Understanding Software Dependency Graphs

avatar
Tom Bain@tmbainjr1
101

Understanding Software Dependency Graphs

This knowledge base article will support a fundamental understanding of:

  • The definition and key features of a software dependency graph
  • Uses for software dependency graphs
  • Why developers struggle with generating accurate software dependency graphs
  • Best practices for building accurate dependency graphs

What is a Software Dependency Graph?

A software dependency graph visualizes the complex web of a software system’s components, including modules, libraries, and frameworks. By representing these as nodes, the dependency graph shows connections between them so software developers can see and understand interactions between these different elements.

Typically, dependency graphs use one of the following visual representation formats:

  • Dependency matrix: Grid-like representation displaying nodes across rows and columns to help identify circular dependencies where a node depends on itself.
  • Adjacency list: List format with directed connections between entities identified under each node to detail dependencies across software packages or modules and understand component interlinking.
  • Linked nodes: Visualization of linked nodes that connects them using directed edges for insight for insight into an application’s architecture and potential conflicts, reducing the number of circular relationships

Why is it Important to Understand Software Dependencies?

Dependencies can introduce potential issues or even cause system failures if not managed properly. When developers add new dependencies, conflicts with existing components might arise, leading to compatibility issues. Effectively managing dependencies also helps reduce vulnerabilities that attackers can use to compromise systems and networks. Key aspects include:

Transparency Across Third-party Components and Libraries

Dependency graphs reveal the structure of the different components that developers incorporate into the software. As software becomes more complex, the dependency graphs enable developers to gain a clear view of all components involved, including open-source components.

Cross-file Analysis

A single application may incorporate code written in multiple programming languages. Cross-file analysis provides a unified view of dependencies for insight into interconnectedness across multiple files. This process tracks, documents, and accounts for all dependencies, regardless of varying file paths or appearances. By reducing blind spots in dependency tracking, developers can improve the software’s security posture.

Visibility into Potential Vulnerabilities

By providing visibility across different ecosystems and package relationships, dependency graphs enable developers to identify potential vulnerabilities. The graphs outline direct and transitive dependencies which AppSec teams can use to pinpoint and mitigate vulnerabilities without relying on lockfiles. By mapping indirect dependencies, AppSec teams reduce the human error risks from manual processes to make informed, data-driven security decisions.

Path Analysis

Path analysis uses algorithms to map connections between components so developers can identify the chain of dependencies between two points. Developers can identify the shortest or most critical paths between two nodes which helps with debugging and performance tracing.

Impact Analysis

While path analysis tells developers how components are connected, impact analysis tells them how a change will affect the downstream dependencies. WIth an impact analysis, developers can determine the ripple effect or blast radius that refactoring or change management can have across the software.

Why do Developers Struggle to Build Accurate Software Dependency Graphs?

Developers often find it challenging to construct accurate software dependency graphs due to the complex nature of modern software projects. As projects grow, they involve more methods, libraries, frameworks, and components. Tasks like documenting dependencies can become tedious and overwhelming, especially without automating the process. Key contributing factors include:

Free and Open Source Software (FOSS)

Developers increasingly incorporate FOSS components into their software. As the number of components increases, software dependency graphs grow in size and complexity. While developers may know the direct dependencies within their source code, they often lose sight of the downstream, or transitive, dependencies that FOSS introduces.

Shadow Code

Shadow code is untracked or unofficial dependencies in a codebase that are not part of the official dependency list. Since they are not declared in package manifests, developers have a hard time tracking and auditing them. Since they lack documentation, they can introduce security risks or licensing issues.

Decentralized Teams

In a remote working world, developers can collaborate from anywhere. Decentralized development teams can make building an accurate dependency graph challenging because people managing their own modules in different tools or with different processes can lead to inconsistent or missing data that leaves a graph incomplete.

Technology Limitations

Depending on the team’s tooling, the technologies may have limitations that impact a dependency graph’s accuracy. Manifest files and lockfiles may not include all dependencies, especially if files from other sources are directly checked into a repository. Additionally, vulnerability data can be incomplete or not timely, impacting the accuracy of the dependency graph.

Best practices for building accurate dependency graphs

A reliable software dependency graph acts as a guide, showing each part of the code and how the parts rely on each other. With these insights, organizations can improve their application security by understanding how an attacker or a vulnerability can impact the software for improved remediation prioritization.

Use a Software Composition Analysis (SCA) Tool

SCA tools display how the different parts of software relate to each other and work together. They enable developers to automate many processes related to creating dependency graphs.

Generate a Software Bill of Materials (SBOM)

An SBOM lists all components and dependencies within a project, including direct and transitive dependencies. They use structured, hierarchical formats, like CycloneDX, to provide a complete map dependencies, including metadata that highlights the paths through which these dependencies are connected.

Edit Layers and Dependencies

Reviewing and editing the dependency graph ensures that it adequately describes the components and how they interact. Some edits may include:

  • Removing unnecessary dependencies that may have been mistakenly added
  • Changing or restricting a dependency's direction to clarify how different software components interact with one another
  • Refining how each artifact relates to the various layers within the system can promote a better-organized project structure.

Validate Code Against Graph

Validating code against the dependency graph involves checking for any conflicts between what the code currently contains and what the diagram represents. The process helps:

  • Identify components that may be impacted by recent changes
  • Providing insights into code that requires further examination or modification
  • Ensuring a smooth transition when moving elements to different architectures

Prioritizing remediation with VulnCheck

VulnCheck’s Exploit & Vulnerability Intelligence enables developers to prioritize remediation efforts by focusing on the vulnerabilities that attackers are actively exploiting. Our complete exploitation timelines covers the vulnerability’s initial disclosure, evidence of first discovered exploit, and when remediation was provided.