Detect Vulnerable Dependencies
Modern applications rely on hundreds of third-party packages. Each package brings its own dependency tree, creating a web where a single vulnerable package can affect your entire application. Radar's SCA engine maps the complete dependency graph to identify vulnerable packages at every level.
Direct vs Transitive Dependencies
| Type | Description | Remediation |
|---|---|---|
| Direct | Packages you explicitly declare in your manifest file (package.json, pom.xml, requirements.txt). You control the version directly | Change the version in your manifest and regenerate the lock file |
| Transitive | Packages pulled in by your direct dependencies. Typically outnumber direct deps by 5-10x (a project with 30 direct deps commonly has 300+ transitive deps) | Upgrade the parent dependency, use resolution overrides, or replace the parent. See Triage and Remediation |
Equal Risk
A vulnerability in a deeply nested transitive dependency is just as dangerous as one in a direct dependency. If the vulnerable code is executed at runtime, the depth in the dependency tree is irrelevant. Attackers do not care whether the package is at level 1 or level 5.
How Radar Scans Dependencies
1. Parse manifests. Radar reads your package manifest files (package.json, pom.xml, requirements.txt, .csproj, composer.json, go.mod, Gemfile) to identify declared dependencies and version constraints.
2. Analyze lock files. Lock files (package-lock.json, yarn.lock, Pipfile.lock, composer.lock, Gemfile.lock, go.sum) contain the complete resolved tree with exact versions, including all transitive dependencies. Note that go.sum is a checksum database rather than a true lock file: it can retain entries for modules that are no longer part of the build, so the go.mod require directives (or `go list -m all`) remain the authority for which Go module versions are actually used.
3. Resolve versions. Radar determines the exact installed version for each dependency, not just the declared range. A constraint like ^2.0.0 could resolve to 2.3.7. The lock file provides the specific version that matters for vulnerability matching.
4. Cross-reference databases. Each package and version is checked against the NVD, GitHub Advisory Database, and ByteHide's vulnerability intelligence. If the installed version falls within an affected range for any known CVE, Radar generates a finding.
Lock File Accuracy
Lock files provide the most accurate results. Without a lock file, Radar resolves from declared ranges, which may not match your installed packages. Always commit lock files to version control.
Dependency Path
For each SCA finding, Radar shows the full dependency path:
```
your-project > express@4.18.2 > body-parser@1.20.1 > qs@6.11.0
```

This tells you that qs enters your project through express > body-parser. Upgrading express or body-parser to a release that requires a fixed qs version may resolve the issue without pinning or overriding the transitive dependency directly.
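The scan steps above (resolve the pinned version from the lock file, cross-reference it against advisory ranges, report the dependency path) are shown end to end below. This is an added example written for this page, not Radar's own code. It operates on a constructed, trimmed package-lock.json in the lockfileVersion 3 layout, and the advisory ranges are invented for illustration: the qs range is chosen only so that the example produces a finding and says nothing about real qs CVEs.

```python
"""Added example, not Radar's own code: resolve exact versions from a
lockfileVersion 3 package-lock.json, cross-reference them against a
constructed advisory list, and report each dependency path to a hit."""
import json

# Constructed, trimmed package-lock.json (lockfileVersion 3). Versions are
# illustrative; the advisory range below is NOT a statement about real qs CVEs.
LOCKFILE = json.loads("""
{
  "name": "your-project",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "your-project",
         "dependencies": {"express": "^4.18.0", "lodash": "^4.17.0"}},
    "node_modules/express": {"version": "4.18.2",
         "dependencies": {"body-parser": "1.20.1", "qs": "6.11.0"}},
    "node_modules/body-parser": {"version": "1.20.1",
         "dependencies": {"qs": "6.11.0"}},
    "node_modules/qs": {"version": "6.11.0"},
    "node_modules/lodash": {"version": "4.17.21"}
  }
}
""")

# Constructed advisories: (package, first affected, first fixed); "fixed" is exclusive.
ADVISORIES = [
    ("qs", "6.0.0", "6.11.1"),       # hypothetical range, chosen so 6.11.0 is affected
    ("lodash", "0.0.0", "4.17.21"),  # 4.17.21 is the fixed version, so no finding
]


def parse_version(v):
    """'6.11.0' -> (6, 11, 0). Pre-release and build tags are dropped; a real
    engine implements full semver precedence, including pre-release ordering."""
    core = v.split("-")[0].split("+")[0]
    return tuple(int(x) for x in core.split("."))


def locate(lock, from_path, dep):
    """Find the lock entry that satisfies `dep` for the package installed at
    `from_path`, walking up nested node_modules the way Node's resolver does."""
    base = from_path
    while True:
        candidate = (base + "/" if base else "") + "node_modules/" + dep
        if candidate in lock["packages"]:
            return candidate
        if base == "":
            raise KeyError(f"{dep} not resolvable from {from_path!r}")
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def declared_vs_resolved(lock):
    """Pair each direct dependency's declared range with the exact version the
    lock pinned. The pinned version, not the range, is what is installed."""
    pkgs = lock["packages"]
    return {dep: (rng, pkgs[locate(lock, "", dep)]["version"])
            for dep, rng in pkgs[""].get("dependencies", {}).items()}


def dependency_paths(lock):
    """Return (lock_path, trail) for every route from the root to an installed
    package, e.g. ['your-project', 'express@4.18.2', 'body-parser@1.20.1',
    'qs@6.11.0']. Cycles are cut by not re-entering an entry on the trail."""
    pkgs = lock["packages"]
    routes = []

    def walk(path, trail, on_trail):
        for dep in pkgs[path].get("dependencies", {}):
            child = locate(lock, path, dep)
            step = trail + [f"{dep}@{pkgs[child]['version']}"]
            routes.append((child, step))
            if child not in on_trail:
                walk(child, step, on_trail | {child})

    walk("", [pkgs[""].get("name", "root")], {""})
    return routes


def findings(lock, advisories):
    """Cross-reference every installed version against the advisory ranges and
    attach every dependency path that reaches the affected entry."""
    pkgs = lock["packages"]
    routes = dependency_paths(lock)
    results = []
    for path, entry in pkgs.items():
        if not path:
            continue
        name = path.rsplit("node_modules/", 1)[1]
        installed = parse_version(entry["version"])
        for adv_name, introduced, fixed in advisories:
            if adv_name == name and parse_version(introduced) <= installed < parse_version(fixed):
                results.append({"package": name, "version": entry["version"],
                                "paths": [" > ".join(t) for p, t in routes if p == path]})
    return results


if __name__ == "__main__":
    for dep, (rng, exact) in declared_vs_resolved(LOCKFILE).items():
        print(f"{dep}: declared {rng}, lock pins {exact}")
    for f in findings(LOCKFILE, ADVISORIES):
        print(f"{f['package']}@{f['version']} affected; reached via:")
        for route in f["paths"]:
            print("  " + route)
```

Two details matter for accuracy. The resolver in `locate` walks up nested node_modules directories, so when two copies of a package are installed at different depths each path is matched against the version that the consuming package actually loads. And `findings` compares the pinned version rather than the manifest range, which is the reason the Lock File Accuracy note above asks you to commit lock files: a range like ^4.18.0 may or may not cover an affected release, while 4.18.2 either is or is not in the range.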
Typical dependency tree depths by ecosystem:
| Ecosystem | Typical Depth | Notes |
|---|---|---|
| npm | 10+ levels | Large number of small, focused packages |
| Maven | 3-5 levels | Fewer, larger libraries |
| pip | 2-4 levels | Frameworks like Django bring extensive trees |
| Go | 2-3 levels | Minimal dependency philosophy |
Continuous Monitoring
Your project's security posture changes even when your code does not. New CVEs are published for existing package versions daily.
| Scan Type | When It Runs | What It Catches |
|---|---|---|
| Automatic on push | Every push to default branch and every pull request | Vulnerabilities introduced by dependency changes (new packages, version updates) |
| Manual scan | Triggered via "Scan Project" button in Radar dashboard | Newly published CVEs in dependencies that have not changed since last push |
Malicious Packages
Beyond CVEs in legitimate packages, the open-source ecosystem faces deliberate supply chain attacks.
| Attack Type | Description |
|---|---|
| Typosquatting | Packages whose names are one typo away from popular packages (e.g., lodahs instead of lodash), published to catch mistyped install commands. They typically carry data exfiltration or backdoor code |
| Dependency confusion | Attacker publishes a public package with the same name as your internal package. Some package managers install the public version if its version number is higher |
| Compromised maintainers | Attacker gains access to a legitimate maintainer's credentials and publishes a malicious version. Especially dangerous because the package name is already trusted |
Radar's vulnerability database includes known malicious packages flagged by security researchers and registry security teams. Malicious packages are reported as Critical severity findings.
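Radar flags malicious packages from its database, as described above. The example below is an added illustration, not Radar's code, of two local checks a team can run against its own lock file for the first two attack types in the table: an edit-distance comparison of installed names against a shortlist of popular packages (typosquatting), and a check that packages in a private scope were fetched from the private registry rather than the public one (dependency confusion). The lock file, popular-package shortlist, `@acme` scope and `npm.internal.acme.example` registry host are all constructed for the example.

```python
"""Added example, not Radar's own code: two local heuristics for the supply
chain attack patterns described above, run over a constructed package-lock.json."""
import json
from urllib.parse import urlparse

# Constructed lockfileVersion 3 document. 'lodahs' is a deliberate typo of
# lodash; '@acme' is a hypothetical private scope whose tarballs should only
# come from the hypothetical internal registry host below.
LOCKFILE = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "your-project"},
    "node_modules/lodahs": {"version": "4.17.21",
        "resolved": "https://registry.npmjs.org/lodahs/-/lodahs-4.17.21.tgz"},
    "node_modules/express": {"version": "4.18.2",
        "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz"},
    "node_modules/@acme/billing-core": {"version": "9.0.0",
        "resolved": "https://registry.npmjs.org/@acme/billing-core/-/billing-core-9.0.0.tgz"},
    "node_modules/@acme/auth-utils": {"version": "2.1.0",
        "resolved": "https://npm.internal.acme.example/@acme/auth-utils/-/auth-utils-2.1.0.tgz"}
  }
}""")

POPULAR = ["lodash", "express", "react", "axios", "chalk"]  # constructed shortlist
INTERNAL_SCOPES = {"@acme"}                                 # hypothetical private scope
INTERNAL_REGISTRY_HOSTS = {"npm.internal.acme.example"}     # hypothetical private registry


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent-character
    transposition, so 'lodahs' -> 'lodash' costs 1 instead of 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def installed_entries(lock):
    """Yield (name, entry) for every installed package; scoped names keep their scope."""
    for path, entry in lock["packages"].items():
        if path:
            yield path.rsplit("node_modules/", 1)[1], entry


def typosquat_candidates(lock, popular, max_distance=1):
    """Flag installed names within `max_distance` edits of a popular package.
    Exact matches are the genuine package and are skipped."""
    return [(name, pop) for name, _ in installed_entries(lock) for pop in popular
            if name != pop and osa_distance(name, pop) <= max_distance]


def confusion_candidates(lock, internal_scopes, internal_hosts):
    """Flag private-scope packages whose tarball came from a host other than the
    internal registry: a sign the public copy won resolution."""
    hits = []
    for name, entry in installed_entries(lock):
        scope = name.split("/")[0] if name.startswith("@") else None
        host = urlparse(entry.get("resolved", "")).hostname
        if scope in internal_scopes and host not in internal_hosts:
            hits.append((name, host))
    return hits


if __name__ == "__main__":
    for name, looks_like in typosquat_candidates(LOCKFILE, POPULAR):
        print(f"possible typosquat: {name} (similar to {looks_like})")
    for name, host in confusion_candidates(LOCKFILE, INTERNAL_SCOPES, INTERNAL_REGISTRY_HOSTS):
        print(f"possible dependency confusion: {name} fetched from {host}")
```

Both checks are heuristics, not a substitute for a curated malicious-package list: a distance-1 match can be a legitimate unrelated package, and the registry-host check only works when every internal package lives under a scope that is never published publicly. They do, however, run offline on the lock file you already commit and catch the two cases the table describes before a scan result arrives.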
Next Steps
Supported Ecosystems
Package ecosystems and manifest formats analyzed by SCA.
CVE Reference
CVE identifiers, CVSS scoring, and vulnerability databases.
SCA Triage and Remediation
Prioritize, triage, and remediate SCA findings with upgrade strategies and AutoFix.