This feature is currently in invite-only beta. Please contact Semgrep Support for more information.
- How a transitive dependency was introduced.
- How deeply the transitive dependency is nested in the dependency tree.
Supported languages
Semgrep generates dependency paths for most C#, Java, JavaScript, Kotlin, and Python projects.
C#
Semgrep generates dependency paths for C# projects using NuGet.
Java
Semgrep generates dependency paths for Java projects that include a maven_dep_tree.txt file whenever you invoke a scan using semgrep ci.
Semgrep can also generate dependency paths for Java projects with lockfiles, and for Java projects without lockfiles if they are built using Maven, or Gradle with the Gradle Wrapper. Dependency paths for such lockfile-less projects are available when scanning without lockfiles.
JavaScript
Semgrep generates dependency paths for JavaScript projects that use npm, yarn, or pnpm and include a lockfile whenever you invoke a scan using semgrep ci.
Kotlin
Semgrep generates dependency paths for Kotlin projects built using Maven when a maven_dep_tree.txt file is present, and for Maven or Gradle when scanning without lockfiles.
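For the Java and Kotlin cases above, the input is a maven_dep_tree.txt file, which is the text output of the Maven Dependency Plugin (for example mvn dependency:tree -DoutputFile=maven_dep_tree.txt). The block below is an added example, not Semgrep's own code, that parses a constructed tree in that format and recovers the two things a dependency path shows: the chain of artifacts through which a transitive dependency was introduced, and how deeply it is nested. It assumes Maven's default text layout (three-character cells, "+- " or "\- " connectors) and uses made-up coordinates; how Semgrep itself derives paths is not described on this page.

```python
import re

# Constructed sample of Maven dependency:tree output (a made-up project, not real data).
# Each nesting level is three characters wide: "|  " or "   " for continuation,
# then "+- " (more siblings follow) or "\- " (last child) before the coordinate.
SAMPLE_TREE = """\
com.example:app:jar:1.0.0
+- org.springframework:spring-web:jar:5.3.20:compile
|  +- org.springframework:spring-core:jar:5.3.20:compile
|  |  \\- org.springframework:spring-jcl:jar:5.3.20:compile
|  \\- org.springframework:spring-beans:jar:5.3.20:compile
\\- junit:junit:jar:4.13.2:test
   \\- org.hamcrest:hamcrest-core:jar:1.3:test
"""

# Continuation cells, then the connector, then the Maven coordinate.
LINE_RE = re.compile(r"^((?:\|  |   )*)(\+- |\\- )(\S.*)$")


def parse_tree(text):
    """Yield (depth, coordinate) pairs; the root artifact has depth 0."""
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            # No connector: this is the root artifact declared in pom.xml.
            yield 0, line.strip()
            continue
        prefix, _connector, coord = m.groups()
        yield len(prefix) // 3 + 1, coord.strip()


def dependency_paths(text):
    """Map 'group:artifact' -> list of root-to-artifact chains.

    A transitive dependency can be pulled in through several parents, so each
    entry holds one chain per place it appears; the chain is the sequence of
    coordinates that introduced it, which is what a dependency path shows.
    """
    paths = {}
    stack = []  # coordinates of the ancestors of the current line
    for depth, coord in parse_tree(text):
        del stack[depth:]  # drop everything deeper than the current parent
        stack.append(coord)
        group, artifact = coord.split(":")[:2]
        paths.setdefault(f"{group}:{artifact}", []).append(list(stack))
    return paths


def path_for(text, group_artifact):
    """All root-to-dependency chains for one 'group:artifact'."""
    return dependency_paths(text).get(group_artifact, [])


def nesting_depth(text, group_artifact):
    """How deep the artifact sits: 1 = direct dependency, 2 or more = transitive.

    Returns None when the artifact is absent, and the shallowest depth when it
    is introduced through more than one parent (the shortest chain is the one
    you would fix first).
    """
    chains = path_for(text, group_artifact)
    return min(len(chain) - 1 for chain in chains) if chains else None


if __name__ == "__main__":
    for chain in path_for(SAMPLE_TREE, "org.springframework:spring-jcl"):
        print(" -> ".join(chain))
    print(nesting_depth(SAMPLE_TREE, "org.springframework:spring-jcl"))  # 3
```

Run against a real maven_dep_tree.txt, this gives you the same answer the platform's Transitive view gives for a finding: which direct dependency to upgrade or exclude to remove a vulnerable transitive artifact. The default tree only prints the version Maven actually resolved, so artifacts that lost a version conflict do not appear unless the tree was generated with -Dverbose=true.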
Python
Semgrep generates dependency paths for Python projects that use the following package managers:
- poetry, with a poetry.lock file
- uv (requires Semgrep version 1.127.0 or later)
- Pipenv
- pip-tools
- pip, with a requirements.txt file
View the dependency path
After you have been added to the beta and a new scan completes on a repository, view the dependency paths in Semgrep AppSec Platform on:
- The Details page for a transitive finding.
- The Supply Chain > Dependencies tab when you view a transitive dependency; click Transitive to see the dependency path.