Dependencies (SCA)

Software Composition Analysis for known vulnerabilities in third-party libraries.

SCA (Software Composition Analysis) is PrismSec's dependency vulnerability scanner. It identifies known security vulnerabilities (CVEs) in your third-party libraries and frameworks, recommends safe upgrade paths, and automatically generates fix PRs to update vulnerable dependencies.

Modern applications rely on hundreds of dependencies — PrismSec ensures none of them introduce exploitable security flaws.

What Dependency Scanning Detects

PrismSec scans your dependency manifests and lock files to identify:

  • Known CVEs — Publicly disclosed vulnerabilities in open-source libraries
  • Transitive dependencies — Vulnerabilities in nested dependencies (dependencies of dependencies)
  • Deprecated packages — Libraries that are no longer maintained
  • License violations — Dependencies with incompatible licenses (configurable)

Supported Package Managers

PrismSec supports the most popular package ecosystems:

| Language | Package Managers | Manifest Files |
|----------|------------------|----------------|
| JavaScript / TypeScript | npm, Yarn, pnpm | package.json, package-lock.json, yarn.lock, pnpm-lock.yaml |
| Python | pip, Poetry, Pipenv | requirements.txt, Pipfile, Pipfile.lock, pyproject.toml, poetry.lock |
| Java | Maven, Gradle | pom.xml, build.gradle, build.gradle.kts |
| Go | Go modules | go.mod, go.sum |
| PHP | Composer | composer.json, composer.lock |

How Dependency Scanning Works

1. Manifest Parsing

PrismSec parses your dependency manifest files to build a dependency tree:

your-app@1.0.0
├── express@4.17.1
│   ├── body-parser@1.19.0
│   ├── cookie@0.4.0
│   └── qs@6.7.0
├── lodash@4.17.15 (VULNERABLE)
└── axios@0.21.1 (VULNERABLE)
    └── follow-redirects@1.13.0 (VULNERABLE)

2. CVE Database Lookup

PrismSec queries multiple vulnerability databases:

  • National Vulnerability Database (NVD) — U.S. government CVE database
  • GitHub Advisory Database — GitHub's curated security advisories
  • Ecosystem-specific databases — npm advisory, PyPI security, RubySec, etc.

For each dependency, PrismSec checks if the installed version is affected by any known CVEs.

3. Reachability Analysis

Not all vulnerable dependencies are exploitable in your code. PrismSec performs reachability analysis to determine if vulnerable functions are actually called:

Example:

// You depend on lodash@4.17.15, which has a CVE in the `template()` function
const _ = require('lodash');
 
// Your code only uses _.map(), not _.template()
const result = _.map(data, (item) => item.id);

PrismSec finding:

🟡 Medium: Dependency Vulnerability (lodash@4.17.15, CVE-2020-8203)

Severity downgraded from High to Medium because the vulnerable function
(_.template()) is not reachable in your code.

Recommendation: Upgrade to lodash@4.17.21 or higher.

Reachability analysis reduces noise by focusing on vulnerabilities that are actually exploitable in your application.
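As an added illustration of the idea behind step 3 (this is not PrismSec's own analyser), the block below performs a naive, text-based reachability check for the lodash case described above. The advisory record, the two application sources and the `assess` helper are constructed for this example, and the import parsing is deliberately limited to simple `require` forms.

```javascript
// Added example, not PrismSec's analyser: a deliberately simple text-based
// reachability check. Real SCA reachability works on a call graph; this version
// only understands `const X = require('pkg')` and `const { a, b: c } = require('pkg')`
// imports, so treat its "not reachable" answer as a hint, never as proof.
const SEVERITIES = ['Low', 'Medium', 'High', 'Critical'];
const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Collect how `pkg` is imported: namespace aliases and destructured names.
function importsOf(source, pkg) {
  const aliases = [], names = [];
  const re = new RegExp(
    `(?:const|let|var)\\s+(\\{[^}]*\\}|[\\w$]+)\\s*=\\s*require\\(\\s*['"]${esc(pkg)}['"]\\s*\\)`, 'g');
  for (const m of source.matchAll(re)) {
    if (!m[1].startsWith('{')) { aliases.push(m[1]); continue; }
    for (const part of m[1].slice(1, -1).split(',')) {
      const [imported, local = imported] = part.trim().split(/\s*:\s*/);
      if (imported) names.push({ imported, local });
    }
  }
  return { aliases, names };
}

// True when the source contains a call to `fn` exported by `pkg`.
function isReachable(source, pkg, fn) {
  const { aliases, names } = importsOf(source, pkg);
  const callees = [
    ...aliases.map((a) => `${esc(a)}\\.${esc(fn)}`),
    ...names.filter((n) => n.imported === fn).map((n) => esc(n.local)),
  ];
  return callees.some((c) => new RegExp(`(^|[^\\w$.])${c}\\s*\\(`).test(source));
}

// Downgrade one severity level when no vulnerable function is reachable,
// mirroring the High -> Medium downgrade in the lodash finding above.
function assess(source, adv) {
  const reachable = adv.vulnerableFunctions.some((fn) => isReachable(source, adv.pkg, fn));
  const idx = SEVERITIES.indexOf(adv.severity);
  return { cve: adv.cve, reachable, severity: reachable ? adv.severity : SEVERITIES[Math.max(0, idx - 1)] };
}

// Constructed advisory and application sources for the lodash case on this page.
const LODASH_ADVISORY = { pkg: 'lodash', cve: 'CVE-2020-8203', severity: 'High', vulnerableFunctions: ['template'] };
const USES_MAP_ONLY = "const _ = require('lodash');\nconst result = _.map(data, (item) => item.id);";
const USES_TEMPLATE = "const { template } = require('lodash');\nconst html = template(userTpl)({});";

console.log(assess(USES_MAP_ONLY, LODASH_ADVISORY)); // reachable: false, severity: 'Medium'
console.log(assess(USES_TEMPLATE, LODASH_ADVISORY)); // reachable: true, severity: 'High'
```

A renamed destructured import (`const { template: tpl } = require('lodash')`) is also resolved, which is exactly the kind of aliasing a plain grep for `_.template(` would miss.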

4. Safe Upgrade Recommendations

PrismSec identifies the minimum safe version to upgrade to — avoiding breaking changes when possible:

  • Patch version bump (e.g., 4.17.15 → 4.17.21) — Preferred, usually safe
  • Minor version bump (e.g., 4.17.21 → 4.18.0) — May introduce new features, but backward-compatible
  • Major version bump (e.g., 4.17.21 → 5.0.0) — May require code changes
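An added example (not PrismSec code) that ties steps 1, 2 and 4 together: it walks a constructed lock-file-style tree, matches each package against a constructed advisory list holding the two CVEs documented on this page, and reports direct and transitive findings with the dependency path and the minimum safe version. `compareVersions`, `scanTree`, `severityFor` and the sample tree are all assumptions of the example.

```javascript
// Added example, not PrismSec code: walk a constructed lock-file-style tree, match
// packages against constructed advisories, and report path plus minimum safe version.
// Numeric comparison of "x.y.z" strings: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
// Severity buckets taken from the CVSS mapping table on this page.
function severityFor(cvss) {
  return cvss >= 9.0 ? 'Critical' : cvss >= 7.0 ? 'High' : cvss >= 4.0 ? 'Medium' : 'Low';
}
// Constructed advisories (the two CVEs on this page); "version < fixedIn" models "Affected Versions: < x.y.z".
const ADVISORIES = [
  { pkg: 'axios', cve: 'CVE-2021-3749', fixedIn: '0.21.2', cvss: 8.1 },
  { pkg: 'qs', cve: 'CVE-2022-24999', fixedIn: '6.7.3', cvss: 7.5 },
];

// Depth-first walk; `minCvss` plays the role of min_cvss_score in prismsec.yml.
function scanTree(root, advisories, minCvss = 0) {
  const findings = [];
  const walk = (name, node, path) => {
    const here = [...path, path.length ? `${name}@${node.version}` : name];
    for (const adv of advisories) {
      if (adv.pkg !== name || adv.cvss < minCvss) continue;
      if (compareVersions(node.version, adv.fixedIn) >= 0) continue; // already fixed
      findings.push({
        pkg: name, version: node.version, cve: adv.cve,
        kind: here.length > 2 ? 'Transitive' : 'Direct', // root -> dep is direct
        severity: severityFor(adv.cvss), path: here.join(' → '),
        upgradeTo: adv.fixedIn, // minimum safe version
      });
    }
    for (const [dep, child] of Object.entries(node.dependencies || {})) walk(dep, child, here);
  };
  walk(root.name, root, []);
  return findings;
}

// Constructed lock-file-style tree mirroring the example tree above.
const LOCK_TREE = { name: 'your-app', version: '1.0.0', dependencies: {
  express: { version: '4.17.1', dependencies: { qs: { version: '6.5.2' } } },
  axios: { version: '0.21.1' },
} };

console.log(scanTree(LOCK_TREE, ADVISORIES, 5.0)); // two findings: qs (Transitive), axios (Direct)
```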

Example Findings

Direct Dependency Vulnerability

Vulnerable manifest:

{
  "dependencies": {
    "axios": "0.21.1"
  }
}

PrismSec finding:

🔴 Critical: Dependency Vulnerability (axios@0.21.1, CVE-2021-3749)

File: package.json
Line: 3

Description:
axios@0.21.1 is vulnerable to Server-Side Request Forgery (SSRF).
An attacker can craft requests that bypass hostname validation and access
internal services.

CVE: CVE-2021-3749
CVSS Score: 8.1 (High)
Affected Versions: < 0.21.2

Recommendation:
Upgrade to axios@0.21.2 or higher:

npm install axios@^0.21.2

Or update package.json:

"axios": "^0.21.2"

Transitive Dependency Vulnerability

Dependency tree:

your-app@1.0.0
└── express@4.17.1
    └── qs@6.5.2 (VULNERABLE)

PrismSec finding:

🟠 High: Transitive Dependency Vulnerability (qs@6.5.2, CVE-2022-24999)

File: package-lock.json
Line: 1234

Description:
The package `qs` (a dependency of `express`) is vulnerable to Prototype Pollution.
An attacker can pollute the Object prototype, potentially leading to remote code execution.

CVE: CVE-2022-24999
CVSS Score: 7.5 (High)
Affected Versions: < 6.7.3

Dependency Path:
your-app → express@4.17.1 → qs@6.5.2

Recommendation:
Upgrade express to a version that depends on qs@6.7.3 or higher:

npm install express@^4.18.0

Deprecated Package

Vulnerable manifest:

{
  "dependencies": {
    "request": "2.88.2"
  }
}

PrismSec finding:

🟡 Medium: Deprecated Package (request@2.88.2)

File: package.json
Line: 3

Description:
The `request` package has been deprecated and is no longer maintained.
It will not receive security updates.

Recommendation:
Migrate to a maintained alternative:

- `axios` (https://www.npmjs.com/package/axios)
- `node-fetch` (https://www.npmjs.com/package/node-fetch)
- `got` (https://www.npmjs.com/package/got)

Auto-Fix Support

PrismSec can automatically fix many dependency vulnerabilities by updating the version in your manifest file:

Example auto-fix:

# package.json
{
  "dependencies": {
-   "axios": "0.21.1"
+   "axios": "0.21.2"
  }
}

For transitive dependencies, PrismSec may update the parent dependency:

{
  "dependencies": {
-   "express": "4.17.1"
+   "express": "4.18.0"
  }
}

Auto-fix PRs include a changelog and test instructions to help you validate the upgrade.

Configuring Dependency Scanning

Customize dependency scanning in prismsec.yml:

dependencies:
  # Enable reachability analysis
  reachability_analysis: true
  
  # Minimum CVSS score to report (0.0 - 10.0)
  min_cvss_score: 5.0
  
  # Allowed licenses (all others flagged)
  allowed_licenses:
    - MIT
    - Apache-2.0
    - BSD-3-Clause
    - ISC
  
  # Ignore specific CVEs (use sparingly)
  ignore_cves:
    - CVE-2021-12345  # Requires justification

CVSS Severity Mapping

PrismSec maps CVSS scores to severity levels:

| CVSS Score | Severity | Description |
|------------|----------|-------------|
| 9.0 – 10.0 | Critical | Remote code execution, complete system compromise |
| 7.0 – 8.9 | High | Data exfiltration, privilege escalation, authentication bypass |
| 4.0 – 6.9 | Medium | Information disclosure, denial of service |
| 0.1 – 3.9 | Low | Limited impact, requires specific conditions |

Best Practices

Keep Dependencies Up to Date

Regularly update dependencies to patch vulnerabilities:

# npm
npm update
 
# Python
pip install --upgrade -r requirements.txt
 
# Go
go get -u all

Pin Versions in Lock Files

Use lock files (package-lock.json, poetry.lock, etc.) to ensure consistent dependency versions across environments.

Review Upgrade Impact

Before merging auto-fix PRs:

  1. Review the changelog — Check for breaking changes
  2. Run tests — Ensure the upgrade doesn't break functionality
  3. Check CVSS details — Understand the vulnerability's impact

Use Reachability Analysis

Enable reachability analysis to reduce noise:

dependencies:
  reachability_analysis: true

This focuses on vulnerabilities that are actually exploitable in your code.

Audit Licenses

Ensure dependencies comply with your project's license policy:

dependencies:
  allowed_licenses:
    - MIT
    - Apache-2.0
    - BSD-3-Clause

Limitations

  • Zero-day vulnerabilities — PrismSec cannot detect undisclosed vulnerabilities
  • Custom/private packages — PrismSec scans public package registries; private packages are not analyzed
  • Build-time dependencies — Some vulnerabilities only affect build tools (not runtime code)

Next Steps