Engine 3 of 7

Dependencies Engine

Comprehensive dependency vulnerability scanning with CVE tracking, license compliance, and automated remediation across all major package ecosystems.

Overview

The Dependencies Engine scans your project's dependency tree to identify known vulnerabilities (CVEs), outdated packages, and license compliance issues. It goes beyond direct dependencies to analyze the entire transitive dependency graph.

Why Dependencies Matter

85% of code in modern apps comes from dependencies
6x more vulnerabilities in dependencies than in custom code
23 days average time between CVE disclosure and exploit

Vulnerability Databases

Bloodhound aggregates vulnerability data from multiple authoritative sources for comprehensive coverage.

NVD (NIST): real-time, 200K+ vulnerability entries
GitHub Advisory: real-time, 50K+ vulnerability entries
OSV Database: hourly, 40K+ vulnerability entries
Snyk Intel: daily, 30K+ vulnerability entries

Dependency Resolution

The engine supports all major package ecosystems with native lockfile parsing for accurate version resolution. Scan from the lockfile wherever the ecosystem has one: a manifest such as package.json declares version ranges, while the lockfile records the versions that were actually installed, and those are what an advisory's affected range has to be matched against.

npm: package.json (resolved versions in package-lock.json, yarn.lock or pnpm-lock.yaml)
PyPI: requirements.txt (exact only when pinned with ==, otherwise use Pipfile.lock or poetry.lock)
Maven: pom.xml (no lockfile; resolved versions come from the effective POM)
Cargo: Cargo.toml (resolved versions in Cargo.lock)
Go Modules: go.mod (go.sum records module checksums; the resolved module set comes from go list -m all)
NuGet: *.csproj (resolved versions in packages.lock.json when lock files are enabled)
Bash
# Dependency scan output example
$ bloodhound scan --mode dependencies

📦 Scanning dependencies...

Found 847 packages (124 direct, 723 transitive)

┌─────────────────────────────────────────────────────────────┐
│ CRITICAL: minimist@1.2.5                                    │
│ CVE-2021-44906 - Prototype Pollution                        │
│ CVSS: 9.8 │ Fixed in: 1.2.6                                 │
│ Path: mocha → mkdirp → minimist                             │
├─────────────────────────────────────────────────────────────┤
│ HIGH: axios@0.21.0                                          │
│ CVE-2021-3749 - ReDoS in trim()                             │
│ CVSS: 7.5 │ Fixed in: 0.21.2                                │
│ Path: (direct dependency)                                   │
├─────────────────────────────────────────────────────────────┤
│ HIGH: lodash@4.17.15                                        │
│ CVE-2021-23337 - Command Injection via template()           │
│ CVSS: 7.2 │ Fixed in: 4.17.21                               │
│ Path: express → body-parser → qs → lodash                   │
└─────────────────────────────────────────────────────────────┘

Summary: 3 critical, 5 high, 12 medium, 8 low

Transitive Dependencies

Most vulnerabilities hide in transitive (indirect) dependencies. Bloodhound traces the complete dependency graph to find them.

Dependency Path Analysis

your-app
└─ express@4.18.2
   └─ body-parser@1.20.1
      └─ qs@6.11.0
         └─ lodash@4.17.15   ← CVE-2021-23337
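The resolution described above (lockfile in, root-to-package paths out), as an added example that is not Bloodhound's code. It reads an npm lockfileVersion 3 document, reproduces Node's nearest-node_modules lookup so that an unhoisted nested copy is attributed to the package that actually loads it, and reports every path to a version inside an advisory range. The lockfile, the advisory ranges (abbreviated to OSV-style introduced/fixed pairs) and the qs → lodash edge are constructed to match the tree on this page; the real qs package has no lodash dependency.

```python
import json

# Constructed package-lock.json (lockfileVersion 3). Keys are node_modules paths;
# node_modules/mkdirp/node_modules/minimist is an unhoisted copy that only mkdirp
# resolves to, while the top-level minimist is a patched version the root uses.
LOCKFILE = json.loads("""
{
  "name": "your-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "your-app",
         "dependencies": {"express": "^4.18.2", "axios": "^0.21.0"},
         "devDependencies": {"mocha": "^7.2.0", "minimist": "^1.2.8"}},
    "node_modules/express":     {"version": "4.18.2", "dependencies": {"body-parser": "1.20.1"}},
    "node_modules/body-parser": {"version": "1.20.1", "dependencies": {"qs": "6.11.0"}},
    "node_modules/qs":          {"version": "6.11.0", "dependencies": {"lodash": "^4.17.15"}},
    "node_modules/lodash":      {"version": "4.17.15"},
    "node_modules/axios":       {"version": "0.21.0"},
    "node_modules/mocha":       {"version": "7.2.0", "dev": true, "dependencies": {"mkdirp": "0.5.5"}},
    "node_modules/mkdirp":      {"version": "0.5.5", "dev": true, "dependencies": {"minimist": "1.2.5"}},
    "node_modules/mkdirp/node_modules/minimist": {"version": "1.2.5", "dev": true},
    "node_modules/minimist":    {"version": "1.2.8", "dev": true}
  }
}
""")

# Constructed advisory list; ranges are abbreviated (real OSV records carry full event lists).
ADVISORIES = [
    {"id": "CVE-2021-23337", "package": "lodash",   "introduced": "0",     "fixed": "4.17.21"},
    {"id": "CVE-2021-3749",  "package": "axios",    "introduced": "0",     "fixed": "0.21.2"},
    {"id": "CVE-2021-44906", "package": "minimist", "introduced": "1.0.0", "fixed": "1.2.6"},
]


def parse_version(v):
    """Numeric core of a semver string; prerelease and build metadata are dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("+")[0].split("."))


def is_affected(version, introduced, fixed):
    """introduced <= version < fixed (fixed=None means no patched release yet)."""
    v = parse_version(version)
    return parse_version(introduced) <= v and (fixed is None or v < parse_version(fixed))


def resolve(packages, from_key, name):
    """Mimic Node's lookup: the nearest node_modules/<name> walking up from the
    requiring package's own directory to the project root."""
    base = from_key
    while True:
        candidate = (base + "/" if base else "") + "node_modules/" + name
        if candidate in packages:
            return candidate
        if not base:
            return None  # e.g. an optional dependency that was never installed
        # Step to the parent package by dropping the trailing node_modules/<pkg>.
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def build_graph(packages):
    """Edges from each lockfile entry to the entries its dependencies resolve to."""
    graph = {}
    for key, meta in packages.items():
        wanted = dict(meta.get("dependencies", {}))
        if key == "":  # only the root installs devDependencies
            wanted.update(meta.get("devDependencies", {}))
        graph[key] = [t for t in (resolve(packages, key, d) for d in wanted) if t]
    return graph


def name_of(key):
    return key.rsplit("node_modules/", 1)[-1]  # keeps @scope/name intact


def find_vulnerable_paths(packages, advisories):
    """Every path from the project root to a package whose installed version
    falls inside an advisory range; a package reachable two ways yields two findings."""
    graph = build_graph(packages)
    findings = []

    def walk(key, path, seen):
        for child in graph[key]:
            if child in seen:  # npm graphs may contain cycles
                continue
            version = packages[child]["version"]
            label = f"{name_of(child)}@{version}"
            for adv in advisories:
                if adv["package"] == name_of(child) and is_affected(version, adv["introduced"], adv["fixed"]):
                    findings.append({"id": adv["id"], "package": label, "fixed": adv["fixed"],
                                     "path": path + [label], "dev": bool(packages[child].get("dev"))})
            walk(child, path + [label], seen | {child})

    walk("", [], {""})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_paths(LOCKFILE["packages"], ADVISORIES):
        print(f'{f["id"]}: {f["package"]} ({"dev" if f["dev"] else "prod"}) fixed in {f["fixed"]}')
        print("  path: " + " → ".join(f["path"]))
```

Two details matter in practice: the nested minimist@1.2.5 is reported even though the top-level minimist is already patched, because the lookup is done from mkdirp's directory rather than from the root; and the `dev` flag is carried through so a consumer can rank a test-only finding below one that ships to production.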

Phantom Dependencies

A phantom dependency is a package your code imports but never explicitly installed or declared in its manifest: it is present only because the package manager hoisted it into node_modules on behalf of some other dependency. Nothing pins its version, it can change or disappear on an unrelated update, and a scan driven by the manifest alone never sees it. Bloodhound finds these hidden risks in your dependency tree.
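A check for the phantom dependencies described above, as an added example that is not Bloodhound's code: it extracts import specifiers from source files, maps each to the npm package that provides it (scoped names and subpath imports included, relative paths and Node built-ins skipped) and reports whatever package.json does not declare. The manifest and source files are constructed inline; the built-in list is a short subset rather than the full `module.builtinModules`.

```python
import re

# Constructed manifest and sources for this example.
MANIFEST = {
    "dependencies": {"express": "^4.18.2", "axios": "^0.21.0", "@aws-sdk/client-s3": "^3.0.0"},
    "devDependencies": {"mocha": "^7.2.0"},
}

SOURCES = {
    "src/server.js": """
        const express = require('express');
        const { v4: uuid } = require('uuid');          // undeclared, present only via hoisting
        import { S3Client } from '@aws-sdk/client-s3';
        import get from 'lodash/get';                  // undeclared subpath import
        const fs = require('node:fs');
        const helper = require('./lib/helper');
    """,
    "test/app.test.js": """
        const assert = require('assert');
        const sinon = require('sinon');                // undeclared dev-time import
    """,
}

# Subset of Node built-ins; a real tool would use module.builtinModules.
NODE_BUILTINS = {"assert", "buffer", "child_process", "crypto", "events", "fs", "http",
                 "https", "net", "os", "path", "stream", "url", "util", "zlib"}

# Matches require('x'), import ... from 'x' and bare import 'x'.
IMPORT_RE = re.compile(r"""(?:require\(\s*|\bfrom\s+|^\s*import\s+)['"]([^'"]+)['"]""", re.M)


def package_name(specifier):
    """npm package that provides an import specifier, or None for relative
    paths and Node built-ins. '@scope/pkg/sub' -> '@scope/pkg', 'lodash/get' -> 'lodash'."""
    if specifier.startswith((".", "/", "node:")):
        return None
    parts = specifier.split("/")
    name = "/".join(parts[:2]) if specifier.startswith("@") else parts[0]
    return None if name in NODE_BUILTINS else name


def find_phantom_dependencies(manifest, sources):
    """Map each undeclared package to the files that import it."""
    declared = set(manifest.get("dependencies", {})) | set(manifest.get("devDependencies", {}))
    phantoms = {}
    for path, code in sources.items():
        for spec in IMPORT_RE.findall(code):
            name = package_name(spec)
            if name and name not in declared:
                phantoms.setdefault(name, []).append(path)
    return phantoms


if __name__ == "__main__":
    for name, files in find_phantom_dependencies(MANIFEST, SOURCES).items():
        print(f"phantom dependency {name}: imported by {', '.join(files)} but not in package.json")
```

Each hit is a package whose version is decided by whichever dependency happened to hoist it; the fix is to declare it (with a range) so the lockfile pins it and the scanner can see it.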

License Compliance

Beyond security, the engine tracks open source licenses to ensure compliance with your organization's policies. License names in the policy are SPDX identifiers; note that SPDX now marks the bare forms GPL-2.0, GPL-3.0 and LGPL-* as deprecated in favour of the -only / -or-later variants, so list whichever form your scanner actually reports, or both.

YAML
# License policy configuration
# .bloodhound/license-policy.yaml

allowed:
  - MIT
  - Apache-2.0
  - BSD-2-Clause
  - BSD-3-Clause
  - ISC

restricted:   # Require approval
  - LGPL-2.1
  - LGPL-3.0
  - MPL-2.0

denied:       # Block completely
  - GPL-2.0
  - GPL-3.0
  - AGPL-3.0

exceptions:
  - package: "some-gpl-package"
    license: "GPL-3.0"
    reason: "Approved by legal team on 2024-01-15"
    approved_by: "legal@company.com"
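How a policy like the one above gets applied to a scanned package list, as an added example that is not Bloodhound's code. The policy is the page's YAML restated as a Python dict so the example runs without a YAML parser; the package list is constructed. The part worth seeing is the handling of SPDX compound expressions: an OR lets the consumer pick the most permissive alternative, an AND binds all parts and so takes the strictest verdict, and a missing or unrecognised license lands in its own "unknown" bucket instead of silently passing.

```python
import re

# The page's license-policy.yaml as a dict (constructed for this example).
POLICY = {
    "allowed": ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"],
    "restricted": ["LGPL-2.1", "LGPL-3.0", "MPL-2.0"],
    "denied": ["GPL-2.0", "GPL-3.0", "AGPL-3.0"],
    "exceptions": [{"package": "some-gpl-package", "license": "GPL-3.0",
                    "reason": "Approved by legal team on 2024-01-15",
                    "approved_by": "legal@company.com"}],
}

# Strictness order; "unknown" sits above "restricted" so it is never waved through.
RANK = {"allowed": 0, "restricted": 1, "unknown": 2, "denied": 3}

# Constructed scan output: (package, version, SPDX expression from its metadata).
PACKAGES = [
    ("lodash", "4.17.21", "MIT"),
    ("some-gpl-package", "1.0.0", "GPL-3.0"),
    ("internal-fork", "2.0.0", "AGPL-3.0"),
    ("dual-licensed-lib", "3.1.0", "MIT OR GPL-3.0"),
    ("mixed-lib", "0.9.0", "LGPL-3.0 AND MIT"),
    ("no-license-field", "1.0.0", ""),
]


def classify(license_id, policy):
    """Single identifier -> verdict; denied wins if an id is listed twice."""
    for verdict in ("denied", "restricted", "allowed"):
        if license_id in policy[verdict]:
            return verdict
    return "unknown"


def evaluate_expression(expr, policy):
    """SPDX operators without parentheses: AND binds tighter than OR.
    OR -> most permissive option (consumer's choice); AND -> strictest part."""
    options = []
    for option in re.split(r"\s+OR\s+", expr.strip()):
        terms = re.split(r"\s+AND\s+", option)
        options.append(max((classify(t.strip(), policy) for t in terms), key=RANK.get))
    return min(options, key=RANK.get)


def check_packages(packages, policy):
    """Verdict per package, applying the policy's exceptions by (package, license)."""
    exceptions = {(e["package"], e["license"]) for e in policy.get("exceptions", [])}
    report = []
    for name, version, license_expr in packages:
        verdict, note = evaluate_expression(license_expr, policy), ""
        if verdict in ("denied", "restricted") and (name, license_expr) in exceptions:
            verdict, note = "allowed", "exception on file"
        report.append({"package": f"{name}@{version}", "license": license_expr or "NOASSERTION",
                       "verdict": verdict, "note": note})
    return report


def has_blockers(report):
    """True when the build should fail: anything denied, or unknown licenses to triage."""
    return any(r["verdict"] in ("denied", "unknown") for r in report)


if __name__ == "__main__":
    report = check_packages(PACKAGES, POLICY)
    for r in report:
        print(f'{r["verdict"]:10} {r["package"]:28} {r["license"]:18} {r["note"]}')
    raise SystemExit(1 if has_blockers(report) else 0)
```

Exceptions are matched on the exact expression, so an approval for "GPL-3.0" does not cover the same package if it later reports "GPL-3.0-only"; that is deliberate, since a license change is exactly the event legal wants to re-review.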

Auto-Remediation

Bloodhound can automatically fix vulnerable dependencies by updating to patched versions. Compatibility is judged by semver: patch and minor bumps are applied automatically, while a major bump (or, for a 0.x package, a minor bump, which semver also treats as breaking) is left for manual review.

Bash
# Automatic remediation
$ bloodhound fix --mode dependencies

🔧 Analyzing fixes...

The following updates are available:

Package    Current   Fixed     Breaking?
─────────────────────────────────────────────
lodash     4.17.15   4.17.21   No (patch)
axios      0.21.0    0.21.4    No (patch)
minimist   1.2.5     1.2.8     No (patch)
webpack    4.46.0    5.88.0    Yes (major)

Apply safe updates (patch/minor only)? [Y/n] y

✓ Updated 3 packages
✓ Resolved 8 vulnerabilities
⚠ 1 vulnerability requires manual review (webpack)

Generating pull request...
→ PR #142: Security: Update vulnerable dependencies
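The selection behind the table above, as an added example that is not Bloodhound's code: for each vulnerable package it takes the highest published release at or beyond the first fixed version that is still a non-breaking bump under semver, and otherwise flags the upgrade for manual review. Prereleases are skipped, and a 0.x package treats a minor bump as breaking. The version lists and the webpack fix version (5.0.0) are constructed; real lists come from `npm view <pkg> versions --json`.

```python
# Constructed inputs: (package, installed, first fixed release, versions the registry lists).
FINDINGS = [
    ("lodash",   "4.17.15", "4.17.21", ["4.17.15", "4.17.19", "4.17.20", "4.17.21"]),
    ("axios",    "0.21.0",  "0.21.2",  ["0.21.0", "0.21.1", "0.21.2", "0.21.4", "0.22.0", "1.0.0-alpha.1", "1.6.0"]),
    ("minimist", "1.2.5",   "1.2.6",   ["1.2.5", "1.2.6", "1.2.7", "1.2.8"]),
    ("webpack",  "4.46.0",  "5.0.0",   ["4.46.0", "5.76.0", "5.88.0"]),  # fix version assumed
]


def parse_version(v):
    """Numeric core of a semver string; prerelease and build metadata are dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("+")[0].split("."))


def bump_kind(current, candidate):
    """'patch', 'minor' or 'major'. Under semver a 0.x line treats a minor bump
    as breaking, so 0.21.x -> 0.22.0 is reported as 'major'."""
    cur, cand = parse_version(current), parse_version(candidate)
    if cur[0] != cand[0] or (cur[0] == 0 and cur[1] != cand[1]):
        return "major"
    return "minor" if cur[1] != cand[1] else "patch"


def choose_fix(current, fixed, available):
    """(version, kind, breaking) for the upgrade that closes the advisory:
    the highest non-prerelease >= fixed that is not a major bump; if only
    major bumps remain, the latest of them, marked breaking. None if nothing fixes it."""
    fixed_v = parse_version(fixed)
    candidates = sorted((v for v in available if "-" not in v and parse_version(v) >= fixed_v),
                        key=parse_version)
    if not candidates:
        return None
    safe = [v for v in candidates if bump_kind(current, v) != "major"]
    if safe:
        return safe[-1], bump_kind(current, safe[-1]), False
    return candidates[-1], "major", True


def plan_fixes(findings):
    """Split findings into updates that can be applied unattended and ones needing review."""
    plan = {"auto": [], "manual": []}
    for name, current, fixed, available in findings:
        choice = choose_fix(current, fixed, available)
        if choice is None:
            plan["manual"].append((name, current, None, "no fixed release published"))
            continue
        version, kind, breaking = choice
        (plan["manual"] if breaking else plan["auto"]).append((name, current, version, kind))
    return plan


if __name__ == "__main__":
    plan = plan_fixes(FINDINGS)
    print(f"{'Package':10} {'Current':9} {'Fixed':9} Breaking?")
    for name, current, version, kind in plan["auto"]:
        print(f"{name:10} {current:9} {version:9} No ({kind})")
    for name, current, version, kind in plan["manual"]:
        print(f"{name:10} {current:9} {version or '-':9} Yes ({kind})")
```

Picking the highest compatible release rather than the first fixed one is why minimist goes to 1.2.8 and not 1.2.6: later patches in the same line usually carry further fixes, and the semver contract is the same either way. Whether that contract holds is still worth a test run before the PR merges; semver is a promise by the maintainer, not a guarantee.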

CI/CD Integration

Configure auto-fix in your CI pipeline to automatically create PRs for security updates. See the CI/CD integration guide.