
Depex

Description

Depex builds complete dependency graphs from package manifest files (package.json, requirements.txt, pom.xml, etc.), stores them in a Neo4j graph database and enriches them with known-vulnerability data.

Purpose

Depex is a tool for building complete dependency graphs from package manifests and analyzing them for security risks.

It helps organizations and developers:

  • Identify direct and transitive dependencies across multiple ecosystems (npm, pip, Maven, Cargo, etc.)
  • Enrich dependency data with known vulnerabilities
  • Visualize and explore relationships using a Neo4j graph database
  • Audit software components for supply chain security
  • Support impact analysis and decision-making during vulnerability response

Video tutorial

Prerequisites

  • Docker
  • Git LFS
  • GitHub API Key

Deployment requirements

  1. Docker, to deploy the tool.

  2. Git Large File Storage (git-lfs), so that the seed files in the repository are cloned as real data rather than as LFS pointer stubs.

Deployment with docker

Step 1

Create a .env file from template.env. Keep .env out of version control: it will hold your GitHub token and the JWT secret.

Get API Keys

  • How to get a GitHub API key.

  • Replace the JSON Web Token (JWT) secret key with your own. You can generate one (32 random bytes, hex-encoded) with the command node -e "console.log(require('crypto').randomBytes(32).toString('hex'))".

Step 2

Create the graphs folder inside the seeds folder in the root of the project, download the graph seed from this link, and place it in the graphs folder.

Step 3

Run the command docker compose up --build.

Step 4

Enter here for the frontend Web API.
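The deployment steps above, collected into one preflight script. This is an added example written for this page, not a script shipped with Depex. It assumes, because the README does not say, that the JWT secret variable in template.env is named JWT_SECRET_KEY, that the seeds live under seeds/graphs, and that Docker Compose v2 (docker compose) is installed. It generates the secret from /dev/urandom instead of the node one-liner so it works without Node installed, refuses to rotate a secret that is already set, and catches the most common git-lfs mistake: seed files that are still LFS pointer stubs rather than data.

```shell
#!/bin/sh
# depex-preflight.sh: added example for this page, not part of Depex.
# Assumptions (not stated in the README): the secret variable in template.env is
# JWT_SECRET_KEY, seeds go in ./seeds/graphs, and Docker Compose v2 is in use.

# Step 1: 32 random bytes as 64 hex characters, the same shape as the README's
# node one-liner, but read from /dev/urandom so Node is not required.
gen_jwt_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# True when the value is exactly 64 lowercase hex characters.
is_valid_secret() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Step 1: create .env from template.env and set the JWT secret.
# An existing valid secret is kept: rotating it would invalidate issued tokens.
write_env() {
    env_dir=$1; new_secret=$2
    [ -f "$env_dir/.env" ] || cp "$env_dir/template.env" "$env_dir/.env"
    current=$(sed -n 's/^JWT_SECRET_KEY=//p' "$env_dir/.env" | head -n 1)
    if ! is_valid_secret "$current"; then
        if grep -q '^JWT_SECRET_KEY=' "$env_dir/.env"; then
            # Rewrite via a temp file: sed -i differs between GNU and BSD sed.
            sed "s/^JWT_SECRET_KEY=.*/JWT_SECRET_KEY=$new_secret/" "$env_dir/.env" \
                > "$env_dir/.env.tmp" && mv "$env_dir/.env.tmp" "$env_dir/.env"
        else
            printf 'JWT_SECRET_KEY=%s\n' "$new_secret" >> "$env_dir/.env"
        fi
    fi
    chmod 600 "$env_dir/.env"   # the file holds the GitHub token and the JWT secret
}

# Prerequisites: Docker with Compose v2, and git-lfs.
check_tools() {
    docker compose version >/dev/null 2>&1 || { echo "docker compose not found" >&2; return 1; }
    git lfs version >/dev/null 2>&1 || { echo "git-lfs not installed" >&2; return 1; }
}

# Step 2: seeds/graphs must exist, be non-empty, and hold real data rather than
# Git LFS pointer stubs (small text files whose first line starts with
# "version https://git-lfs.github.com/spec/").
check_seeds() {
    seed_dir=$1/seeds/graphs
    [ -d "$seed_dir" ] || { echo "missing $seed_dir" >&2; return 1; }
    for f in "$seed_dir"/*; do
        [ -e "$f" ] || { echo "no seed files in $seed_dir" >&2; return 1; }
        if head -n 1 "$f" 2>/dev/null | grep -q '^version https://git-lfs.github.com/spec/'; then
            echo "$f is an LFS pointer, not data; run: git lfs pull" >&2; return 1
        fi
    done
}

# Step 3: bring the stack up once every check has passed.
main() {
    root=${1:-.}
    check_tools
    write_env "$root" "$(gen_jwt_secret)"
    check_seeds "$root"
    (cd "$root" && docker compose up --build)
}

# Run only when executed as a script, so the functions can also be sourced.
if [ "${0##*/}" = "depex-preflight.sh" ]; then
    main "$@"
fi
```

Run it from the project root as sh depex-preflight.sh, or pass the checkout path as the first argument. The pointer-stub check matters because a clone made without git-lfs installed succeeds silently and leaves seeds/graphs full of tiny text files; the containers then start against an empty graph.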

Other tools

  1. It is recommended to use a GUI such as MongoDB Compass to inspect what is being indexed in the vulnerability database.

  2. You can explore the graph that was built here, using the Neo4j Browser interface.