TABLE OF CONTENTS

Overview

Dependencies in the code repositories are the packages and images used when building the application code. These dependencies are offered by providers such as npm, Maven, and GO. Using these packages may optionally need a license type offered by the providers such as MIT, ISC, and BSD-3-Clause. 


After you integrate a source code management tool or a CI build system with Aqua, you can add code repositories hosted on them. When code repositories are added to Aqua, all the packages used for building the application code in these code repositories are discovered. Navigate to the Dependencies page to see all the packages discovered in the code repositories. Aqua performs a detailed analysis of the packages and displays details of each package.


This topic explains details of the packages discovered in the code repositories. On clicking any package, a detailed view is displayed which shows details of the package and a list of all the code repositories in which the package is used.


Dependencies list view

The Dependencies page shows the following details of each package used by one or multiple code repositories added to Aqua. This page also shows the results of the analysis on the packages. After studying the details of all the packages, you may decide to continue using the same package for your application code or try using another version of the same package or a different package.

  • Package name
  • Package provider name such as npm, Maven, and GO
  • Package version
  • Number of downloads of the package from the provider: This value represents the popularity of the package among other developers in the market. 
  • License type used for the package such as MIT, ISC, and BSD-3-Clause
  • The number of code repositories added to Aqua in which the specific package is used
  • Published date of the package: This represents how old the package version is. Old version of the package may not be well maintained, or the latest version may have some security issues and bugs. After verifying these details, you may decide on using the appropriate version of the same package for your requirement.



Security issues in the packages

Aqua performs a few checks on the packages and shows the results of the analysis. Three parameters are shown for each package with a health bar to display the presence of risks involved in using the package. The health bar is represented with a specific color (dark red, bright red, orange, yellow, and green) to show the severity of risks. On studying the health of each package, you may decide to continue using it or use a different package for your application code. Following are the different parameters displayed for each package:

  • Quality: represents the level of quality of the package and shows how well the provider maintained the package
  • Supply Chain: represents how well the supply chain best practices are followed in the package
  • License: represents the credibility of the license type used for the package. On checking the health of the license for the package, you may decide to continue using it or use another license type.


If there is no information available in the packages to perform checks for the Quality, Supply Chain, and License parameters, the health bar is represented with the grey color.


Current Limitation: Full details and analysis is shown only for the packages from the npm provider; only basic information (package name, version, license type, and the number of repositories) is shown for the packages from the other providers. Full details for the packages from the other providers will be shown in future.


Other controls

The following controls appear at the right middle of the page:

  • Search: any package by its name
  • Sort: the packages by one of the following:
    • Usage: sorts the packages by the number of code repositories in which a package is used in the descending order
    • Name: shows the list of all the packages by their names in the alphanumeric order
    • Provider: sorts the packages by the provider such as npm, python, and GO
  • Filter: the packages by the usage of code repositories. You can filter the packages used in more than 10, 50, 100, 200, and 500 code repositories.
  • Export: to export the list of packages with all details in a csv file


Dependency detailed view

In the Dependencies list view, if you click on any package, its detailed view is displayed. This page shows the following information:

  • All the package details explained in the Dependencies list view above. In addition, the published user's email is shown.
  • At the top right side of the page, you can see the version dropdown menu. From this menu, you can select a specific package version to see the respective package details.
  • Issues tab: Shows the list of all the security issues detected in the current package as failed checks. Each security issue has its description, severity, and the type (Quality, Supply Chain, or License) as explained in the Security issues in the packages section above.



  • Repositories tab: Shows the list of all the code repositories in which the current package is used in building the application code. On clicking any code repository, you will be navigated to the code repository scan detailed view. On clicking the repository link, you will be navigated to the code repository in the source code management tool such as GitHub. You can also search any code repository by its name or sort the code repositories by the source code management tool.