The list of transitive dependencies can be obtained in Highlight using any of the following options.
Details
- Transitive dependencies are available from the Software Composition dashboard by clicking on the magnifying glass of third-party components found in your application. On click, a modal opens and lists the component dependencies with their type (test, runtime, compile, etc.) and indicates the possible security vulnerabilities (a.k.a. CVEs) they may have and whether they are critical, high, medium or low from a severity standpoint, their license type, and whether these comply with your license compliance policy. Please refer to Transitive Dependencies: How much can you trust friends of your friends?
- Use the Dependency Explorer to investigate transitive dependencies. Please refer to Explore your OSS dependencies. Visually!
- In case you want a thorough list of all identified transitive dependencies in your software, you can simply export the BOM (Bill of Material) after switching on the inclusion of transitive dependencies in the Excel report. They will be listed in a dedicated ‘Dependencies’ sheet along with CVE and license occurrences.
To generate the BOM with transitive dependencies:
- Go to Dashboards > Application Results > Application > Software Composition.
- Click on Download BOM
- Switch the slider to ON to generate the list of transitive dependencies.
- Use the following API calls:
To get the dependencies of the application:
resources/application/[appid]/dependencies
To get the dependencies of the dependencies listed in the first call (the transitive dependencies):
resources/thirdparty/[id]/dependencies
NB: Transitive dependencies are dependencies that are indirectly required through other dependencies. For example, suppose package X depends on package Y, and package Y depends on package Z; then package Z is a transitive dependency of package X.
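The two API calls above can be chained into a breadth-first walk that reaches every level of the dependency graph. The following is an added example, not CAST code: `fetch_json` is a hypothetical caller-supplied function that performs the authenticated request against your Highlight instance, the `id` field name in each response item is an assumption, and the sample responses are constructed around the X, Y, Z case from the note above.

```python
from collections import deque


def collect_transitive(app_id, fetch_json, id_key="id"):
    """Walk both endpoints and return {component_id: depth}, depth 1 = direct.

    fetch_json(path) -> list of dicts is supplied by the caller (hypothetical
    helper wrapping the HTTP client, base URL and authentication).
    Assumption: each returned item carries its identifier under id_key.
    """
    depth = {}
    queue = deque()
    for item in fetch_json(f"resources/application/{app_id}/dependencies"):
        cid = item[id_key]
        if cid not in depth:
            depth[cid] = 1
            queue.append(cid)
    while queue:
        cid = queue.popleft()
        for child in fetch_json(f"resources/thirdparty/{cid}/dependencies"):
            child_id = child[id_key]
            # Skipping ids already seen keeps the walk finite when the graph
            # contains cycles or the same component is reached by two paths.
            if child_id not in depth:
                depth[child_id] = depth[cid] + 1
                queue.append(child_id)
    return depth


def transitive_only(depth):
    """Component ids that are never required directly by the application."""
    return sorted(cid for cid, d in depth.items() if d > 1)


# Constructed sample responses (not real Highlight output).
SAMPLE = {
    "resources/application/42/dependencies": [{"id": "X"}, {"id": "W"}],
    "resources/thirdparty/X/dependencies": [{"id": "Y"}],
    "resources/thirdparty/Y/dependencies": [{"id": "Z"}, {"id": "X"}],  # cycle
    "resources/thirdparty/Z/dependencies": [],
    "resources/thirdparty/W/dependencies": [{"id": "Z"}],  # second path to Z
}


def sample_fetch(path):
    return SAMPLE.get(path, [])


if __name__ == "__main__":
    found = collect_transitive(42, sample_fetch)
    print(found)
    print(transitive_only(found))
```

Components reported at depth 2 or more are the ones that never appear in your own manifest, so they are the ones to cross-check against the CVE and license columns of the BOM export.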
Related Article
CAST HIGHLIGHT - SCA - How to list the development dependencies in the code?
Highlight API's
Additional Resources
CAST Highlight Troubleshooting Guides
CAST Highlight Product Documentation
Ticket
46695