
View dependency trees

When an open-source library is added to an application, all of the library's dependencies are also inherited. Some of these transitive dependencies may introduce vulnerable code into your applications. The Contrast CLI identifies all library dependencies and sends the data to Contrast where you can visualize these libraries as a hierarchical dependency tree.

To display the library hierarchy for your application, Contrast must have access to your application code at pre-compile time, which is a different stage of the software development lifecycle (SDLC) from the one at which the Contrast agents collect data. To provide this access, you must have installed and run the Contrast CLI for your applications.

To view an application's library dependency tree:

  1. Select Applications in the navigation bar.

  2. Select an application.

  3. From the application's Overview page, select the Libraries tab.

  4. Select the dependency tree icon in the upper right to view the analysis of your application.

In this view, Contrast displays the dependency tree for your application's libraries based on the data collected by the Contrast CLI.

  • Use the quick view menu to view only the vulnerabilities. By default, all libraries are displayed. You can use the right arrows to expand individual sections for more information or you can select the Expand All option to view all the information at once.

  • Libraries with known vulnerabilities are also identified with a vulnerability warning icon. Click the icon to view the vulnerability details.

  • Click the search icon to search for a specific library.

  • You can also view a dependency tree's history by choosing a custom date.

  • Click the filter icon to view the dependencies based on developer and/or production libraries. By default, the production option is selected.

  • The Application dropdown appears for merged applications so you can see how vulnerable libraries were introduced for the merged application. You can view the dependency tree by parent and child applications.
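As an added illustration of what the tree view exposes (the inherited transitive dependencies from the introduction and the developer/production filter above), the following Python walks a constructed dependency graph and reports every chain through which a flagged library enters the application. This is example code, not the Contrast CLI or its data format; the package names, versions and the "vulnerable" set are invented assumptions.

```python
# Constructed sample: an application's direct dependencies and what each library
# pulls in transitively. Names, versions and the "vulnerable" set are made up
# for illustration; they describe no real packages or real vulnerabilities.
DEPENDENCIES = {
    "app": {"web-framework@4.1", "test-runner@2.0"},
    "web-framework@4.1": {"template-engine@1.3", "http-parser@0.9"},
    "template-engine@1.3": {"string-utils@1.0"},
    "http-parser@0.9": set(),
    "string-utils@1.0": set(),
    "test-runner@2.0": {"string-utils@1.0"},
}
# Direct dependencies that are development-only (assumed, as a lockfile would record).
DEV_ONLY = {"test-runner@2.0"}
# Libraries a scanner flagged with a known vulnerability (constructed for the example).
VULNERABLE = {"string-utils@1.0", "http-parser@0.9"}


def introduction_paths(root, target, deps):
    """Return every dependency chain root -> ... -> target as a list of names."""
    paths = []
    stack = [(root, [root])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for child in sorted(deps.get(node, ())):
            if child not in path:  # ignore cycles in the graph
                stack.append((child, path + [child]))
    return paths


def vulnerable_introductions(root, deps, vulnerable, dev_only, include_dev=False):
    """Map each vulnerable library to the chains that introduce it.

    Mirrors the production/developer filter: a chain that enters through a
    dev-only direct dependency is dropped unless include_dev is True.
    """
    result = {}
    for lib in sorted(vulnerable):
        chains = []
        for path in introduction_paths(root, lib, deps):
            if len(path) > 1 and path[1] in dev_only and not include_dev:
                continue
            chains.append(" -> ".join(path))
        if chains:
            result[lib] = chains
    return result
```

With the production filter, `string-utils@1.0` shows a single chain via `web-framework@4.1`; including developer libraries reveals the second chain via `test-runner@2.0`, which is the kind of detail the tree's filter and expansion controls let you inspect.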