Search Your Dependencies
Our SBOM analysis feature works by analyzing the code of a user's project and identifying all of the software components that are used, as well as any dependencies between them. This information is then organized into an SBOM format and saved to a Neo4j database for easy access and querying.
Using Neo4j's powerful graph database technology, users can interact with the SBOM data in a variety of ways. The graph interface allows users to input graph queries and see the results as nodes in a graph, making it easy to visualize the software components and dependencies in their project.
Using the graph interface
To use the Neo4j graph interface, users simply need to input a graph query using the Cypher query language. For example, a user might input a query to find all of the software components in their project that have a particular license. The query might look something like this:
MATCH (n: Package) RETURN n LIMIT 25
The results of the query are displayed as nodes in a graph, with each node representing a software package that matches the query. Users can then explore the graph further, clicking on nodes to see more information about each component and its dependencies. You can also click the "From Image" link to go to the source resource (Docker image, GitHub repository or file).
You can learn more about the Cypher query language in Neo4j's official documentation.
Sample query
Query packages that have a relationship with a specific package
MATCH (n)-[]-(x) WHERE n.name = "Alpine Linux v3.11" RETURN n, x LIMIT 25
Query the CVEs (Vulnerability nodes) linked to a specific package
MATCH (n)-[]-(x: Vulnerability) WHERE n.name = "vim" RETURN n, x LIMIT 25
You can find more at our "Useful cypher queries" docs.
Search templates
$DBQ_topCVEs
This query shows the top 5 CVEs that affect the most packages in your project. Use this template to find out which CVEs you should care about most.
$DBQ_topVulnerablePackage
This query shows the packages with the most CVEs. You should seriously consider upgrading or removing those packages.
Neo4j Nodes and Relations
Nodes
Package: Can be a software package or a Docker base image such as Ubuntu.
{
"id": "",
"name": "the package name like curl",
"userId": "the deepbits user id",
"resourceId": "the scan result that cause this node to generate",
"projectAssetId": "the assets that this scan for, it could be a github commit or docker hub image",
"streamId": "the sbom stream for this scan result, could be a github branch or docker hub tag",
"projectId": "the deepbits project id, can include many assets",
"resourceType": "image, ecrImage, file, dockerHub, githubCommit, memoryDump, stream",
"purl": "something like: purl: pkg:g++/4:11.2.0-1ubuntu1",
"version": "the package version, sample: version: 4:11.2.0-1ubuntu1"
}
Vulnerability: Usually a CVE.
Property
{
"name": "Alpine Linux v3.11",
"purl": "os:Alpine Linux v3.11/1.1.24-r2",
"version": "1.1.24-r2",
"userId": "the deepbits user id",
"resourceId": "the scan result that cause this node to generate",
"projectAssetId": "the assets that this scan for, it could be a github commit or docker hub image",
"streamId": "the sbom stream for this scan result, could be a github branch or docker hub tag",
"projectId": "the deepbits project id, can include many assets",
"resourceType": "image, ecrImage, file, dockerHub, githubCommit, memoryDump, stream"
}
Relations
DependsOn: Packages can depend on each other, e.g. Alpine Linux v3.11 DependsOn busybox.
Vulnerable: A package is vulnerable to a CVE, e.g. package busybox is Vulnerable to CVE-2021-42384.
You can use these nodes and relations in Cypher queries to produce the results you want.
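As an added set of example queries (not from the Deepbits docs), here are the two search templates and a CVE blast-radius lookup written against the nodes and relations described above. They assume the relationship types are spelled `DependsOn` and `Vulnerable` and point from the depending/affected package outward, that Vulnerability nodes hold the CVE identifier in `id`, and that `$projectId`, `$cve` and `$imageName` are Cypher parameters you set yourself (with `:param` in Neo4j Browser).

```cypher
// Assumed schema (not confirmed by the docs): (Package)-[:DependsOn]->(Package)
// and (Package)-[:Vulnerable]->(Vulnerability), Vulnerability.id = CVE identifier.

// 1. Top 5 CVEs by number of distinct packages they affect (what the
//    $DBQ_topCVEs template reports), scoped to one project so nodes from
//    other projects or users are not mixed into the count.
MATCH (p:Package)-[:Vulnerable]->(v:Vulnerability)
WHERE p.projectId = $projectId
RETURN v.id AS cve, count(DISTINCT p) AS affectedPackages
ORDER BY affectedPackages DESC
LIMIT 5;

// 2. Packages carrying the most CVEs (the $DBQ_topVulnerablePackage template).
MATCH (p:Package)-[:Vulnerable]->(v:Vulnerability)
WHERE p.projectId = $projectId
RETURN p.name AS package, p.version AS version, count(DISTINCT v) AS cves
ORDER BY cves DESC
LIMIT 10;

// 3. Blast radius of one CVE: every package affected by it, plus the packages
//    (base images, top-level components) whose dependency chain reaches it,
//    found by walking DependsOn backwards up to 10 hops, and where it was seen.
MATCH (v:Vulnerability {id: $cve})<-[:Vulnerable]-(p:Package)
OPTIONAL MATCH (root:Package)-[:DependsOn*1..10]->(p)
WHERE root.projectId = p.projectId
RETURN p.name AS package, p.purl AS purl,
       collect(DISTINCT root.name) AS dependents,
       collect(DISTINCT p.resourceType + ':' + p.streamId) AS whereFound;

// 4. Which CVEs are reachable from a given base image node, and through which
//    dependency chain? One shortest path per vulnerable package, for triage.
MATCH (img:Package {name: $imageName})
MATCH path = shortestPath((img)-[:DependsOn*..10]->(p:Package))
MATCH (p)-[:Vulnerable]->(v:Vulnerability)
RETURN v.id AS cve, p.name AS package, length(path) AS hops,
       [n IN nodes(path) | n.name] AS chain
ORDER BY hops ASC
LIMIT 25;
```

If your relationships turn out to be stored in the opposite direction, flip the arrows; the undirected `-[]-` form used in the sample queries above also works but will walk dependency chains in both directions.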
Property
{
"imageId": "63219ca45e269d1d6e27952f",
"id": "CVE-2020-28928",
"userId": "your user id"
}
Updated 8 months ago