This section provides a basic overview of managing projects and their packages.
Packages are collections of generally related software functions that are built in a repository.
A package generally may have any of the following:
Package dependencies are the versions of other software packages that your software relies on to deliver its functionality. Conversely, dependents are the package versions that depend on a specific package version you have created in one of your projects.
Endor Labs builds a bill of materials for each of your packages from its dependencies. Package dependencies and dependents may be direct or transitive:
A dependency of a given package version has the following metadata associated with it directly in the table of dependencies:
Dependency Name and Version - The name and version of the dependencies your project or package relies on.
Type - If a dependency is directly imported as part of a package, it is of type Direct. If a dependency is imported only through the import of one or more direct dependencies, it is of type Transitive.
Dependent Packages - In the context of a project, the number of packages created by the project that rely on this package.
Reachability - A dependency's reachability status may have one of three states:
Visibility - If a dependency is publicly available for use it is flagged as public. Otherwise, if a dependency is from a private package it is flagged as private.
Source Available - If the source code is auditable and directly linked from the package metadata, the source code is flagged as available. For dependencies whose source code is unavailable, Endor Labs does not generate a scorecard.
Endor Labs Dependency Scorecard - Scorecards are data sheets of facts that are used to derive Endor Labs scores. Endor Labs creates a scorecard for the security, activity, popularity and quality of a software dependency.
In addition, clicking a given dependency opens a drawer with additional data points.
A dependent of a given package version has the following metadata associated with it directly in the table of dependents:
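The Direct/Transitive type and the dependent-package count described above are properties of the dependency graph. The following is an added example, not Endor Labs code, that computes both from a constructed graph: dependencies are classified by whether the root package imports them itself or only through another dependency, and dependents are found by walking the reversed graph. All package names and versions in it are hypothetical.

```python
"""Classify a package's dependencies as Direct or Transitive and find its
dependents. Added example, not Endor Labs code; the graph is constructed
for illustration and every package name and version is hypothetical."""
from collections import deque

# Constructed sample: "name@version" -> direct dependencies of that version.
GRAPH = {
    "my-service@1.0.0": ["web-framework@3.2.1", "logger@1.4.0"],
    "web-framework@3.2.1": ["http-parser@2.0.0", "logger@1.4.0"],
    "http-parser@2.0.0": ["string-utils@0.9.3"],
    "logger@1.4.0": [],
    "string-utils@0.9.3": [],
    "my-cli@2.0.0": ["logger@1.4.0"],
}


def classify_dependencies(graph, root):
    """Return {dependency: "Direct" | "Transitive"} for everything reachable
    from root. A dependency imported by root itself is Direct, even if some
    other dependency also pulls it in; anything reached only through other
    dependencies is Transitive."""
    direct = set(graph.get(root, []))
    result = {}
    seen = {root}
    queue = deque(direct)
    while queue:
        dep = queue.popleft()
        if dep in seen:          # diamond or cycle: already classified
            continue
        seen.add(dep)
        result[dep] = "Direct" if dep in direct else "Transitive"
        queue.extend(graph.get(dep, []))
    return result


def find_dependents(graph, target):
    """Return the set of package versions that depend on target, directly or
    transitively, by breadth-first search over the reversed edges."""
    reverse = {}
    for pkg, deps in graph.items():
        for dep in deps:
            reverse.setdefault(dep, set()).add(pkg)
    dependents = set()
    queue = deque(reverse.get(target, ()))
    while queue:
        pkg = queue.popleft()
        if pkg in dependents:
            continue
        dependents.add(pkg)
        queue.extend(reverse.get(pkg, ()))
    return dependents


def dependency_table(graph, root):
    """Rows in the shape of the dependency table: name, version, type and the
    number of packages in this graph that depend on the dependency."""
    rows = []
    for dep, kind in sorted(classify_dependencies(graph, root).items()):
        name, version = dep.rsplit("@", 1)
        rows.append((name, version, kind, len(find_dependents(graph, dep))))
    return rows


if __name__ == "__main__":
    for row in dependency_table(GRAPH, "my-service@1.0.0"):
        print("%-16s %-8s %-10s dependents=%d" % row)
```

In the sample graph, logger@1.4.0 is imported by my-service directly and also through web-framework, so it is reported as Direct; http-parser and string-utils are reached only through web-framework and are Transitive. The dependents count is scoped to the packages in the graph you pass in, which corresponds to counting within a project.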
Dependent Package Name - The name of a package that is dependent on the package you are reviewing or that is created within the context of the project you are reviewing.
Dependent Package Version - The version of a package that is dependent on the package you are reviewing or that is created within the context of the project you are reviewing.
Repository of dependent package - The repository in which the dependent package is developed.
To view the dependencies of your package:
To view the dependents of your package:
Dependents can be used to communicate with downstream users of your package version regarding any major modifications to your package.
Scorecards are data sheets of facts that are used to derive Endor Labs scores. Scorecards are based on analysis that Endor Labs performs on open-source dependencies used in your packages.
Scorecards show the results of the analysis from which Endor Labs scores are derived. Review the scorecard to learn more about your dependency. See also Understand Endor scores.