Software Composition Analysis (SCA)
How Trace finds vulnerable dependencies — and tells you which ones are actually reachable from your code.
Modern applications run on third-party code. Most of the security risk you carry is in dependencies you didn't write — and most of that risk is in dependencies you don't even know you have.
Trace's SCA engine maps your dependency tree, identifies known vulnerabilities, and then does the part that nobody else does: it tells you which of those vulnerabilities are actually reachable from your application code.
How it works
The SCA engine runs in two stages:
- Dependency discovery. Indexes every manifest and lockfile in your repository to build a complete picture of your direct and transitive dependencies. Cross-references each package version against the public CVE and advisory ecosystem to pull in known vulnerabilities.
- Reachability verification. For each candidate vulnerability, Trace reads your code to determine whether the vulnerable function is actually imported and called from your application. Findings that can't be reached get downgraded or filtered out.
Dependency discovery is fast and deterministic — same lockfile, same output, every time. Reachability verification is where the noise reduction happens: a prototype-pollution CVE in lodash when the only function you call is _.cloneDeep is not the same finding as that CVE when you call the affected function on user input.
Supported ecosystems
Trace's dependency indexer supports the package ecosystems your engineers actually use:
| Ecosystem | Manifests |
|---|---|
| npm | package.json, package-lock.json, yarn.lock, pnpm-lock.yaml, bun.lockb |
| PyPI | requirements.txt, pyproject.toml, poetry.lock, Pipfile, Pipfile.lock |
| Cargo (Rust) | Cargo.toml, Cargo.lock |
| Maven (Java) | pom.xml, build.gradle, gradle.lockfile |
| Go modules | go.mod, go.sum |
| RubyGems | Gemfile, Gemfile.lock |
| NuGet (.NET) | *.csproj, packages.lock.json |
| Composer (PHP) | composer.json, composer.lock |
Manifests are discovered recursively, so monorepos with services in multiple languages all get covered in a single scan.
What "reachable" means
Reachability is the difference between theoretically vulnerable and actually exploitable. A CVE in a dependency you've installed doesn't matter if your code never calls the vulnerable function.
For every CVE found, Trace's verifier:
- Identifies the specific function, method, or module within the package that the CVE applies to.
- Searches your code for imports and references to that package.
- Traces whether the vulnerable entry point is actually called — directly or transitively.
- Classifies the finding's confidence based on how clearly the vulnerable path is exercised.
Findings where reachability is unambiguous land in your dashboard with full severity. Findings where the vulnerable code path can't be reached are filtered out. Findings where reachability is uncertain are downgraded and surfaced with the rationale, so you can decide.
The verifier is also dev-dependency-aware. A vulnerability in a build-only or test-only dependency is reported at lower severity by default, because the blast radius is smaller and the path to production exploitation is harder.
What you get for each finding
Every SCA finding records:
- Package, version, ecosystem — what dependency, at what version, in what package manager.
- CVE / advisory ID — links to the upstream advisory.
- Affected versions and fixed versions — so you know what to upgrade to.
- Reachability context — whether and how the vulnerable code is exercised from your application.
- Dependency provenance — the transitive chain that brought the vulnerable package into your project.
- Severity and CVSS score — calibrated based on both the upstream severity and the reachability context.
- Remediation guidance — the specific upgrade or workaround that closes the issue.
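To make the two stages under "How it works", the verifier steps under "What 'reachable' means" and the per-finding fields above concrete, here is an added toy pipeline in Python. It is an illustration written for this page, not Trace's code, and Trace's own analysis is not described at this level of detail. It parses a constructed npm package-lock.json (lockfileVersion 3 layout), matches installed versions against constructed OSV-style advisories with placeholder IDs, recovers the transitive chain by breadth-first search over the lockfile's dependency edges, approximates reachability with a regex over CommonJS require() bindings and call sites, and applies the dev-dependency downgrade. Every package name, version, advisory ID and line of application source is constructed.

```python
import json
import re
from collections import deque

# Constructed package-lock.json (npm lockfileVersion 3 layout); not any real project's file.
LOCKFILE = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"web-kit": "^2.0.0"}, "devDependencies": {"test-tool": "^1.0.0"}},
    "node_modules/web-kit": {"version": "2.1.0", "dependencies": {"deepmerge-ish": "^0.9.0"}},
    "node_modules/deepmerge-ish": {"version": "0.9.3"},
    "node_modules/test-tool": {"version": "1.4.0", "dev": true, "dependencies": {"left-pad-ish": "^1.0.0"}},
    "node_modules/left-pad-ish": {"version": "1.2.0", "dev": true}}}""")

# Constructed advisories in an OSV-like shape; IDs, packages and ranges are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "deepmerge-ish", "introduced": "0.0.0", "fixed": "0.9.5", "functions": ["merge"]},
    {"id": "EXAMPLE-ADV-0002", "package": "left-pad-ish", "introduced": "1.0.0", "fixed": "1.3.0", "functions": ["pad"]},
]

# Constructed application source (CommonJS).
APP_SOURCE = """
const { merge } = require('deepmerge-ish');
const lp = require('left-pad-ish');
const express = require('express');
app.post('/profile', (req, res) => res.json(merge(defaults, req.body)));
const label = lp.pad(String(id), 8);
"""
REQUIRE_RE = re.compile(r"""(?:const|let|var)\s+(\{[^}]*\}|\w+)\s*=\s*require\(\s*['"]([^'"]+)['"]\s*\)""")

def parse_version(v):
    """Numeric semver prefix as a comparable tuple; pre-release tags are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])

def discover(lock):
    """Stage 1: installed packages with version, dev flag and dependency edges."""
    pkgs = {}
    for path, meta in lock["packages"].items():
        if path:   # nested duplicates (a/node_modules/b) collapse onto the bare name here
            pkgs[path.split("node_modules/")[-1]] = {"version": meta["version"], "dev": meta.get("dev", False),
                                                     "deps": list(meta.get("dependencies", {}))}
    root = lock["packages"][""]
    pkgs[""] = {"deps": list(root.get("dependencies", {})) + list(root.get("devDependencies", {}))}
    return pkgs

def provenance(pkgs, target):
    """Shortest chain from the root manifest to `target` (breadth-first search)."""
    queue, seen = deque([("", [])]), set()
    while queue:
        node, chain = queue.popleft()
        for dep in pkgs[node]["deps"]:
            if dep == target:
                return chain + [dep]
            if dep in pkgs and dep not in seen:
                seen.add(dep)
                queue.append((dep, chain + [dep]))
    return []

def bindings_for(source, package):
    """Map each destructured export (or '*' for a whole-module binding) to its local name."""
    bound = {}
    for spec, pkg in REQUIRE_RE.findall(source):
        if pkg != package:
            continue
        if spec.startswith("{"):
            for part in spec.strip("{} ").split(","):
                names = re.split(r"\s*:\s*", part.strip())   # handles `merge` and `merge: m`
                if names[0]:
                    bound[names[0]] = names[-1]
        else:
            bound["*"] = spec
    return bound

def reachability(source, package, functions):
    """Stage 2, text-level approximation: is a vulnerable export both imported and called?"""
    bound = bindings_for(source, package)
    if not bound:
        return "not-imported", None
    for fn in functions:
        if fn in bound and re.search(r"\b%s\s*\(" % re.escape(bound[fn]), source):
            return "reachable", bound[fn] + "(...)"
        if "*" in bound and re.search(r"\b%s\.%s\s*\(" % (re.escape(bound["*"]), re.escape(fn)), source):
            return "reachable", "%s.%s(...)" % (bound["*"], fn)
    return "imported-not-called", None

def scan(lock, advisories, source):
    """Run both stages; one record per finding, with the fields listed above."""
    pkgs = discover(lock)
    findings = []
    for adv in advisories:
        meta = pkgs.get(adv["package"])
        if not meta or not (parse_version(adv["introduced"]) <= parse_version(meta["version"]) < parse_version(adv["fixed"])):
            continue
        status, evidence = reachability(source, adv["package"], adv["functions"])
        severity = {"reachable": "full", "imported-not-called": "downgraded"}.get(status, "filtered")
        if meta["dev"] and severity == "full":
            severity = "downgraded"   # build/test-only dependency: smaller blast radius
        findings.append({"id": adv["id"], "package": adv["package"], "version": meta["version"],
                         "fixed": adv["fixed"], "dev": meta["dev"], "reachability": status, "evidence": evidence,
                         "provenance": provenance(pkgs, adv["package"]), "severity": severity})
    return findings
```

Running `scan(LOCKFILE, ADVISORIES, APP_SOURCE)` yields two records: the deepmerge-ish advisory is reachable through a direct call on request data and keeps full severity with provenance web-kit → deepmerge-ish, while the left-pad-ish advisory is reachable but sits under the dev-only test-tool, so it is downgraded. The regex stage is deliberately conservative: it cannot see dynamic requires, re-exports or calls made inside other dependencies, which is why a package that is imported but never visibly called is downgraded rather than filtered, matching the "uncertain reachability" rule above.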
How findings stay accurate
The advisory ecosystem is updated continuously. A package that was clean yesterday can have a new CVE disclosed today. Trace's scheduled scans re-evaluate your dependency tree daily — so a CVE published this morning that applies to a package you shipped last month appears in your dashboard automatically, with reachability already assessed.
When you upgrade a vulnerable dependency, the next scan marks the vulnerability as FIXED and records the resolving scan. If a regression happens — somebody downgrades, or a transitive change pulls the bad version back in — the vulnerability reopens.
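The FIXED / reopen lifecycle just described, as an added example in Python that is not Trace's code: a reconcile step folds the set of finding keys observed by one scan into tracked state, marking absent findings FIXED with the resolving scan id and reopening a FIXED finding that reappears. The scan ids, finding keys and three-scan history are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Finding:
    """Tracked state for one (advisory, package) pair across scans."""
    key: str                         # constructed shape: "<advisory id>@<package>"
    status: str = "OPEN"
    first_seen: str = ""
    resolved_by: Optional[str] = None   # id of the scan that first stopped observing it
    reopen_count: int = 0


def reconcile(state: Dict[str, Finding], observed: Set[str], scan_id: str) -> Dict[str, Finding]:
    """Fold one scan's observations into the tracked findings (mutates and returns state).

    new key               -> OPEN, first_seen = this scan
    open key absent now   -> FIXED, resolved_by = this scan
    FIXED key seen again  -> reopened (regression), reopen_count += 1
    """
    for key in observed:
        f = state.get(key)
        if f is None:
            state[key] = Finding(key=key, first_seen=scan_id)
        elif f.status == "FIXED":
            f.status, f.resolved_by = "OPEN", None
            f.reopen_count += 1
    for f in state.values():
        if f.status == "OPEN" and f.key not in observed:
            f.status, f.resolved_by = "FIXED", scan_id
    return state


def demo_history() -> Dict[str, Finding]:
    """Constructed history: an upgrade clears advisory 0001 in scan-2, a downgrade brings it back in scan-3."""
    state: Dict[str, Finding] = {}
    reconcile(state, {"EXAMPLE-ADV-0001@deepmerge-ish", "EXAMPLE-ADV-0002@left-pad-ish"}, "scan-1")
    reconcile(state, {"EXAMPLE-ADV-0002@left-pad-ish"}, "scan-2")
    reconcile(state, {"EXAMPLE-ADV-0001@deepmerge-ish", "EXAMPLE-ADV-0002@left-pad-ish"}, "scan-3")
    return state


if __name__ == "__main__":
    for f in demo_history().values():
        print(f)
```

Keying findings on advisory plus package (rather than on package version) is what lets a downgrade or a transitive re-introduction reopen the same record instead of creating a fresh one, so the reopen count survives as an audit trail.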
What it doesn't do
Trace's SCA does not currently scan container images or operating system packages directly. It scans the application-level dependencies declared in your repository's manifests. If you need container image scanning, plug it into your CI alongside Trace — and let the Trace team know; it's on our radar.