Dependencies
The Dependencies page provides a centralized inventory of every open-source package your organization uses, across all ecosystems. It tracks vulnerabilities (CVEs), license risks, package health, and deprecation status — giving you supply chain visibility without requiring CI/CD integration.
Supported Ecosystems
| Ecosystem | Icon | Source |
|---|---|---|
| npm | NPM | Package registry scans |
| PyPI | Python | Package registry scans |
| Go | Go modules | Repository analysis |
| Rust | Cargo/crates.io | Repository analysis |
| Ruby | RubyGems | Repository analysis |
| PHP | Composer/Packagist | Repository analysis |
| Maven | Java/Kotlin | Repository analysis |
Dependencies are automatically discovered from your scanned repositories and packages — no manual import required.
Dependency Table
Each dependency shows:
| Column | Description |
|---|---|
| Package | Name with ecosystem icon |
| Version | Current version detected + version constraint (e.g., ^2.1.0) |
| Risk | Risk badge — critical CVE, high CVE, medium CVE, deprecated, or clean |
| CVEs | Number of known vulnerabilities (clickable — navigates to Vulnerabilities view filtered by package) |
| License | SPDX license identifier + license risk indicator |
| Health | Package health score (0–100) — based on maintainer count, release frequency, issue responsiveness |
| Type | Direct or transitive dependency, production or dev |
| Last Seen | When BleedWatch last detected this dependency |
Health Score
The health score evaluates the open-source project behind each dependency:
| Score Range | Color | Meaning |
|---|---|---|
| 80–100 | Green | Well-maintained, active project |
| 50–79 | Amber | Some concerns — low maintainer count or infrequent releases |
| 0–49 | Red | High risk — abandoned, single maintainer, or no recent activity |
A low health score combined with known CVEs is a strong signal to find an alternative package.
License Risk
BleedWatch classifies licenses by risk to your organization:
| Risk Level | Example Licenses | Concern |
|---|---|---|
| High | AGPL-3.0, SSPL | Copyleft — may require open-sourcing your code |
| Medium | LGPL-2.1, MPL-2.0 | Partial copyleft — restrictions on modifications |
| Low | MIT, Apache-2.0, BSD | Permissive — minimal restrictions |
| Unknown | Custom, unlicensed | No recognized license — legal review recommended |
Expanded Row Detail
Click any dependency row to expand it and see:
- Dependency path — How this package was included (direct import or pulled in transitively by another package)
- Matched CVEs — Each vulnerability with:
  - CVE ID
  - Severity (CVSS score)
  - EPSS score (probability of exploitation in the wild)
  - KEV flag (in CISA Known Exploited Vulnerabilities catalog)
  - Fix version (if available)
Dependencies with high EPSS scores (>10%) and KEV flags should be patched immediately: a KEV listing means exploitation has been observed in the wild, and a high EPSS score means exploitation is likely. BleedWatch highlights these combinations automatically.
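The prioritization rules from the Health Score section and the Expanded Row Detail above, turned into a small triage routine. This is an added example, not BleedWatch code; the record layout, field names and the sample values in the test are assumptions.

```python
"""Triage rules for one dependency row, modelled on the tables above.
Added example, not BleedWatch code; the record layout and field names are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

EPSS_URGENT = 0.10  # page: EPSS above 10% means patch immediately
HEALTH_BANDS = ((80, "green"), (50, "amber"), (0, "red"))  # Health Score table

@dataclass
class Cve:
    cve_id: str
    cvss: float
    epss: float  # probability of exploitation, 0.0 to 1.0
    kev: bool  # listed in the CISA Known Exploited Vulnerabilities catalog
    fix_version: Optional[str] = None

@dataclass
class Dependency:
    name: str
    version: str
    health: int  # 0 to 100
    deprecated: bool = False
    cves: List[Cve] = field(default_factory=list)

def health_band(score: int) -> str:
    """Map a 0-100 health score to the colour band from the Health Score table."""
    for floor, colour in HEALTH_BANDS:
        if score >= floor:
            return colour
    raise ValueError(f"health score out of range: {score}")

def triage(dep: Dependency) -> List[str]:
    """Return the actions the page's rules imply for this dependency."""
    actions = []
    # KEV or high EPSS: patch immediately, naming the fix version if one exists.
    for c in dep.cves:
        if c.kev or c.epss > EPSS_URGENT:
            why = "in CISA KEV" if c.kev else f"EPSS {c.epss:.0%}"
            fix = f"upgrade to {c.fix_version}" if c.fix_version else "no fix version known"
            actions.append(f"PATCH NOW {c.cve_id} ({why}): {fix}")
    # Low health plus any known CVE: the page calls this a signal to find an alternative.
    if dep.cves and health_band(dep.health) == "red":
        actions.append("FIND ALTERNATIVE: known CVEs on a poorly maintained project")
    # Deprecated with no CVEs is a maintenance risk signal, not a vulnerability alert.
    if dep.deprecated and not dep.cves:
        actions.append("MAINTENANCE RISK: deprecated, no known CVEs")
    return actions
```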
Filtering
| Filter | Options |
|---|---|
| Ecosystem | npm, PyPI, Go, Rust, Ruby, PHP (multi-select) |
| Risk level | Critical CVE, High CVE, Deprecated |
| Dependency type | Direct / Transitive |
| Search | Filter by package name (real-time, 400ms debounce) |
Combine filters to focus on what matters most — for example, "direct dependencies with critical CVEs in npm" gives you the shortest path to risk reduction.
SBOM Export
Export your complete Software Bill of Materials in industry-standard formats:
| Format | Standard | Use Case |
|---|---|---|
| CycloneDX JSON | OASIS CycloneDX | NIST, EU Cyber Resilience Act, NIS2 |
| SPDX JSON | Linux Foundation SPDX | FDA, NTIA, US Executive Order 14028 |
The SBOM includes every dependency, version, license, and known vulnerability — ready for auditor or customer submission.
Click the Export SBOM button at the top of the page to download.
How Dependencies Are Discovered
BleedWatch discovers dependencies through multiple channels:
- Shield (CI/CD) — Analyzes `package.json`, `requirements.txt`, `go.mod`, `Cargo.toml`, `Gemfile`, `composer.json` in scanned repositories
- Sentinel — Extracts dependency manifests during continuous scans
- NPM/PyPI registry scans — Resolves the full dependency tree of your published packages
- Docker image analysis — Extracts installed packages from container layers
All dependency data is deduplicated and merged — a package appearing in multiple repositories is tracked once with all its occurrences linked.
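The discovery and merge step described above, shown for three of the manifest formats listed (package.json, requirements.txt, go.mod): each package is keyed once per ecosystem and every occurrence across repositories is linked to it, with direct/transitive and prod/dev recorded where the manifest exposes it. This is an added example, not BleedWatch code; the repositories and manifest contents are constructed.

```python
"""Discover dependencies from manifests and merge duplicates across repositories.
Added example, not BleedWatch code; the repositories and manifests below are constructed."""
import json
import re
from collections import defaultdict

REPOS = {  # constructed sample: repository -> {manifest path: file contents}
    "web-app": {
        "package.json": json.dumps({"dependencies": {"lodash": "^4.17.20"},
                                    "devDependencies": {"jest": "^29.0.0"}}),
        "requirements.txt": "requests==2.31.0\n# pinned for CVE fix\nurllib3>=1.26\n",
    },
    "api": {
        "package.json": json.dumps({"dependencies": {"lodash": "4.17.21"}}),
        "go.mod": ("module example.com/api\n\ngo 1.21\n\nrequire (\n"
                   "\tgolang.org/x/crypto v0.17.0\n"
                   "\tgithub.com/gin-gonic/gin v1.9.1 // indirect\n)\n"),
    },
}

def parse_manifest(path, text):
    """Yield (ecosystem, name, version_spec, dep_type) for one manifest file."""
    if path.endswith("package.json"):
        data = json.loads(text)
        for key, kind in (("dependencies", "prod"), ("devDependencies", "dev")):
            for name, spec in data.get(key, {}).items():
                yield "npm", name, spec, kind
    elif path.endswith("requirements.txt"):
        for line in text.splitlines():
            line = line.split("#")[0].strip()  # drop comments and blank lines
            m = re.match(r"([A-Za-z0-9_.\-]+)\s*(.*)", line)
            if m:
                yield "PyPI", m.group(1).lower(), m.group(2) or "*", "prod"
    elif path.endswith("go.mod"):
        # Block-form require entries only; "// indirect" marks a transitive module.
        for m in re.finditer(r"^\s*(\S+)\s+(v\S+)(\s*//\s*indirect)?$", text, re.M):
            yield "Go", m.group(1), m.group(2), "transitive" if m.group(3) else "direct"

def inventory(repos):
    """One entry per (ecosystem, package); its occurrences list every place it was seen."""
    inv = defaultdict(list)
    for repo, manifests in repos.items():
        for path, text in manifests.items():
            for eco, name, spec, kind in parse_manifest(path, text):
                inv[(eco, name)].append({"repo": repo, "manifest": path, "spec": spec, "type": kind})
    return dict(inv)

if __name__ == "__main__":
    for (eco, name), seen in sorted(inventory(REPOS).items()):
        print(eco, name, [f"{o['repo']}:{o['spec']} ({o['type']})" for o in seen])
```

Running it prints one line per package; `lodash` appears once with two linked occurrences (`^4.17.20` in web-app, `4.17.21` in api), which is the merge behaviour the section describes.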
Troubleshooting
Dependencies Not Appearing
Verify that:
- You have repositories connected via Shield or assets configured in Assets
- At least one scan has analyzed your dependency manifests
- The ecosystem filter isn't hiding results
CVE Count Shows 0 But Package Is Flagged
A package can be flagged as "deprecated" or have a low health score without any known CVEs. These are maintenance risk signals, not vulnerability alerts.
SBOM Export Is Incomplete
The SBOM includes only dependencies detected by BleedWatch. If specific packages are missing, ensure the repositories containing them are in your scan scope.
Related
- Vulnerabilities — Detailed CVE tracking with CVSS, EPSS, and patch information
- Supply Chain — Client-side supply chain monitoring for web applications
- Compliance — Map dependency vulnerabilities to compliance frameworks
- Reports — Include dependency data in compliance evidence packs