dpndncY
Software Composition Analysis
Know every dependency
and which vulns can actually reach you.

Direct and transitive dependency resolution across 30+ ecosystems, correlated against OSV, NVD and GHSA, then ranked by real exploitability — not raw CVE count.

Pillar · Scan

What it does

30+ ecosystem resolution

Direct + transitive resolution across npm, PyPI, Maven, NuGet, Cargo, Go, RubyGems, Composer, Pub, CRAN, Conda, CPAN, OPAM, CocoaPods, SwiftPM, PEAR and Bazel — from lockfiles and registry metadata.

Lockfile parsingTransitive graph30+ ecosystems

Vulnerability fusion

OSV + NVD + GHSA correlation with both CVE and GHSA identifiers on every finding, enriched with CVSS, EPSS and CISA KEV.

OSV · NVD · GHSACVE + GHSA IDs

Exploitability-based ranking

CISA KEV, EPSS, ExploitDB and an exploit-window forecast fused with reachability so the top of the list is what can actually be exploited — not the highest CVSS.

KEV · EPSS · ExploitDBExploit-window forecast

Proprietary advisory layer

dpndncY Security Advisories (DSA) supplement the public feeds — matched into every scan on your own infrastructure, catching issues not yet published to public OSV.

DSA feedSupplements OSV

License compliance

SPDX detection and copyleft classification (permissive / weak / strong) with obligation surfacing — attribution, source disclosure, NOTICE files, patent grant.

SPDXCopyleft scope

Reachability + attack path

For JS/TS, AST call-graph reachability maps each vulnerability from dependency to import to sink to HTTP entry point.

JS/TS call-graphAttack path
30+
ecosystems
3
public feeds fused
4
exploit signals

One platform. On your infrastructure.
Every decision signed and verifiable.