Welcome to Cofe
Prioritize OSS vulnerabilities beyond CVSS score, using dependency graph and vulnerability exploitability
What is it?
Cofe is Safedep/Vet on Steroids: a tool for prioritizing library and dependency upgrades in your software projects. It uses several heuristics, such as exploitability, reachability, and the distinction between internal and external libraries, to decide what to upgrade first.
A typical application has 1k+ direct and transitive dependencies, and OSV scanner tools typically report vulnerabilities prioritized by CVSS score alone. Cofe helps security engineers and developers find the path from the application to the vulnerable location and use it to prioritize fixes.
Original Graph vs. Cofe Magic (comparison images)
Quick Start
Install Cofe
To install, simply run the following command:
```
go install github.com/safedep/cofe@main
```
Currently, Cofe supports Safedep/Vet as the default dependency scanner. You need to install at least the vet community edition for vet to work:
```
go install github.com/safedep/vet@main
vet auth configure --community
```
For other installation options, please refer to Safedep/Vet.
Run It
To get started with Safedep/Vet on Steroids, run:
```
cofe scan -D <Changeme>/<yourproject>/
```
Sample Output
Demo
Advanced Usage
Scan Your Internal Repository
Cofe allows you to scan your internal repositories, including packages hosted in your private artifact repositories. Here are some examples of scanning a Python project:
```
cofe scan -D <Changeme>/<yourproject>/ --read-std-conf
```
Visualization
```
cofe scan -D <Changeme>/<yourproject>/ --graphviz g.dot --read-std-conf
```
Open the dot file using the xdot utility on Ubuntu:
```
xdot g.dot
```
```
cofe scan -D <Changeme>/<yourproject>/ --csv g.csv --read-std-conf
```
The above command generates the following files:
- g.csv: edges of the dependency graph after the graph has been reduced via techniques such as reachability analysis
- g.csv.metadata.csv: metadata for the nodes, such as score and color, useful for visualization
- g.csv.orig.csv: the initial graph without any optimization
- g.csv.orig.metadata.csv: metadata for the initial graph
Use the Cosmosgraph app to upload the edge and metadata files for visualization.
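The reachability-based reduction described above, illustrated as an added example rather than Cofe's own code: a breadth-first search from the application root keeps only vulnerable packages that are actually reachable and reports the shortest dependency chain to each. The edge list and vulnerable-package names are constructed sample data; nothing here assumes Cofe's actual CSV schema.

```go
package main

import "fmt"

// Edge of a dependency graph: From depends on To.
// Constructed sample type, not Cofe's own CSV schema.
type Edge struct{ From, To string }

// reachableVulnPaths runs a breadth-first search from the application root
// and returns, for every vulnerable package that is reachable, the shortest
// dependency chain leading to it. Vulnerable packages with no path from the
// root are dropped, which is the graph reduction the README describes.
func reachableVulnPaths(root string, edges []Edge, vulnerable map[string]bool) map[string][]string {
	adj := map[string][]string{}
	for _, e := range edges {
		adj[e.From] = append(adj[e.From], e.To)
	}
	parent := map[string]string{root: ""} // node -> predecessor on shortest path
	queue := []string{root}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, next := range adj[cur] {
			if _, seen := parent[next]; seen {
				continue
			}
			parent[next] = cur
			queue = append(queue, next)
		}
	}
	paths := map[string][]string{}
	for pkg := range vulnerable {
		if _, ok := parent[pkg]; !ok {
			continue // vulnerable but unreachable from the application: deprioritize
		}
		var path []string
		for n := pkg; n != ""; n = parent[n] {
			path = append([]string{n}, path...) // walk predecessors back to the root
		}
		paths[pkg] = path
	}
	return paths
}

func main() {
	// Constructed graph: pyyaml is vulnerable but only pulled in by an orphan library.
	edges := []Edge{{"app", "requests"}, {"requests", "urllib3"}, {"app", "flask"}, {"flask", "werkzeug"}, {"orphan-lib", "pyyaml"}}
	vulnerable := map[string]bool{"urllib3": true, "pyyaml": true}
	for pkg, path := range reachableVulnPaths("app", edges, vulnerable) {
		fmt.Printf("%s reachable via %v (depth %d)\n", pkg, path, len(path)-1)
	}
}
```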
Sample Graphs
How Does It Work?
Supported Ecosystems
Currently, Cofe supports the following ecosystems:
Roadmap
Future updates and expansions planned for Safedep/Vet on Steroids:
- Add support for Java.
- Integrate with Neo4j.
- Expand to support NPM packages.
- Support VEX output.