Finite State is excited to share new capabilities that will help our users more easily digest and view their software dependencies to identify potential security risks, comply with emerging regulations, and enhance prioritization decisions.
There are two main types of software dependencies: direct dependencies, which your project explicitly declares or references in its own code, and transitive dependencies, which are not referenced by your codebase at all but are pulled in indirectly, either by a direct dependency or by another transitive dependency further down the chain.
Identifying and managing dependencies, especially transitive dependencies, is crucial: a vulnerable package reaches your product whether you chose it yourself or inherited it three levels down, and you cannot prioritize, patch, or attest to what you cannot see. By surfacing transitive dependencies, you not only enhance your software's security but also streamline regulatory compliance and empower your development team to create more secure and robust applications.
While Finite State already provided direct dependency information, this new functionality adds transitive dependency details and makes it easier to find, and to map, the relationships between impacted artifacts.
What’s new in the tool:
With this wealth of new data, particularly transitive dependency details, we wanted to make navigating this information a breeze. To provide a clearer picture of your component relationships, we’ve embedded this information throughout the tool in several key areas, which we explore below.
The main Bill of Materials table has a Dependency View that allows you to expand and collapse details about dependencies.
The component details drawer has a section near the bottom called Dependencies & Relationships.
In this panel, you can view dependencies in both directions (this component's dependencies, and the components this component is a dependency of). You can click on any of these dependencies to show more detail about the component, such as license, dependency type (direct or transitive), and source (detected by Finite State Binary Analysis or enriched from external data sources).
The component Bill of Materials page has a new tab named Dependencies & Relationships. In this view, you can see a table of dependencies divided into "Depends On" and "Dependency Of" to reflect the direction of the dependency relationship. The table also includes a column called "Dependency Type", which shows whether the relationship between that package and the selected component is direct or transitive.
The Dependency Graph is an alternative view of the dependency relationships of a given component.
You can open the Dependency Graph by selecting the "Graph" tab in the Dependencies & Relationships view. This provides a visualization of the structure of the component's dependencies, including both detected and enriched dependencies.
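To make the direct/transitive distinction and the two-directional "Depends On" / "Dependency Of" views concrete, here is an added example that is not Finite State's code and does not use its API. It takes a flat list of (dependent, dependency) edges, such as you might extract from any SBOM, and for a chosen component classifies every reachable package in both directions. The component names and edges are a constructed sample, not data from any real product.

```python
"""Classify a component's dependencies as direct or transitive, in both
directions, from a flat list of dependency edges.

Added example; not Finite State's code. The graph below is constructed
for illustration and the package names are hypothetical.
"""
from collections import deque

# Constructed sample: (dependent, dependency) edges for one hypothetical
# firmware image. "app" links libcurl and openssl directly; libcurl also
# links openssl, so openssl is reachable from app by two paths.
EDGES = [
    ("app", "libcurl"),
    ("app", "openssl"),
    ("libcurl", "openssl"),
    ("libcurl", "zlib"),
    ("openssl", "zlib"),
    ("zlib", "libc"),
    ("busybox", "libc"),
]


def build_graphs(edges):
    """Return (depends_on, dependency_of) adjacency maps, one per direction."""
    depends_on, dependency_of = {}, {}
    for dependent, dependency in edges:
        depends_on.setdefault(dependent, set()).add(dependency)
        dependency_of.setdefault(dependency, set()).add(dependent)
    return depends_on, dependency_of


def classify(adjacency, start):
    """Breadth-first walk from start; return {node: "direct" | "transitive"}.

    Direct = one hop away. Anything reached only through further hops is
    transitive. A package reached both directly and via another path is
    reported as direct, because the component declares it itself and it
    would remain even if the intermediate package were removed. Cycles
    are tolerated by tracking visited nodes.
    """
    direct = adjacency.get(start, set())
    result = {node: "direct" for node in direct}
    seen = {start} | set(direct)
    queue = deque(direct)
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, set()):
            if nxt not in seen:
                seen.add(nxt)
                result[nxt] = "transitive"
                queue.append(nxt)
    return result


def dependency_report(edges, component):
    """Both tables for one component: what it depends on, and what depends on it."""
    depends_on, dependency_of = build_graphs(edges)
    return {
        "depends_on": classify(depends_on, component),
        "dependency_of": classify(dependency_of, component),
    }


if __name__ == "__main__":
    for component in ("app", "zlib", "libc"):
        report = dependency_report(EDGES, component)
        print(f"== {component} ==")
        for direction in ("depends_on", "dependency_of"):
            for pkg, kind in sorted(report[direction].items()):
                print(f"  {direction:14} {pkg:10} {kind}")
```

The "Dependency Of" direction is the one that matters for impact analysis: running the report for a low-level package such as `libc` lists every artifact that would inherit a fix or a CVE, with direct dependents one hop away and the rest marked transitive. Note the openssl case above: it is reachable from `app` both directly and through `libcurl`, and is reported as direct, so upgrading or removing `libcurl` alone would not take openssl out of `app`.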
With Finite State, your development and security teams are empowered to make better-informed decisions about prioritization, risk management, compliance, and overall software security.
Contact us to check out our new enhanced dependency capabilities today!