As you know, Bazel requires every dependency of a project to be listed explicitly, including transitive ones. Hence, the Dep Graph of a Bazel project looks like a flat list of dependencies.
To create a Dep Graph, let's first list all of the project's dependencies.
The list can be found in 3rdparty/java_deps.bzl. From the URLs pointing to Maven Central we can derive the full list of coordinates:
com.google.inject:[email protected]
org.sonatype.sisu.inject:[email protected]
javax.inject:javax.inject@1
aopalliance:[email protected]
org.codehaus.mojo:[email protected]
com.google.code.findbugs:[email protected]
com.google.errorprone:[email protected]
com.google.guava:[email protected]
com.google.guava:[email protected]
com.google.guava:[email protected]
org.checkerframework:[email protected]
com.google.j2objc:[email protected]
Now, create a JSON object like dep-graph.json (https://github.com/snyk/bazel-simple-app/blob/master/dep-graph.json).
The object's schema can be found here: https://github.com/snyk/dep-graph#depgraphdata
schemaVersion - use 1.2.0 (internal versioning)
pkgManager.name - one of deb, gomodules, gradle, maven, pip, rpm, rubygems, cocoapods
pkgs - JSON array of all packages in the Dep Graph. Fill it with data from the list above, including the ROOT NODE (the name of your project).
graph - should contain the relationships between graph nodes. In the Bazel case there is only one kind of relationship: the root node to each of its dependencies. Fill in deps accordingly, following the example.
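As an added example (not code from this post or from the bazel-simple-app repository), the following Python script derives group:artifact@version coordinates from Maven Central URLs of the kind found in 3rdparty/java_deps.bzl and emits a DepGraphData object of the shape described above, with every dependency hanging directly off the root node. The project name bazel-simple-app, the root version 1.0.0 and the com.example:lib URL are assumptions made for the example; the javax.inject URL is constructed from the standard Maven repository layout for the coordinate listed above.

```python
import json
import re

MAVEN_CENTRAL = "https://repo1.maven.org/maven2/"
# group:artifact@version, the coordinate form used in the list above
COORD_RE = re.compile(r"^([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+)@([A-Za-z0-9_.\-+]+)$")

# Constructed sample input: URLs as they would appear in java_deps.bzl.
# The javax.inject line matches the real coordinate listed in the post; the
# com.example line is an assumed placeholder. The duplicate exercises dedup.
SAMPLE_URLS = [
    "https://repo1.maven.org/maven2/javax/inject/javax.inject/1/javax.inject-1.jar",
    "https://repo1.maven.org/maven2/com/example/lib/2.0.1/lib-2.0.1.jar",
    "https://repo1.maven.org/maven2/javax/inject/javax.inject/1/javax.inject-1.jar",
]


def coord_from_url(url):
    """Derive 'group:artifact@version' from a Maven Central artifact URL.

    Maven repository layout is <group path>/<artifact>/<version>/<file>,
    so the last three path segments before the file name are enough.
    """
    if not url.startswith(MAVEN_CENTRAL):
        raise ValueError("not a Maven Central URL: %s" % url)
    parts = url[len(MAVEN_CENTRAL):].split("/")
    if len(parts) < 4:
        raise ValueError("URL too short for group/artifact/version: %s" % url)
    version, artifact = parts[-2], parts[-3]
    group = ".".join(parts[:-3])
    return "%s:%s@%s" % (group, artifact, version)


def build_dep_graph(root_name, root_version, coords, pkg_manager="maven"):
    """Build a DepGraphData dict (schemaVersion 1.2.0) for a flat dependency list.

    Every dependency becomes a direct child of the root node, which is the
    shape a Bazel project yields because transitive deps are listed explicitly.
    Malformed coordinates are rejected; duplicates are collapsed so node ids
    stay unique.
    """
    root_id = "%s@%s" % (root_name, root_version)
    pkgs = [{"id": root_id, "info": {"name": root_name, "version": root_version}}]
    root_deps = []
    dep_nodes = []
    seen = set()
    for coord in coords:
        m = COORD_RE.match(coord)
        if not m:
            raise ValueError("malformed coordinate: %r" % coord)
        group, artifact, version = m.groups()
        name = "%s:%s" % (group, artifact)
        pkg_id = "%s@%s" % (name, version)
        if pkg_id in seen:
            continue
        seen.add(pkg_id)
        pkgs.append({"id": pkg_id, "info": {"name": name, "version": version}})
        root_deps.append({"nodeId": pkg_id})
        dep_nodes.append({"nodeId": pkg_id, "pkgId": pkg_id, "deps": []})
    return {
        "schemaVersion": "1.2.0",
        "pkgManager": {"name": pkg_manager},
        "pkgs": pkgs,
        "graph": {
            "rootNodeId": root_id,
            "nodes": [{"nodeId": root_id, "pkgId": root_id, "deps": root_deps}] + dep_nodes,
        },
    }


def example_graph():
    """Dep Graph for the constructed sample; root name/version are assumed."""
    coords = [coord_from_url(u) for u in SAMPLE_URLS]
    return build_dep_graph("bazel-simple-app", "1.0.0", coords)


if __name__ == "__main__":
    # Write the result as dep-graph.json-style output
    print(json.dumps(example_graph(), indent=2))
```

Because every transitive dependency is attached directly to the root, the resulting graph carries no information about which direct dependency pulled in a given transitive one; that is inherent to the flat list Bazel gives you, so keep it in mind when reading the dependency paths Snyk reports.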
Explore this article on how to use the Dep Graph you've just built with the Snyk API, so that your projects get tested for vulnerabilities and stay secure:
https://support.snyk.io/hc/en-us/articles/360011549737