Most Free Software and Open Source projects consist of both newly written source code and reused third-party "binary" code. When we write new software we usually make it depend on many third-party libraries (such libraries are also called dependencies).
To give an idea of how complex and deep the dependency graph can be, let's suppose our new software has a direct dependency on the third-party library
rampart-core-1.3 (on the left in the figure above). That library itself depends on other third-party libraries. This second level of third-party libraries, relative to our new software, is made up of what are called transitive dependencies. Now consider that our new software might have many direct dependencies, and work out how many third-party dependencies it actually consists of.
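The direct/transitive distinction above is easiest to see by actually walking a dependency graph. The following is an added example, not code from the original page: it builds a small constructed graph in which rampart-core-1.3 (the only artifact named on the page) is a direct dependency, resolves every transitive dependency with its depth, and then cross-checks the result against a constructed advisory list. All other artifact names, edges and advisory identifiers are assumptions made up for illustration, not real project metadata or real CVEs.

```python
from collections import deque

# Constructed dependency graph, modelled on the text's example. Each key is a
# Maven-style artifact coordinate; each value lists its direct dependencies.
# Only rampart-core-1.3 comes from the page; everything else is an assumption.
SAMPLE_GRAPH = {
    "my-app-1.0": ["rampart-core-1.3", "example-web-2.0"],
    "rampart-core-1.3": ["example-xml-1.1", "example-crypto-0.9"],
    "example-web-2.0": ["example-xml-1.1", "example-http-3.2"],
    "example-xml-1.1": ["example-logging-1.0"],
    "example-crypto-0.9": [],
    "example-http-3.2": ["example-logging-1.0"],
    "example-logging-1.0": [],
}

# Constructed advisory feed: vulnerable artifact -> advisory identifier.
# The identifiers are placeholders, not real vulnerability ids.
SAMPLE_ADVISORIES = {
    "example-xml-1.1": "ADVISORY-PLACEHOLDER-1",
    "example-logging-1.0": "ADVISORY-PLACEHOLDER-2",
}


def resolve_dependencies(graph, root):
    """Breadth-first walk from root.

    Returns {artifact: depth}: depth 1 is a direct dependency, depth >= 2 a
    transitive one. Each artifact is recorded at its shallowest depth, and
    visiting a node at most once keeps shared or cyclic edges from looping.
    """
    depths = {}
    queue = deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        if node in depths:
            continue  # already reached by a shorter path
        depths[node] = depth
        for dep in graph.get(node, []):
            queue.append((dep, depth + 1))
    depths.pop(root, None)  # the root is the application, not a dependency
    return depths


def dependency_paths(graph, root, target):
    """Every path from root to target, so a finding can be traced back to the
    direct dependency that pulls the vulnerable artifact in."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for dep in graph.get(node, []):
            if dep not in path:  # cycle guard
                walk(dep, path + [dep])

    walk(root, [root])
    return paths


def find_vulnerable(graph, root, advisories):
    """Cross-check the resolved dependency set against the advisory feed.

    Returns a list of dicts sorted by depth, then artifact name.
    """
    depths = resolve_dependencies(graph, root)
    findings = []
    for artifact, depth in depths.items():
        if artifact in advisories:
            findings.append({
                "artifact": artifact,
                "depth": depth,
                "advisory": advisories[artifact],
                "paths": dependency_paths(graph, root, artifact),
            })
    return sorted(findings, key=lambda f: (f["depth"], f["artifact"]))


if __name__ == "__main__":
    deps = resolve_dependencies(SAMPLE_GRAPH, "my-app-1.0")
    direct = [a for a, d in deps.items() if d == 1]
    print(f"{len(direct)} direct, {len(deps) - len(direct)} transitive dependencies")
    for f in find_vulnerable(SAMPLE_GRAPH, "my-app-1.0", SAMPLE_ADVISORIES):
        print(f"{f['artifact']} (depth {f['depth']}): {f['advisory']}")
        for p in f["paths"]:
            print("   via " + " -> ".join(p))
```

Note that both vulnerable artifacts in the sample are transitive: the application never references them directly, so a scan of the project's own declared dependencies alone would miss them. Reporting every path, rather than just the first, tells the maintainer which direct dependencies would all have to be upgraded for the vulnerable artifact to disappear from the build.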
Thanks to some ready-to-use Java static code analyzers we know how to discover some bugs in source code, but what about bugs and vulnerabilities in third-party dependencies?