Most Free Software and Open Source projects consist of both newly written source
code and reused third-party “binary” code.
When we write new software we usually make it depend on many third-party
libraries (such libraries are also called dependencies).
To give an idea of how complex and deep the dependency graph
can be, suppose our new software has a direct dependency on the third-party
library rampart-core-1.3 (on the left in the figure above). That
library itself depends on other third-party libraries. This second level of
third-party libraries, with respect to our new software, is made up of what are
called transitive dependencies. Now consider that our new software might have
many direct dependencies, and figure out how many third-party dependencies its
Thanks to some
Ready To Use Java Static Code Analyzers
we know how to discover some bugs in source code, but what about bugs and
vulnerabilities in third-party dependencies?
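To make the direct/transitive distinction above concrete, here is an added example (not code from the original post) that walks a constructed dependency graph breadth-first, records each artifact's depth and the path that pulls it in, and then matches the resolved set against a constructed advisory list. Only the name rampart-core-1.3 comes from the post; every other coordinate and advisory identifier is invented for illustration.

```python
from collections import deque

# Constructed dependency graph using Maven-style "artifact-version" coordinates.
# Only rampart-core-1.3 is named on the page; the rest is invented.
DEPENDENCY_GRAPH = {
    "our-app":             ["rampart-core-1.3", "commons-logging-1.1"],
    "rampart-core-1.3":    ["axis2-kernel-1.4", "wss4j-1.5"],
    "axis2-kernel-1.4":    ["commons-logging-1.1", "xml-apis-1.3"],
    "wss4j-1.5":           ["xmlsec-1.4", "commons-logging-1.1"],
    "xmlsec-1.4":          ["xml-apis-1.3"],
    "commons-logging-1.1": [],
    "xml-apis-1.3":        [],
}

# Constructed advisory data: coordinates a dependency scanner would flag.
KNOWN_VULNERABLE = {
    "xmlsec-1.4":   "ADVISORY-PLACEHOLDER-1",
    "xml-apis-1.3": "ADVISORY-PLACEHOLDER-2",
}


def resolve_transitive(graph, root):
    """Breadth-first walk from root; returns {coordinate: (depth, path)}.
    Depth 1 is a direct dependency, anything deeper is transitive. The first
    (shortest) path to each artifact is kept, and the seen set stops cycles."""
    resolved = {}
    queue = deque([(root, 0, (root,))])
    seen = {root}
    while queue:
        node, depth, path = queue.popleft()
        for child in graph.get(node, []):
            if child in seen:
                continue
            seen.add(child)
            resolved[child] = (depth + 1, path + (child,))
            queue.append((child, depth + 1, path + (child,)))
    return resolved


def find_vulnerable(resolved, advisories):
    """Return [(coordinate, depth, advisory, path)] for flagged artifacts,
    deepest first, so the report shows which direct dependency drags them in."""
    hits = []
    for coord, (depth, path) in resolved.items():
        if coord in advisories:
            hits.append((coord, depth, advisories[coord], " -> ".join(path)))
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    deps = resolve_transitive(DEPENDENCY_GRAPH, "our-app")
    transitive = sum(1 for depth, _ in deps.values() if depth > 1)
    print(f"{len(deps)} dependencies, {transitive} of them transitive")
    for coord, depth, advisory, path in find_vulnerable(deps, KNOWN_VULNERABLE):
        print(f"{advisory}: {coord} at depth {depth} via {path}")
```

Because the path is kept, the report shows that the flagged artifacts are not something the application declared but arrive through rampart-core-1.3, which is exactly the blind spot a source-only static analyzer has.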