fabric8-analytics-vscode-extension by fabric8-analytics

Real-time code security and LLM safety analysis

Created 8 years ago
250 stars

Top 100.0% on SourcePulse

Project Summary

Summary

Red Hat Dependency Analytics (RHDA) is a VS Code extension addressing software supply chain security. It provides developers with real-time awareness of vulnerabilities within their code's dependencies across numerous ecosystems, enhancing security posture during development.

How It Works

The extension analyzes project manifest files (e.g., pom.xml, package.json, go.mod, requirements.txt, Cargo.toml) against Red Hat's hosted vulnerability data sources. It operates as an online service, processing dependency information to surface security concerns, license compatibility issues, and LLM safety metrics directly within the VS Code editor.

Quick Start & Requirements

Install via the VS Code Marketplace. Requires VS Code and the relevant package managers (Maven, npm, pip, Go, Cargo, Gradle), which must be reachable on the system PATH or configured in the extension settings. No further setup is needed: the extension is ready on installation and the first scan runs immediately.

Highlighted Details

  • Comprehensive ecosystem support: Maven, NPM, PNPM, Yarn, Golang, Python, Gradle, and Rust.
  • Advanced features include license compatibility checking, Docker image scanning (requires syft, skopeo), and LLM model safety analysis for Python files.
  • Facilitates batch analysis for monorepos and workspaces, and integrates with CI/CD pipelines via Tekton Tasks and Jenkins Plugins.

Maintenance & Community

Maintained by Red Hat as an online service. Support and feedback are available via email (rhda-support@redhat.com) or GitHub Issues.

Licensing & Compatibility

Licensed under Apache 2.0, permitting broad commercial use and integration.

Limitations & Caveats

Relies on an external Red Hat backend service. May exhibit version analysis discrepancies for Python and Go projects in the default configuration. Vulnerability detection for dependencies in Maven's provided scope or Gradle's compileOnly scope can be unreliable, because the version resolved at build time may differ from the one present at runtime. Enabling Python's usePipDepTree and usePythonVirtualEnvironment settings at the same time is unsupported and error-prone.

Health Check

  • Last Commit: 1 week ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 9
  • Issues (30d): 0
  • Star History: 1 star in the last 30 days
