Software Composition Analysis
VEXLIT scans your dependency files to find packages with known vulnerabilities, analyzes transitive dependencies, and detects license compliance issues across 12 package ecosystems.
12 package ecosystems
3 vulnerability databases
9 ecosystem combinations with transitive analysis
Supported Ecosystems
VEXLIT parses lockfiles and manifests from all major package managers.
Node.js: npm (package-lock.json), yarn (yarn.lock), pnpm (pnpm-lock.yaml)
Python: pip (requirements.txt), Pipfile (Pipfile.lock)
Go: go.mod, go.sum
Rust: Cargo.toml, Cargo.lock
Java: Maven (pom.xml), Gradle (build.gradle)
.NET: NuGet (packages.config, .csproj)
Ruby: Bundler (Gemfile, Gemfile.lock)
PHP: Composer (composer.json, composer.lock)
Swift: SwiftPM (Package.resolved)
Dart: pub (pubspec.yaml, pubspec.lock)
Multi-Database Vulnerability Lookup
VEXLIT queries three vulnerability databases in parallel for maximum coverage and deduplicates results by advisory ID.
OSV (Open Source Vulnerabilities)
Primary database. Open, community-maintained vulnerability data for all ecosystems.
GitHub Advisory Database (GHSA)
GitHub's curated security advisories. Cross-references with CVE and ecosystem-specific IDs.
NVD (National Vulnerability Database)
NIST's comprehensive CVE database with CVSS scoring and detailed analysis.
If any database is temporarily unavailable, VEXLIT returns results from the remaining databases instead of failing.
Transitive Dependency Analysis
Direct dependencies aren't the only risk. VEXLIT traces vulnerabilities through the entire dependency tree.
Cross-references your manifest (package.json) with your lockfile (package-lock.json) to identify which direct dependency pulled in a vulnerable transitive package. Supports 9 ecosystem combinations.
your-app
-> [email protected]
   -> [email protected] (CVE-2022-24999)
-> [email protected]
   -> [email protected] (no known CVEs)
License Compliance Detection
Every dependency is checked against SPDX license categories.
Strong copyleft (GPL, AGPL, SSPL, EUPL): requires releasing your source code under the same license.
Weak copyleft (LGPL, MPL, EPL, Artistic, CC-BY-SA): copyleft applies to modifications of the library only.
Permissive (MIT, Apache 2.0, BSD, ISC, Zlib, 0BSD, Unlicense): minimal restrictions on use.
Dependency Graph
For npm projects, VEXLIT parses lockfile v1/v2/v3 formats to extract the complete dependency graph, showing exactly how each vulnerable package is connected to your direct dependencies.
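The manifest-to-lockfile cross-reference described above, as an added example that is not VEXLIT's own code: it walks a constructed package-lock.json v3 fragment using Node's nearest-node_modules resolution, so a nested (shadowed) copy of a package is attributed to the parent that actually loads it, and reports each vulnerable install together with the direct dependency that pulled it in. The package names and advisory IDs are constructed placeholders, not real advisories.

```python
import json
# Constructed package-lock.json v3 fragment (not from the page): "utils" is installed
# twice, a nested 1.x copy under web-framework and a 2.x copy at the project root.
LOCKFILE = json.loads("""{
  "name": "your-app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"web-framework": "^1.0.0", "utils": "^2.0.0"}},
    "node_modules/web-framework": {"version": "1.4.2",
      "dependencies": {"query-parser": "^6.0.0", "utils": "^1.0.0"}},
    "node_modules/web-framework/node_modules/utils": {"version": "1.9.0"},
    "node_modules/query-parser": {"version": "6.10.0"},
    "node_modules/utils": {"version": "2.3.1"}
  }
}""")

# Constructed advisory lookup keyed by (name, version); a real scanner fills this
# from OSV / GHSA / NVD results deduplicated by advisory ID.
VULNERABLE = {("query-parser", "6.10.0"): "EXAMPLE-ADVISORY-0001",
              ("utils", "1.9.0"): "EXAMPLE-ADVISORY-0002"}

def resolve(packages, from_path, dep):
    """Nearest node_modules/<dep> walking up from from_path, as Node resolves it."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not base:
            return None  # not installed (optional/peer dep, or a broken lockfile)
        # drop the innermost ".../node_modules/<name>" segment and retry one level up
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""

def vulnerable_chains(lock, vulnerable):
    """(chain, advisory) per vulnerable install; chain starts at the direct dep."""
    packages, found = lock["packages"], []

    def walk(path, chain, seen):
        for dep in packages.get(path, {}).get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target is None or target in seen:  # skip missing deps and cycles
                continue
            version = packages[target]["version"]
            new_chain = chain + [f"{dep}@{version}"]
            if (dep, version) in vulnerable:
                found.append((" -> ".join(new_chain), vulnerable[(dep, version)]))
            walk(target, new_chain, seen | {target})

    walk("", [], frozenset())  # "" is the root project entry in lockfile v2/v3
    return found
```

Each returned chain reads like the tree shown above, and its first element is the direct dependency to upgrade or replace.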
Auto-Fix for Dependencies
Run 'vexlit fix --sca' to automatically upgrade vulnerable packages to their nearest safe version using npm audit fix.
$ vexlit fix --sca