Search for Components#

Discover which repositories contain specific components and analyze their impact across your organization.

Prerequisites#

Before you begin, ensure you have:

• Access to a DevGuard organization
• At least one repository with completed dependency scans
• Component information indexed (automatic after scans)

Find Components Across Organization#

Search for a component across all your repositories:

1. Navigate to Organization → Search
2. Enter component details in search box
3. View results showing all repositories using this component

Search by:

• Component name (e.g., "react", "log4j")
• Component version (e.g., "18.2.0")
• Package ecosystem (e.g., "npm", "pip", "maven")
• PURL format (e.g., "pkg:npm/react@18.2.0")

View Component Details#

Click on a component in search results to see:

• Component name and version
• Repository using it - Which repositories have this component
• Direct vs. transitive - Is it directly required or a dependency of a dependency?
• Artifacts - Which build outputs contain it
• License - Declared license or "unknown"
• Security status - Known vulnerabilities affecting this version
• Supply chain info - Open-source project details if available

Filter by Component Ecosystem#

Narrow search results by package ecosystem:

Identify Component Vulnerabilities#

When searching for a component, also see:

• Vulnerabilities affecting any version - Known CVEs
• Fixed in version - Minimum version that patches issues
• Severity distribution - Count of critical, high, medium, low issues
• Exploits available - Public exploits if any exist

Risk assessment:

If searching for "react" and version 18.2.0 has CVE-2024-1234:
1. See which repositories use 18.2.0
2. Check if any versions are patched
3. Identify repositories needing updates

Track Component Usage Across Repositories#

Understand component distribution:

1. Search for a component
2. View all repositories using it
3. See version breakdown:
   • How many repos use v1.0.0?
   • How many use v2.0.0?
   • How many use vulnerable versions?

This helps identify standardization opportunities or risks.

Find Transitive Dependencies#

Components are not just direct dependencies:

1. Search for a component
2. See Direct dependencies (explicitly required)
3. See Transitive dependencies (dependencies of dependencies)
4. Identify if component appears as transitive in many repos

Analyze Component with Known Vulnerabilities#

When searching for components with CVEs:

1. Enter the component name
2. View All versions and their CVE status
3. Identify affected versions across your repos
4. Plan remediation:
   • Which repos need updates?
   • Which versions are safe?
   • What's the upgrade path?

Example: Log4j2 vulnerability

Search: "log4j"
Results show:
- v2.17.0 and earlier: Vulnerable to CVE-2021-44228 (Critical)
- v2.17.1+: Patched
- Your repos status:
  - Production app: v2.16.0 (vulnerable!)
  - Tools repo: v2.17.2 (safe)
  - Legacy service: v2.14.0 (vulnerable!)

View Component Project Information#

For open-source components, see:

• Project homepage - Link to official repository
• License - Declared license
• Open-source status - Link to OpenSSF Project if available
• Download statistics - Popularity in the ecosystem
• Last release date - Activity level
• Maintainer info - Who maintains it

Create Incidents from Component Search#

If you find a high-risk component:

1. Search for it
2. Click Create Incident or Create Issue
3. DevGuard creates a tracking item for all affected repositories
4. Team can collaborate on remediation plan
5. Progress is tracked across organization

Export Component Report#

Generate reports on component usage:

1. Perform component search
2. Click Export Results
3. Download data including:
   • All repositories using component
   • Versions in each repository
   • Vulnerability status
   • License information
4. Share with security team or stakeholders

Monitor Component Lifecycle#

Track when components change:

• New occurrences - Component added to new repository
• Version updates - Repository upgraded component version
• Removal - Repository no longer uses component
• Vulnerability discovery - New CVE published for version

Set up alerts to track important components.

Component Search Examples#

Finding and replacing outdated dependencies#

Search: "lodash@4.17.0"
Result: 12 repos using this version
Action: Creates upgrade plan to latest safe version

Identifying supply chain risk#

Search: "tiny-cookie@0.1.0"
Result: Unknown project, no maintainer activity for 3 years
Decision: Consider replacing with maintained alternative

Tracking vulnerable components#

Search: "react@16.x"
Result: 5 repos still using vulnerable React 16
Action: Plan upgrades to React 18+ LTS

License compliance across org#

Search: "gcc" (ecosystem: Go)
Result: Found in 8 repos, all GPL-licensed
Decision: Evaluate implications or replace

Best Practices#

1. Search regularly - Monitor critical components monthly
2. Keep updated - Upgrade to latest safe versions quickly
3. Standardize versions - Use same versions across similar projects when possible
4. Review transitive deps - Check indirect dependencies for risks
5. Document decisions - Record why you chose specific versions
6. Automate where possible - Use Dependabot or similar for updates

Troubleshooting#

Component not found in search#

• Verify the exact name and spelling
• Try PURL format: pkg:ecosystem/name@version
• Check if repository has been scanned recently
• Ensure you have access to repositories

Too many search results#

• Be more specific with version or ecosystem
• Filter by repository if searching organization-wide
• Use PURL format for precise matching

Version information seems outdated#

• Trigger a new scan: Go to repository → Rescan Now
• Check when this repository was last scanned
• Results update after new scan completes

Next Steps#

• Find Vulnerable Dependencies - Security-focused component analysis
• View Dependency Tree - See how components relate
• License Compliance - Review component licenses