Dependencies
dependencies
Dependency rules — vulnerability scanning and hygiene checks.
DependencyAuditRule
dataclass
Bases: ProjectRule
Scan dependencies for known vulnerabilities via pip-audit.
Scoring: 100 - (vuln_count * 15), min 0.
Vulnerabilities reported against environment tools (pip, setuptools,
wheel, uv, pip-audit) are excluded from the count. These tools
are injected into the audit venv by uv run --with rather than declared
as project dependencies, so their CVEs are not actionable from the project
being audited. Matching is case-insensitive.
Source code in packages/axm-audit/src/axm_audit/core/rules/dependencies.py
| Python | |
|---|---|
170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 | |
rule_id
property
Unique identifier for this rule.
check(project_path)
Check dependencies for known CVEs.
Source code in packages/axm-audit/src/axm_audit/core/rules/dependencies.py
DependencyHygieneRule
dataclass
Bases: ProjectRule
Check for unused/missing/transitive dependencies via deptry.
Scoring: 100 - (issue_count * 10), min 0.
Source code in packages/axm-audit/src/axm_audit/core/rules/dependencies.py
| Python | |
|---|---|
480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 | |
rule_id
property
Unique identifier for this rule.
check(project_path)
Check dependency hygiene with deptry.
Source code in packages/axm-audit/src/axm_audit/core/rules/dependencies.py
PipAuditUnavailableError
Bases: RuntimeError
Raised when pip-audit could not reach pypi (transient/network failure).
Distinguished from a generic :class:RuntimeError so that
:meth:DependencyAuditRule.check can map it to a non-penalizing SKIP
instead of a hard ERROR fail.
Source code in packages/axm-audit/src/axm_audit/core/rules/dependencies.py
| Python | |
|---|---|
detect_first_party_packages(project_path)
Auto-detect first-party package names from project layout.
Scans src/ for top-level package directories (including namespace
packages). Falls back to scanning the project root when no src/
directory exists.
Returns an empty list if [tool.deptry] known_first_party is already
configured in pyproject.toml — deptry's own config takes precedence.
Source code in packages/axm-audit/src/axm_audit/core/rules/dependencies.py
has_deptry_config(project_path)
Check if [tool.deptry] known_first_party is configured.
Source code in packages/axm-audit/src/axm_audit/core/rules/dependencies.py
resolve_workspace_members(project_path)
Resolve workspace member paths from [tool.uv.workspace].
Thin projection over :func:axm_ingot.resolve_workspace: returns the
member directory paths, or None when project_path is not a uv
workspace. exclude globs are honoured by ingot.
Source code in packages/axm-audit/src/axm_audit/core/rules/dependencies.py
run_deptry(project_path)
Run deptry and return parsed JSON issues.
Raises:
| Type | Description |
|---|---|
RuntimeError
|
If deptry exits with a non-zero return code and produces no JSON output file. |