A React/TypeScript web application that analyzes software dependencies for security vulnerabilities, integrity issues, and license compliance — directly addressing OWASP A03:2025 Software Supply Chain Failures.
Powered by Google Gemini AI, the tool cross-references your project's dependencies against known CVEs, checks cryptographic hashes, visualizes transitive dependency graphs, and generates audit-ready reports.
| Feature | Description |
|---|---|
| Automated Parsing | Parses package.json (npm) and requirements.txt (Python pip) files to extract the full dependency tree |
| AI Threat Intelligence | Uses Gemini 2.5 Flash to identify CVEs, unmaintained packages (CWE-1104), and provide remediation advice |
| Hash & Signature Verification | Checks cryptographic hashes against a trusted registry to detect tampered packages |
| Dependency Graph | Visualizes direct and transitive dependency relationships to identify critical risk paths |
| Policy Enforcement | Flags violations such as critical CVEs, non-permissive licenses, or unmaintained components |
| Risk Scoring | Aggregates integrity, license, and vulnerability data into a composite risk score per package |
| Audit-Ready Reports | Exports findings as Markdown or CycloneDX-compatible SBOM JSON |
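The first two rows of the table, manifest parsing and hash verification, are the mechanics a reviewer most wants to see concretely. The following TypeScript is an added example written for this page, not the project's `parserService.ts` or `verificationService.ts`: it extracts dependencies from `package.json` (including `devDependencies`, since build tooling is part of the supply chain) and from `requirements.txt` (handling comments, pip options, extras and environment markers), then checks an artifact's SHA-256 digest against a trusted registry. The registry, the artifact bytes and the package name `left-pad@1.3.0` are constructed for the example; a real deployment would load the expected digests from the registry's metadata.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// One dependency extracted from a manifest, independent of ecosystem.
export interface Dependency {
  name: string;
  spec: string;            // version range or pin exactly as written in the manifest
  ecosystem: "npm" | "pip";
  dev: boolean;            // true for devDependencies (npm only)
}

// package.json: both dependencies and devDependencies count, because a compromised
// build-time package reaches the artifact just as a runtime one does.
export function parsePackageJson(text: string): Dependency[] {
  const pkg = JSON.parse(text) as {
    dependencies?: Record<string, string>;
    devDependencies?: Record<string, string>;
  };
  const out: Dependency[] = [];
  const deps = pkg.dependencies ?? {};
  for (const name of Object.keys(deps)) out.push({ name, spec: deps[name], ecosystem: "npm", dev: false });
  const devDeps = pkg.devDependencies ?? {};
  for (const name of Object.keys(devDeps)) out.push({ name, spec: devDeps[name], ecosystem: "npm", dev: true });
  return out;
}

// requirements.txt: skip comments, blank lines and pip options (-r, --index-url, ...),
// drop extras ([ssh]) and environment markers (; python_version ...), keep the specifier.
export function parseRequirementsTxt(text: string): Dependency[] {
  const out: Dependency[] = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/\s+#.*$/, "").trim();        // strip inline comment
    if (line === "" || line.startsWith("#") || line.startsWith("-")) continue;
    const noMarker = line.split(";")[0].trim();
    const m = /^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(.*)$/.exec(noMarker);
    if (!m) continue;
    // PEP 503 normalisation so "Requests" and "requests" resolve to the same package
    const name = m[1].toLowerCase().replace(/[-_.]+/g, "-");
    out.push({ name, spec: m[2].trim(), ecosystem: "pip", dev: false });
  }
  return out;
}

function sha256Hex(bytes: Buffer): string {
  return createHash("sha256").update(bytes).digest("hex");
}

// Constructed trust anchor: the digest the registry recorded when the package was
// published. The bytes below stand in for a real tarball.
export const PUBLISHED_ARTIFACT = Buffer.from("constructed tarball bytes for left-pad@1.3.0");
export const TRUSTED_REGISTRY: Record<string, string> = {
  "npm:left-pad@1.3.0": sha256Hex(PUBLISHED_ARTIFACT),
};

export type HashStatus = "verified" | "tampered" | "unknown";

// "unknown" is reported separately from "tampered": a package with no registry
// record cannot be vouched for, but has not been shown to be modified either.
export function verifyArtifact(registry: Record<string, string>, key: string, bytes: Buffer): HashStatus {
  const expected = registry[key];
  if (expected === undefined) return "unknown";
  const actual = sha256Hex(bytes);
  // Digests are public, so constant-time comparison is a habit rather than a need here;
  // both buffers are 32 bytes, which timingSafeEqual requires.
  return timingSafeEqual(Buffer.from(actual, "hex"), Buffer.from(expected, "hex")) ? "verified" : "tampered";
}
```

The parser deliberately keeps the raw specifier (`^19.0.0`, `==2.31.0`) rather than resolving it: an unpinned range is itself a finding worth surfacing, because the version that gets installed can change between two runs of the same analysis.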
- Frontend: React 19, TypeScript
- Build Tool: Vite
- AI: Google Gemini 2.5 Flash (`@google/genai`)
- Styling: Tailwind CSS (via CDN)
- Node.js (v18 or later recommended)
- A Google Gemini API key

1. Clone the repository:

   ```bash
   git clone https://github.com/preethamk976/Crypto.git
   cd Crypto
   ```

2. Install dependencies:

   ```bash
   npm install
   ```

3. Create a `.env.local` file in the project root and add your Gemini API key:

   ```
   GEMINI_API_KEY=your_api_key_here
   ```

4. Start the development server:

   ```bash
   npm run dev
   ```

5. Open your browser at `http://localhost:5173`
Note: If no API key is configured, the app falls back to built-in mock data so you can still explore the UI.
- Checker tab — Paste or upload a `package.json` or `requirements.txt` file, then click Analyze.
- Results tab — Review per-dependency risk levels, CVEs, hash/signature status, license, and transitive dependencies.
- Details tab — Learn about OWASP A03:2025 Supply Chain Failures and the prevention strategies this tool implements.
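The Results tab combines the signals listed above (CVEs, hash/signature status, license, maintenance) into policy violations, a risk score and an exportable report. As an added example, not the project's own `PolicyCheck.tsx` or `types.ts`, the TypeScript below evaluates per-dependency findings against the three policy rules the feature table names (critical CVE, non-permissive license, unmaintained component per CWE-1104), adds the integrity result, folds everything into a 0 to 100 score, and emits a minimal CycloneDX 1.5 document in which each vulnerability is linked to its component by `bom-ref`. The `Finding` shape, the license allow-list, the two-year maintenance threshold, the score weights, the package names and the `CVE-0000-0001` identifier are all assumptions or constructed placeholders for this example.

```typescript
// Per-dependency findings in the shape the Results tab presents (assumed for this example).
export type Severity = "critical" | "high" | "medium" | "low";
export interface Finding {
  name: string;
  version: string;
  ecosystem: "npm" | "pip";
  license: string;                                   // SPDX identifier
  cves: { id: string; severity: Severity }[];
  daysSinceLastRelease: number;
  hashStatus: "verified" | "tampered" | "unknown";
}

export interface Violation { pkg: string; rule: string; detail: string }

// Allow-list of licenses the policy treats as permissive (assumed for the example).
const PERMISSIVE = new Set(["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"]);
// Two years without a release counts as unmaintained (threshold assumed).
const UNMAINTAINED_AFTER_DAYS = 730;

export function checkPolicy(f: Finding): Violation[] {
  const pkg = `${f.name}@${f.version}`;
  const out: Violation[] = [];
  for (const c of f.cves) {
    if (c.severity === "critical") out.push({ pkg, rule: "critical-cve", detail: c.id });
  }
  if (!PERMISSIVE.has(f.license)) out.push({ pkg, rule: "non-permissive-license", detail: f.license });
  if (f.daysSinceLastRelease > UNMAINTAINED_AFTER_DAYS) {
    out.push({ pkg, rule: "unmaintained (CWE-1104)", detail: `${f.daysSinceLastRelease} days since last release` });
  }
  if (f.hashStatus !== "verified") out.push({ pkg, rule: "integrity", detail: `hash ${f.hashStatus}` });
  return out;
}

// Composite risk score, capped at 100. The weights are an assumption for this example;
// the tool's own formula is not documented on this page.
const SEVERITY_WEIGHT: Record<Severity, number> = { critical: 40, high: 25, medium: 10, low: 3 };
export function riskScore(f: Finding): number {
  let score = 0;
  for (const c of f.cves) score += SEVERITY_WEIGHT[c.severity];
  if (f.hashStatus === "tampered") score += 50;
  else if (f.hashStatus === "unknown") score += 15;
  if (!PERMISSIVE.has(f.license)) score += 10;
  if (f.daysSinceLastRelease > UNMAINTAINED_AFTER_DAYS) score += 10;
  return Math.min(100, score);
}

// Package URL; scoped npm names encode the leading "@" as %40 per the purl spec.
export function purl(f: Finding): string {
  const type = f.ecosystem === "npm" ? "npm" : "pypi";
  return `pkg:${type}/${f.name.replace(/^@/, "%40")}@${f.version}`;
}

// Minimal CycloneDX 1.5 JSON: components plus vulnerabilities that reference them.
export function toCycloneDx(findings: Finding[]) {
  const components = findings.map((f) => ({
    type: "library",
    "bom-ref": purl(f),
    name: f.name,
    version: f.version,
    purl: purl(f),
    licenses: [{ license: { id: f.license } }],
  }));
  const vulnerabilities: { id: string; ratings: { severity: Severity }[]; affects: { ref: string }[] }[] = [];
  for (const f of findings) {
    for (const c of f.cves) {
      vulnerabilities.push({ id: c.id, ratings: [{ severity: c.severity }], affects: [{ ref: purl(f) }] });
    }
  }
  return { bomFormat: "CycloneDX", specVersion: "1.5", version: 1, components, vulnerabilities };
}

// Constructed sample findings (package names and CVE id are placeholders, not real advisories).
export const SAMPLE_FINDINGS: Finding[] = [
  { name: "acme-utils", version: "1.2.3", ecosystem: "npm", license: "MIT",
    cves: [{ id: "CVE-0000-0001", severity: "critical" }], daysSinceLastRelease: 1200, hashStatus: "verified" },
  { name: "acme-client", version: "0.9.0", ecosystem: "pip", license: "Apache-2.0",
    cves: [], daysSinceLastRelease: 30, hashStatus: "verified" },
];
```

Keeping policy evaluation separate from scoring matters in practice: a violation such as a critical CVE or a tampered hash should fail the check outright, whereas the score is for ranking what to fix first, and a low composite score must never be read as permission to ignore a hard violation.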
| File | Ecosystem |
|---|---|
| `package.json` | Node.js / npm |
| `requirements.txt` | Python / pip |
| Command | Description |
|---|---|
| `npm run dev` | Start the local development server |
| `npm run build` | Build the app for production |
| `npm run preview` | Preview the production build locally |
This tool specifically targets OWASP A03:2025 — Software Supply Chain Failures (ranked #1 in the 2025 survey). Notable real-world supply chain incidents include:
- Bybit Theft (2025): $1.5B theft via a supply chain attack in wallet software
- GlassWorm (2025): VS Code Marketplace extensions harvesting developer secrets
- SolarWinds (2019): ~18,000 organizations breached through a compromised software update
```
├── components/              # React UI components
│   ├── AnalysisView.tsx     # Results dashboard
│   ├── DependencyGraph.tsx
│   ├── DependencyInput.tsx
│   ├── Details.tsx          # OWASP education page
│   ├── Header.tsx
│   ├── PolicyCheck.tsx
│   └── RiskTrendChart.tsx
├── services/                # Business logic
│   ├── geminiService.ts     # Gemini AI integration
│   ├── parserService.ts     # Dependency file parsers
│   └── verificationService.ts
├── constants.ts             # Sample data & mock registry
├── types.ts                 # TypeScript interfaces & enums
├── App.tsx                  # Root component & routing
└── index.tsx                # Entry point
```
This project is private. See package.json for details.