depsee is a local-first SBOM explorer for CycloneDX files. It reads a software bill of materials, builds a dependency graph, enriches packages with NVD CVE data, and serves a small web UI for visualizing dependency risk.
The goal is simple: make SBOMs easier to understand than a flat list of packages or CVEs.
- Parse CycloneDX JSON SBOM files
- Build a directed dependency graph from `components` and `dependencies`
- Serve a local web UI and a `/api/graph` JSON endpoint
- Enrich nodes with NVD CVEs using package URL to CPE matching
- Compute blast radius, dependent count, severity, and risk score
- Keep NVD requests rate-limited, retried, and cached in memory
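To make the graph and blast-radius features concrete, here is an added, self-contained example (not depsee's own code) that reads the two CycloneDX sections the list above names, `components` and `dependencies`, reverses the edges, and counts transitive dependents per package URL. The SBOM it parses is a constructed sample, and `cdx` and `BlastRadius` are names assumed for this example only.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal CycloneDX shape: components carry a purl; each dependencies entry links a ref to what it dependsOn.
type cdx struct {
	Components   []struct{ Purl string `json:"purl"` } `json:"components"`
	Dependencies []struct {
		Ref       string   `json:"ref"`
		DependsOn []string `json:"dependsOn"`
	} `json:"dependencies"`
}

// BlastRadius counts, per purl, the packages that transitively depend on it (the set a vulnerable node would affect).
func BlastRadius(sbom []byte) (map[string]int, error) {
	var doc cdx
	if err := json.Unmarshal(sbom, &doc); err != nil {
		return nil, err
	}
	dependents := map[string][]string{} // reversed edges: dependency purl -> direct dependents
	for _, d := range doc.Dependencies {
		for _, dep := range d.DependsOn {
			dependents[dep] = append(dependents[dep], d.Ref)
		}
	}
	out := map[string]int{}
	for _, c := range doc.Components {
		seen := map[string]bool{} // visited set; also terminates on dependency cycles
		stack := append([]string(nil), dependents[c.Purl]...)
		for len(stack) > 0 {
			n := stack[len(stack)-1]
			stack = stack[:len(stack)-1]
			if !seen[n] {
				seen[n] = true
				stack = append(stack, dependents[n]...)
			}
		}
		out[c.Purl] = len(seen)
	}
	return out, nil
}

// Constructed sample SBOM (not the project's testdata): app -> web -> {lib, util}, lib -> util.
const sampleSBOM = `{"components":[{"purl":"pkg:npm/app@1.0.0"},{"purl":"pkg:npm/web@2.0.0"},{"purl":"pkg:npm/lib@1.2.0"},{"purl":"pkg:npm/util@0.9.0"}],"dependencies":[{"ref":"pkg:npm/app@1.0.0","dependsOn":["pkg:npm/web@2.0.0"]},{"ref":"pkg:npm/web@2.0.0","dependsOn":["pkg:npm/lib@1.2.0","pkg:npm/util@0.9.0"]},{"ref":"pkg:npm/lib@1.2.0","dependsOn":["pkg:npm/util@0.9.0"]}]}`
func main() {
	radius, err := BlastRadius([]byte(sampleSBOM))
	fmt.Println(radius, err) // map[pkg:npm/app@1.0.0:0 pkg:npm/lib@1.2.0:2 pkg:npm/util@0.9.0:3 pkg:npm/web@2.0.0:1] <nil>
}
```

`util` scores highest because every other package reaches it, which is the ordering a "fix these first" view would surface.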
The web UI runs locally in your browser: dependency graph, path highlighting, and a detail panel per package.
depsee is an early-stage project. The core graph pipeline is working, and the web UI is served locally, but the project is still evolving.
- Go 1.25+
After clone, the fastest way to see the graph is to serve the UI. If you omit `-file`, depsee loads the sample SBOM at `testdata/min-sbom.json`.

```sh
git clone https://github.com/amvn-rwt/depsee.git
cd depsee
go run ./cmd/depsee -serve
```

Open the URL printed in the terminal (default listen address is `:8080`, shown as `http://127.0.0.1:8080/`). The UI and `GET /api/graph` use that same origin. To open your default browser automatically, add `-open`:

```sh
go run ./cmd/depsee -serve -open
```

Use your own CycloneDX file:

```sh
go run ./cmd/depsee -serve -file path/to/service.sbom.json
```

Build a binary:

```sh
go build -o depsee ./cmd/depsee
```

On Windows:

```sh
go build -o depsee.exe ./cmd/depsee
```

Run in web mode:

```sh
go run ./cmd/depsee -serve
```

Then open the URL from the log (or use `-open`). With a specific SBOM:

```sh
go run ./cmd/depsee -serve -file path/to/service.sbom.json
```

Useful endpoints (same host/port as in the log):

- `/` — graph UI
- `/api/graph` — JSON graph
Offline or no NVD calls (SBOM `vulnerabilities[]` still applied):

```sh
go run ./cmd/depsee -serve -skip-nvd
go run ./cmd/depsee -serve -file path/to/service.sbom.json -skip-nvd
```

Print a basic adjacency list (no HTTP server):

```sh
go run ./cmd/depsee -file path/to/service.sbom.json
```

With a built binary:

```sh
depsee -serve
depsee -serve -file path/to/service.sbom.json
depsee -file path/to/service.sbom.json
depsee -serve -addr :9090 -file path/to/service.sbom.json
depsee -serve -skip-nvd
depsee -serve -open
```

Flags:

- `-file` - path to a CycloneDX JSON SBOM file (default: `testdata/min-sbom.json`)
- `-serve` - start the local HTTP server and web UI
- `-addr` - HTTP listen address for web mode (default: `:8080`)
- `-open` - with `-serve`, open the UI in the default browser after the server starts listening
- `-skip-nvd` - disable NVD enrichment

depsee can query the NVD API without an API key, but rate limits are much lower. To improve throughput, set:

```sh
export NVD_API_KEY=your_key_here
```

On PowerShell:

```powershell
$env:NVD_API_KEY="your_key_here"
```

`GET /api/graph` returns graph data for the loaded SBOM:
```json
{
  "nodes": [
    {
      "id": "pkg:npm/[email protected]",
      "label": "[email protected]",
      "type": "library",
      "severity": "HIGH"
    }
  ],
  "links": [
    {
      "source": "pkg:npm/[email protected]",
      "target": "pkg:npm/[email protected]"
    }
  ]
}
```

Project layout:

```text
depsee/
├── cmd/depsee/          # CLI entrypoint
├── internal/app/        # core application logic
└── internal/app/web/    # embedded static UI assets
```
Run all tests:

```sh
go test ./...
```

Run the web app locally:

```sh
go run ./cmd/depsee -serve -skip-nvd
go run ./cmd/depsee -serve -skip-nvd -open
```

With a custom SBOM:

```sh
go run ./cmd/depsee -serve -file path/to/service.sbom.json -skip-nvd
```

Planned work:

- Better CycloneDX validation and empty-dependency handling
- Improved graph UI and node details
- More complete CVE enrichment and remediation guidance
- Risk ranking and "fix these first" workflow
- Additional export and integration options
Issues and pull requests are welcome. If you want to contribute, start by opening an issue or proposing an improvement.
This project is licensed under the terms of the LICENSE file in this repository.