# Dep Graph API

{% hint style="info" %}
**Feature availability**\
The Snyk API is available only with Enterprise plans. For more information, see [plans and pricing](https://snyk.io/plans/).
{% endhint %}

The Dep Graph API requires additional permissions. [Contact Snyk Support](https://support.snyk.io) to request access.

To test and monitor dependencies managed by [Bazel](https://docs.snyk.io/scan-with-snyk/snyk-open-source/snyk-for-bazel), it is recommended that you use the Snyk Dep Graph API endpoints [Test Dep Graph](https://docs.snyk.io/snyk-api/reference/test-v1#test-dep-graph) and [Monitor Dep Graph](https://docs.snyk.io/snyk-api/reference/monitor-v1). The monitor capability allows customers to submit a tree for Snyk to monitor for vulnerabilities. While you can use Bazel for many languages including C++, the Dep Graph endpoints do not support C++.

Follow these basic steps:

1. For each type of dependency, for example, Maven, Cocoapods, create a [Dep Graph JSON object](https://github.com/snyk/dep-graph) listing all the dependency packages and versions. See [Example of Snyk for Bazel](https://docs.snyk.io/scan-with-snyk/snyk-open-source/snyk-for-bazel/example-of-snyk-for-bazel).
2. As part of a Bazel test rule, send the Dep Graph JSON object as a POST request to the endpoint [Test Dep Graph](https://docs.snyk.io/snyk-api/reference/test-v1#test-dep-graph), along with your [auth token](https://docs.snyk.io/snyk-api/authentication-for-api). An example curl request follows:

   ```bash
   curl -X POST 'https://api.snyk.io/v1/test/dep-graph' \
     -H 'Authorization: token {{your token}}' \
     -H 'Content-Type: application/json; charset=utf-8' \
     -d @dep-graph.json
   ```
3. Check the API response for pass/fail status and any resulting vulnerabilities.

## How the Test Dep Graph API works

The Test Dep Graph API takes a generic dependency graph and returns a report containing any relevant vulnerabilities for those dependencies.

The supported package managers and repository ecosystems are listed in the [Test Dep Graph](https://docs.snyk.io/snyk-api/reference/test-v1#test-dep-graph) and [Monitor Dep Graph](https://docs.snyk.io/snyk-api/reference/monitor-v1) documentation.

Any of your Bazel dependencies that are available in the supported ecosystems can be tested using the Snyk API.

## Snyk Dep Graph JSON syntax

The Test Dep Graph API takes a [Snyk Dep Graph](https://github.com/snyk/dep-graph) JSON object describing the root application and the graph of direct and transitive dependencies.

The [schema](https://github.com/snyk/dep-graph#depgraphdata) for this format is as follows:

{% code overflow="wrap" fullWidth="false" %}

```typescript
export interface DepGraphData {
  schemaVersion: string;
  pkgManager: {
    name: string;
    version?: string;
    repositories?: Array<{
      alias: string;
    }>;
  };
  pkgs: Array<{
    id: string;
    info: {
      name: string;
      version?: string;
    };
  }>;
  graph: {
    rootNodeId: string;
    nodes: Array<{
      nodeId: string;
      pkgId: string;
      info?: {
        versionProvenance?: {
          type: string;
          location: string;
          property?: {
            name: string;
          };
        },
        labels?: {
          [key: string]: string | undefined;
        };
      };
      deps: Array<{
        nodeId: string;
      }>;
    }>;
  };
}
```

{% endcode %}

Further notes on specific components in the Dep Graph object follow:

* `schemaVersion` - the version of the Dep Graph schema. Set this to `1.2.0`.
* `pkgManager.name` - can be one of `deb`, `gomodules`, `gradle`, `maven`, `npm`, `nuget`, `paket`, `pip`, `rpm`, `rubygems`, or `cocoapods`.
* `pkgs` - an array of objects containing `id`, `name` and `version` of all packages in the Dep Graph. Note that the `id` must be in the form `name@version`. List each of your dependencies in this array, including an item representing the Project itself.
* `graph.nodes` - an array of objects describing the relationships between entries in `pkgs`. This is typically the Project node with all other packages defined as a flat array of direct dependencies in `deps`.
* `graph.rootNodeId` - specifies the `id` of the entry in `graph.nodes` to use as the root node of the graph. Set this to the `nodeId` of the Project node.
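
The notes above can be turned into a small generator plus a consistency check that runs before the graph is sent. This is an added example, not Snyk's code: the function names and the `my-bazel-app` project are hypothetical, and the dependency is the one from the example response on this page.

```python
import json

# pkgManager.name values listed on this page
SUPPORTED = {"deb", "gomodules", "gradle", "maven", "npm", "nuget",
             "paket", "pip", "rpm", "rubygems", "cocoapods"}


def build_dep_graph(pkg_manager, project, deps):
    """Flat graph: Project node plus all deps; items are (name, version)."""
    if pkg_manager not in SUPPORTED:
        raise ValueError(f"unsupported pkgManager.name: {pkg_manager!r}")
    pkgs, nodes, seen = [], [], set()
    for name, version in [project, *deps]:
        pkg_id = f"{name}@{version}"  # id must have the form name@version
        if pkg_id in seen:  # list each package once
            continue
        seen.add(pkg_id)
        pkgs.append({"id": pkg_id, "info": {"name": name, "version": version}})
        nodes.append({"nodeId": pkg_id, "pkgId": pkg_id, "deps": []})
    nodes[0]["deps"] = [{"nodeId": n["nodeId"]} for n in nodes[1:]]
    return {"schemaVersion": "1.2.0", "pkgManager": {"name": pkg_manager},
            "pkgs": pkgs,
            "graph": {"rootNodeId": nodes[0]["nodeId"], "nodes": nodes}}


def validate_dep_graph(graph):
    """Return a list of structural problems; an empty list means consistent."""
    errors = []
    pkg_ids = {p["id"] for p in graph["pkgs"]}
    for p in graph["pkgs"]:
        # assumption of this example: a missing version compares as empty
        if p["id"] != f'{p["info"]["name"]}@{p["info"].get("version", "")}':
            errors.append(f'pkg id {p["id"]!r} is not name@version')
    node_ids = {n["nodeId"] for n in graph["graph"]["nodes"]}
    if graph["graph"]["rootNodeId"] not in node_ids:
        errors.append("rootNodeId does not match any node")
    for n in graph["graph"]["nodes"]:
        if n["pkgId"] not in pkg_ids:
            errors.append(f'node {n["nodeId"]!r} has unknown pkgId')
        errors += [f'node {n["nodeId"]!r} has dangling dep {d["nodeId"]!r}'
                   for d in n["deps"] if d["nodeId"] not in node_ids]
    return errors


if __name__ == "__main__":
    # Constructed input: hypothetical project, dependency from the page's example
    g = build_dep_graph("maven", ("my-bazel-app", "1.0.0"),
                        [("ch.qos.logback:logback-core", "1.0.13")])
    print(json.dumps(g, indent=2))
```

Redirect the output to `dep-graph.json` to use it with the curl request shown earlier.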

## Snyk Dep Graph Test API response

The Test Dep Graph API returns a JSON object describing any issues (vulnerabilities and licenses) found in the Dep Graph dependencies.

An example response with a single vulnerability follows:

{% code overflow="wrap" %}

```json
{
    "ok": false,
    "packageManager": "maven",
    "issuesData": {
        "SNYK-JAVA-CHQOSLOGBACK-30208": {
            "CVSSv3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "alternativeIds": [],
            "creationTime": "2017-03-19T14:58:38Z",
            "credit": [
                "Unknown"
            ],
            "cvssScore": 9.8,
            "description": "## Overview\n[ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core) is a logback-core module.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution. A configuration can be ...",
            "disclosureTime": "2017-03-13T06:59:00Z",
            "exploit": "Not Defined",
            "fixedIn": [
                "1.1.11"
            ],
            "functions": [],
            "id": "SNYK-JAVA-CHQOSLOGBACK-30208",
            "identifiers": {
                "CVE": [
                    "CVE-2017-5929"
                ],
                "CWE": [
                    "CWE-502"
                ]
            },
            "language": "java",
            "mavenModuleName": {
                "artifactId": "logback-core",
                "groupId": "ch.qos.logback"
            },
            "modificationTime": "2020-06-12T14:36:56.271247Z",
            "moduleName": "ch.qos.logback:logback-core",
            "packageManager": "maven",
            "packageName": "ch.qos.logback:logback-core",
            "patches": [],
            "proprietary": false,
            "publicationTime": "2017-03-21T15:30:44Z",
            "references": [
                {
                    "title": "GitHub Commit #1",
                    "url": "https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8"
                },
                {
                    "title": "GitHub Commit #2",
                    "url": "https://github.com/qos-ch/logback/commit/979b042cb1f0b4c1e5869ccc8912e68c39f769f9"
                },
                {
                    "title": "Logback News",
                    "url": "https://logback.qos.ch/news.html"
                },
                {
                    "title": "NVD",
                    "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929"
                },
                {
                    "title": "NVD",
                    "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5929/"
                }
            ],
            "semver": {
                "vulnerable": [
                    "[, 1.1.11)"
                ]
            },
            "severity": "high",
            "title": "Arbitrary Code Execution"
        }
    },
    "issues": [
        {
            "pkgName": "ch.qos.logback:logback-core",
            "pkgVersion": "1.0.13",
            "issueId": "SNYK-JAVA-CHQOSLOGBACK-30208",
            "fixInfo": {}
        }
    ],
    "org": {
        "id": "3e5fe3fe-9181-4f0f-a231-39764485e73f",
        "name": "stephen.elson-xnf"
    }
}
```

{% endcode %}

Further notes on specific components in the response object follow:

* `ok` - Boolean value summarizing whether Snyk found any vulnerabilities in the supplied dependencies. You can use this for a quick pass or fail test.
* `issuesData` - a hash of each unique vulnerability found. Each vulnerability contains many useful properties, such as `title`, `description`, `identifiers`, `publicationTime`, `severity`, and so on.
* `issues` - a simple array of mappings from vulnerabilities in `issuesData` to package. As a vulnerability may be relevant to multiple packages, this mapping is used to keep the response length as short as possible.
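
A build gate has to join `issues` back to `issuesData` to report which package is affected and how severely. The following added example (not Snyk's code) does that with a severity threshold; the function names are hypothetical, the sample is the response above trimmed to the fields used, and the threshold logic is this example's own policy.

```python
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample: the response shown above, trimmed to the fields used here
SAMPLE_RESPONSE = {
    "ok": False,
    "issuesData": {
        "SNYK-JAVA-CHQOSLOGBACK-30208": {
            "title": "Arbitrary Code Execution",
            "severity": "high",
            "fixedIn": ["1.1.11"],
            "identifiers": {"CVE": ["CVE-2017-5929"], "CWE": ["CWE-502"]},
        }
    },
    "issues": [{"pkgName": "ch.qos.logback:logback-core",
                "pkgVersion": "1.0.13",
                "issueId": "SNYK-JAVA-CHQOSLOGBACK-30208", "fixInfo": {}}],
}


def findings(response):
    """Join each issues[] mapping to its issuesData record."""
    rows = []
    for issue in response["issues"]:
        data = response["issuesData"].get(issue["issueId"], {})
        rows.append({
            "id": issue["issueId"],
            "package": f'{issue["pkgName"]}@{issue["pkgVersion"]}',
            "title": data.get("title", "unknown"),
            # a mapping with no details or an unknown level ranks as critical
            "severity": data.get("severity", "critical"),
            "cve": data.get("identifiers", {}).get("CVE", []),
            "fixed_in": data.get("fixedIn", []),
        })
    return rows


def gate(response, fail_on="high"):
    """Return (passed, blocking); fail closed on anything but a test result."""
    if not isinstance(response.get("ok"), bool):
        raise ValueError("no boolean 'ok' field: not a test result")
    if response["ok"]:
        return True, []
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in findings(response)
                if SEVERITY_RANK.get(f["severity"], 3) >= threshold]
    return not blocking, blocking
```

Raising on a body without a boolean `ok` keeps an authentication or request error from being read as a passing test.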

