by gaspar
3555 days ago
Interesting. So if I understood correctly, you dynamically analyze the build process (and that's why you use that term) instead of just parsing the build file, because you don't know exactly how the dependencies are going to be resolved by the package manager during the build process. How do you verify that a specific version of a library is used during the build and not some other version (do you just do a hash lookup, or do you have a way to generate signatures with few false positives)? Also, what happens if the package manager is compromised (for example, it informs you that it used version 2.0 but instead it used a vulnerable version)? For the call graphs, do you find the relationships between each procedure for the whole project, and if so, isn't that literally static analysis? Sorry if my questions don't make sense or are trivial; I am just looking at it from a research perspective, because I am working on somewhat similar things.