Supply chain call tracing
Full workflow
Complete guide (limitations, CI, published lens): supply-chain-call-tracing
Why use CCE
Dependency manifests (SBOM) list packages; they do not show which third-party methods execute in application paths. Security and architecture reviews need method-level evidence.
CCE extracts fully qualified method calls with call-site context — an f-SBOM input richer than package presence alone.
Example command
cce -folder . -language AUTO -mapper-file https://releases.stackgen.com/cce/lenses/supply-chain-call-tracing/latest/supply-chain-call-tracing_lenses.yaml -filter all -format json -output supply-chain-call-tracing.json
Published lens
https://releases.stackgen.com/cce/lenses/supply-chain-call-tracing/latest/supply-chain-call-tracing_lenses.yaml