Skip to content

Supply chain call tracing

Full workflow

Complete guide (limitations, CI, published lens): supply-chain-call-tracing

Why use CCE

Dependency manifests (SBOM) list packages; they do not show which third-party methods execute in application paths. Security and architecture reviews need method-level evidence.

CCE extracts fully qualified method calls with call-site context — an f-SBOM input richer than package presence alone.

Example command

cce -folder . -language AUTO -mapper-file https://releases.stackgen.com/cce/lenses/supply-chain-call-tracing/latest/supply-chain-call-tracing_lenses.yaml -filter all -format json -output supply-chain-call-tracing.json

Published lens

https://releases.stackgen.com/cce/lenses/supply-chain-call-tracing/latest/supply-chain-call-tracing_lenses.yaml