Chapter 11. Dependency Knowledge Graphs

What do the following three scenarios have in common?

  • You are trying to come up with the best plan for your project, and you need to understand the dependencies between the different tasks involved. “Task B cannot start before A is completed” means B depends on A. “Task B and task C are both carried out by team member X” means that B and C both depend on X.

  • A vulnerability has been reported on a popular software library. To determine whether your projects are directly affected by the vulnerability, you will have to verify that your code doesn’t directly use that vulnerable library. You also have to check that your chosen libraries don’t use the compromised library themselves.

  • A company owns 25% of the shares in another company, which itself owns part of another and so on. Finding the ultimate beneficial owner (UBO) of a transaction carried out by an institution requires you to traverse the ownership chain. Financial institutions and regulators have to do this when implementing anti-money-laundering or antiterrorism checks or when they try to assess risk in general.

The common theme for each of these, and many more, is dependency modeling. The idea is quite intuitive: each individual direct dependency is modeled as a relationship between nodes that build out into networks of transitive dependencies. These dependency networks form a graph, and many dependency problems can be resolved with graph pattern matching and graph algorithms, ...
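The second scenario, worked as a small graph traversal (an added example, not code from the book): each direct dependency is an edge, and a breadth-first search returns the shortest chain from a project to the vulnerable library, distinguishing direct from transitive exposure. The package and project names are hypothetical, the graph is constructed sample data, and plain Python stands in for a graph database.

```python
from collections import deque

# Constructed sample graph: each key depends directly on the packages in its list.
# All project and library names are hypothetical.
DEPENDS_ON = {
    "billing-service": ["web-framework", "pdf-render"],
    "web-framework": ["http-core", "json-parse"],
    "pdf-render": ["image-codec"],
    "image-codec": ["compress-lib"],
    "http-core": ["compress-lib", "web-framework"],  # cycle back to web-framework
    "report-tool": ["json-parse"],
    "legacy-batch": ["compress-lib"],
}


def shortest_dependency_path(graph, start, target):
    """Breadth-first search: shortest chain start -> ... -> target, or None."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        for dep in graph.get(path[-1], []):
            if dep == target:
                return path + [dep]
            if dep not in seen:  # visited set stops cycles from looping forever
                seen.add(dep)
                queue.append(path + [dep])
    return None


def assess_exposure(graph, projects, vulnerable):
    """Classify each project as 'direct', 'transitive' or 'unaffected'."""
    report = {}
    for project in projects:
        path = shortest_dependency_path(graph, project, vulnerable)
        if path is None:
            report[project] = ("unaffected", None)
        elif len(path) == 2:  # project -> vulnerable library, nothing in between
            report[project] = ("direct", path)
        else:
            report[project] = ("transitive", path)
    return report


if __name__ == "__main__":
    projects = ["billing-service", "report-tool", "legacy-batch"]
    for name, (status, path) in assess_exposure(DEPENDS_ON, projects, "compress-lib").items():
        print(f"{name}: {status}", " -> ".join(path) if path else "")
```

The returned path is what makes the result actionable: it names the intermediate package that has to be upgraded or replaced when the project does not reference the vulnerable library itself.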
