Русский

Working with dependencies¶

Creating lock and dep-tree files¶

Java¶

When working with Java, you can create additional artifacts containing the full dependency structure of the project.

Apache Maven:¶

`maven-dependency-tree.txt`¶

mvn dependency:tree -DoutputFile=maven-dependency-tree.txt

Gradle:¶

`gradle-dependency-tree.txt`¶

./gradlew dependencies > gradle-dependency-tree.txt

After creating the artifacts, you need to use the scan file command on the resulting artifact, for example:

./johnny \
scan file ./maven-dependency-tree.txt \
--api_token <api_token> \
--api_url <api_url>

Scala¶

sbt¶

`scala-dependency-tree.txt` or `sbt-dependency-tree.txt`¶

To correctly perform compositional analysis in Scala projects using sbt, follow these steps:

Setting the Dependency Graph Width

To generate a full dependency graph, add the following line to the build.sbt file:

ThisBuild / asciiGraphWidth := 999999999

Alternatively, you can set the asciiGraphWidth value globally.

Generating the dependency tree

Run the following command to generate the dependency tree:

sbt clean compile "dependencyTree::toFile target/tree.txt"

Make sure to save the file with the name scala-dependency-tree.txt or sbt-dependency-tree.txt, as these are the only names supported for correct parsing.

Scanning the generated file

The --sbt-resolve flag in the scan command is not needed in this case, as it scans the already generated tree with the full dependency structure.

Golang (Go Modules)¶

go¶

`go.sum`¶

Initialize the module (if not already done):
```
go mod init <module_name>
```
Install dependencies:
```
go get <package>
```
After installing dependencies, go.mod and go.sum files are automatically created and updated.
Lock dependencies:
```
go mod tidy
```

Node.js (npm and yarn)¶

npm¶

`package-lock.json`¶

Initialize the project (if not already done):
```
npm init -y
```
Install dependencies:
```
npm install
```

yarn¶

`yarn.lock`¶

Initialize the project:
```
yarn init -y
```
Install dependencies:
```
yarn install
```

C# / .NET¶

NuGet¶

`packages.lock.json`¶

Enable lock file support (for .NET 5 and above):
```
dotnet nuget locals all --clear
```
Install dependencies:
```
dotnet restore --use-lock-file
```

paket¶

`paket.lock`¶

Create a lock-file:
```
paket install
```

PHP¶

Composer¶

`composer.lock`¶

Initialize the project (if not already done):
```
composer init
```
Install dependencies:
```
composer install
```

or

Create a lock-file directly:

composer update

Python¶

pip¶

`requirements.txt`¶

Install dependencies and save them to a lock-file:
```
pip freeze > requirements.txt
```

pipenv¶

`Pipfile.lock`¶

Install pipenv (if not already installed):
```
pip install pipenv
```
Create Pipfile.lock:
```
pipenv install
```

poetry¶

`poetry.lock`¶

If the poetry.lock file does not already exist, Poetry will create it automatically when installing dependencies. If the file already exists, it will be updated. To do this, run the command:

poetry lock

This command will update the dependencies specified in pyproject.toml and create or update the poetry.lock file.

Ruby¶

Bundler¶

`Gemfile.lock`¶

Initialize the project (if not already done):
```
bundle init
```
Install dependencies:
```
bundle install
```

or