Supported ecosystems and analysis methods¶
Manifests¶
To find dependencies, CodeScoring primarily relies on parsing package manager manifest files. The platform supports parsing the following technologies:
| Ecosystem | Package manager or build tool | File format |
|---|---|---|
| Java and Kotlin | Gradle | *.gradle*.gradle.ktsgradle-dependency-tree.txtgradle.lockfile |
| Maven | pom.xmlmaven-dependency-tree.txt |
|
| Apache Ivy | ivy.xml |
|
| JavaScript and TypeScript | npm | package.jsonpackage-lock.jsonnpm-shrinkwrap.json |
| yarn | yarn.lockpackage.jsonpackage-lock.json |
|
| pnpm | pnpm-lock.yaml |
|
| Python | pip | requirements.txtrequirements.piprequires.txt |
| Poetry | pyproject.tomlpoetry.lock |
|
| Pipenv | PipfilePipfile.lock |
|
| Conda | environment.ymlmeta.ymlconda-lock.yml |
|
| C and C++ | Conan | conanfile.txtconan.lockconanfile.py |
| Go | Go Modules | go.modgo.sum |
| PHP | Composer | composer.jsoncomposer.lock |
| Ruby | RubyGems | GemfileGemfile.lock*.gemspecgems.locked |
| .NET | Nuget | *.nuspecpackages.lock.jsonProject.jsonProject.lock.jsonpackages.config*.csprojproject.assets.jsondependencyReport.json |
| Paket | paket.dependenciespaket.lock |
|
| Objective-C | CocoaPods | PodfilePodfile.lock*.podspec |
| Swift | Swift Package Manager | Package.swiftPackage.resolved |
| Rust | Cargo | Cargo.tomlCargo.lock |
| Scala | sbt | scala-dependency-tree.txtsbt-dependency-tree.txt |
The best result will be achieved by combining the main manifest file and the corresponding lock file, if provided by the package manager mechanism.
System packages¶
As part of the OSA module, the platform supports analysing system packages of the following formats:
Resolution mechanism in the absence of a lock file¶
If there is no lock file the system will try to resolve transitive OSS dependencies itself:
- Maven
- for pom.xml and build.gradle format generation of
maven-dependency-treevia the corresponding maven plugin - Maven version 3.8.8 and OpenJDK version 11 are used
- PyPi
- generation of
poetry.lockusing the Poetry package manager - Python version 3.11.7 is used
- N.P.M.
- generation of
yarn.lockusing the Yarn package manager - uses Node.js version 20.9.0
- Nuget
- for csproj format generation of
project.assets.jsonusing built-in nuget tools - uses .NET SDK version 8.0.404 -Packagist
- generation of
composer.lockusing the Composer package manager - PHP version 8.2.26 is used -Rubygems
- generation of
Gemfile.lockusing the Bundler package manager - uses Ruby version 3.1.2p20
Generation of lock files by the system does not produce the best results in every case, since it often depends on the environment.
Resolving dependencies in the build environment¶
Some package managers do not include transitive dependencies in their manifests by default. For high-quality compositional analysis when working with them, it is recommended to use a dependency resolution mechanism in the build environment.
When resolving dependencies in the environment, the agent checks for the absence of a lock file, independently launches the package manager or build tool, and generates a complete list of components taking into account the correct version of the build. The functionality is currently available for the following ecosystems:
- .NET
- Go
- Gradle
- Maven
- npm
- Poetry
- sbt
- yarn
- Conda
Mechanism for searching dependencies using hashes¶
The second dependency search mechanism implemented in CodeScoring is a hash search – a search for direct inclusion of libraries in project code. As part of this mechanism, all project files are hashed and these signatures are compared with known open source libraries.
Currently, hash searches occur for the following package manager indexes and the following file types:
- Maven
.jar.war.ear-npm.min.js- PyPI
.whl.egg- Nuget
.nupkg
Hashes of files whose size does not exceed 512 bytes are not sent to the cloud.
Build scanning for C and C++¶
If the Conan package manager and corresponding manifests are not used to build a C/C++ project, a special mode for analyzing the build process output can be used to get a list of used libraries.
In this mode, the Johnny console agent analyzes the build process using compiler flags and identifies the libraries used. Then, using the system cache, the location of the libraries and their source are determined.