The Dependency Scanner (DS) is a tool to collect and analyze the dependencies of a software project, aimed at identifying issues related to software supply-chain security. Dependencies are the components or packages used by the software; they are analyzed for known vulnerabilities and for evidence of malware.
Quick Start
To collect the project's third-party dependencies (direct and indirect) and flag the suspect or risky ones that should be reviewed, the command:
xygeni deps -n MyProject --format=text --upload
uploads the result to the Xygeni platform and produces the following output:
The Open Source Dependencies scanner can be launched in two different ways:
1.- By its own specific command (xygeni deps [options])
2.- By the general scan command (xygeni scan --run="deps" [options])
Usage
The Open Source Dependencies Scanner is launched using the xygeni deps [options] command.
For a full reference of all the available options, you can issue:
xygeni deps --help
The most important properties are:
Name of the project, -n or --name. It is inferred from the input when not given.
Input: either a directory (-d|--dir), a repository (-repo|--repository) or a container image (--image). If none is given, the current local directory is assumed.
Output file (-o or --output) and format (-f or --format). If no output file is given (or stdout / - is used), the standard output is used. Use --format=none for no output.
Upload results to the service with --upload. By default, results are not uploaded.
How to generate SBOM for a software project
The Software Bill of Materials (SBOM) is an inventory of components listing the direct and indirect dependencies and their dependency relations, along with metadata.
The xygeni deps command can be used to generate the SBOM in the following formats:
CycloneDX, a lightweight Software Bill of Materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
SPDX, the Software Package Data Exchange open standard (ISO/IEC 5962:2021).
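As an added example (not part of the Xygeni documentation or of the tool itself), the script below reads a CycloneDX JSON SBOM of the kind described above, splits the inventory into direct and indirect dependencies using the SBOM's dependency graph, and reports which direct dependency introduces a given transitive component, which is the first question when a finding lands on a dependency the project never declared. The SBOM content is constructed sample data and the helper names are my own.

```python
import json
from collections import deque

# Constructed CycloneDX JSON SBOM for illustration (sample data, not xygeni output).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "MyProject", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:npm/express@4.18.2", "name": "express", "version": "4.18.2"},
        {"bom-ref": "pkg:npm/body-parser@1.20.1", "name": "body-parser", "version": "1.20.1"},
        {"bom-ref": "pkg:npm/qs@6.11.0", "name": "qs", "version": "6.11.0"},
        {"bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash", "version": "4.17.21"}],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:npm/express@4.18.2", "pkg:npm/lodash@4.17.21"]},
        {"ref": "pkg:npm/express@4.18.2",
         "dependsOn": ["pkg:npm/body-parser@1.20.1", "pkg:npm/qs@6.11.0"]},
        {"ref": "pkg:npm/body-parser@1.20.1", "dependsOn": ["pkg:npm/qs@6.11.0"]}],
})

def _graph(sbom_json):
    """Return (root bom-ref, {bom-ref: [refs it depends on]}) from the SBOM's dependency graph."""
    bom = json.loads(sbom_json)
    root = bom["metadata"]["component"]["bom-ref"]  # the project itself
    return root, {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}

def classify_dependencies(sbom_json):
    """Split the inventory into direct deps (children of the root) and indirect deps (reached only through other components)."""
    root, graph = _graph(sbom_json)
    direct = set(graph.get(root, []))
    seen, queue = set(), deque(direct)
    while queue:  # breadth-first walk of everything reachable from the direct dependencies
        ref = queue.popleft()
        if ref not in seen:
            seen.add(ref)
            queue.extend(graph.get(ref, []))
    return direct, seen - direct

def introduced_via(sbom_json, target):
    """Shortest chain root -> ... -> target (which direct dependency pulls in a transitive one); None if unreachable."""
    root, graph = _graph(sbom_json)
    paths, queue = {root: [root]}, deque([root])
    while queue and target not in paths:
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in paths:  # first visit in BFS order is a shortest chain
                paths[child] = paths[ref] + [child]
                queue.append(child)
    return paths.get(target)
```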