Dependency Scanner

Purpose

The Dependency Scanner (DS) collects and analyzes the dependencies of a software project to identify software supply-chain security issues. Dependencies are the third-party components or packages a project uses; the scanner analyzes them for known vulnerabilities and for evidence of malware.

Quick Start

To list the project's third-party components (direct and indirect dependencies) and analyze the suspect or risky ones that should be reviewed, run:

xygeni deps -n MyProject --format=text --upload

This uploads the result to the Xygeni platform and produces the following output:

Running xygeni...

2022-11-15 11:11:25.914 [main] INFO  com.depsdoctor.cli.commands.ScanDepsCommand - Scan statistics:
{"elapsedTime":"00:00:39.632","files":150,"filesByKind":{"Jar Analyzer":150},
"dependencies":122,"depsByEcosystem":{"jar":121,"unknown":1}}

Dependencies found: 122
┌───┬──────────────────────────────────────────────────┬─────────┬────────┬────────────┬─────┐
│Id │Group:Name:Version                                │Ecosystem│Language│  License   │Flags│
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│1  │org.apache.logging.log4j:log4j-slf4j-impl:2.19.0  │   jar   │  java  │ Apache-2.0 │     │
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│2  │com.vdurmont:semver4j:3.1.0                       │   jar   │  java  │    MIT     │     │
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│3  │org.slf4j:slf4j-api:1.7.36                        │   jar   │  java  │            │     │
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│4  │org.apache.logging.log4j:log4j-core:2.19.0        │   jar   │  java  │ Apache-2.0 │     │
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│5  │org.zeroturnaround:zt-exec:1.12                   │   jar   │  java  │ Apache-2.0 │     │
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
...
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│140│com.fasterxml.jackson.datatype:jackson-datatype-js│   jar   │  java  │ Apache-2.0 │     │
│   │r310:2.13.3                                       │         │        │            │     │
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│150│com.squareup.okhttp3:okhttp:4.10.0                │   jar   │  java  │ Apache-2.0 │     │
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│157│com.diogonunes:JColor:5.2.0                       │   jar   │  java  │    MIT     │     │
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│0  │:test:                                            │ unknown │        │            │ RV  │
└───┴──────────────────────────────────────────────────┴─────────┴────────┴────────────┴─────┘
Flags: R=top-level P=project V=virtual D=direct dependency
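A practitioner usually wants to act on that report rather than read it by hand. The following script is an added example, not part of Xygeni's tooling: it parses the text table above, cross-checks the number of rows against the "Dependencies found" line, and lists third-party dependencies for which no license was detected. It assumes the layout stays as shown (box-drawing borders, one row per dependency, a long name wrapped onto a continuation row whose Id cell is empty). The embedded sample report is constructed from a few rows of the output above, with a D flag added to one row so the flag filter has something to match; the file name check_deps.py is only a suggestion.

```python
"""Post-process the text report written by `xygeni deps --format=text`.

Added example, not Xygeni code.  It assumes the table layout shown above stays
as is: box-drawing borders, one row per dependency, and a long name wrapped
onto a continuation row whose Id cell is empty.  SAMPLE_REPORT is constructed
from a few rows of that output (one flag added) so the script runs offline.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

SAMPLE_REPORT = """\
Running xygeni...

Dependencies found: 4
┌───┬──────────────────────────────────────────────────┬─────────┬────────┬────────────┬─────┐
│Id │Group:Name:Version                                │Ecosystem│Language│  License   │Flags│
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│1  │org.apache.logging.log4j:log4j-slf4j-impl:2.19.0  │   jar   │  java  │ Apache-2.0 │  D  │
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│3  │org.slf4j:slf4j-api:1.7.36                        │   jar   │  java  │            │     │
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│140│com.fasterxml.jackson.datatype:jackson-datatype-js│   jar   │  java  │ Apache-2.0 │     │
│   │r310:2.13.3                                       │         │        │            │     │
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│0  │:test:                                            │ unknown │        │            │ RV  │
└───┴──────────────────────────────────────────────────┴─────────┴────────┴────────────┴─────┘
Flags: R=top-level P=project V=virtual D=direct dependency
"""


@dataclass
class Dependency:
    dep_id: str
    coordinates: str   # group:name:version exactly as printed
    ecosystem: str
    language: str
    license: str       # empty when the scanner found no license
    flags: str         # subset of R, P, V, D (see the legend)

    @property
    def is_virtual(self) -> bool:
        # virtual nodes such as the project root are not third-party code
        return "V" in self.flags


def parse_deps_table(report: str) -> list[Dependency]:
    """Turn the text table into Dependency records, merging wrapped rows."""
    deps: list[Dependency] = []
    for line in report.splitlines():
        if "│" not in line:
            continue  # log lines, horizontal borders, the flags legend
        cells = [c.strip() for c in line.split("│")[1:-1]]
        if len(cells) != 6 or cells[0] == "Id":
            continue  # header row or an unexpected layout
        dep_id, coords, ecosystem, language, lic, flags = cells
        if dep_id == "" and deps:
            # continuation of the previous row: the name was wrapped
            deps[-1].coordinates += coords
            continue
        deps.append(Dependency(dep_id, coords, ecosystem, language, lic, flags))
    return deps


def declared_count(report: str) -> int | None:
    """The count the scanner itself printed, used to cross-check the parse."""
    match = re.search(r"^Dependencies found:\s*(\d+)", report, re.MULTILINE)
    return int(match.group(1)) if match else None


def unlicensed(deps: list[Dependency]) -> list[Dependency]:
    """Third-party dependencies with no license detected: review before shipping."""
    return [d for d in deps if not d.license and not d.is_virtual]


def with_flag(deps: list[Dependency], flag: str) -> list[Dependency]:
    """Dependencies carrying a given flag letter, e.g. "D" for direct dependencies."""
    return [d for d in deps if flag in d.flags]


def main() -> int:
    # Usage: xygeni deps -n MyProject --format=text | python3 check_deps.py
    report = sys.stdin.read()
    deps = parse_deps_table(report)
    declared = declared_count(report)
    if declared is not None and declared != len(deps):
        print(f"warning: parsed {len(deps)} rows, report declares {declared}", file=sys.stderr)
    missing = unlicensed(deps)
    for dep in missing:
        print(f"no license detected: {dep.coordinates} [{dep.ecosystem}]")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main())
```

The row-count cross-check is there because a table parser fails silently when the layout changes; comparing against the scanner's own count turns that into a visible warning. The virtual root entry (flags RV) is skipped by the license check because it is the project itself, not a third-party component.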

The Open Source Dependencies scanner can be launched in two ways:

1. Using its own command: xygeni deps [options]

2. Using the general scan command: xygeni scan --run="deps" [options]

Usage

The Open Source Dependencies Scanner is launched using the xygeni deps [options] command.

For a full reference of all the available options, run:

xygeni deps --help

The most important options are:

  • Project name, -n or --name. When not given, it is inferred from the input.

  • Input: a directory (-d|--dir), a repository (-repo|--repository) or a container image (--image). If none is given, the current working directory is scanned.

  • Output file (-o or --output) and format (-f or --format). If no output file is given, or stdout or - is used, the report is written to standard output. Use --format=none to suppress the report.

  • SBOM output: file (--sbom) and format (--sbom-format). See How to generate SBOM for a software project below for an example.

  • Upload results to the Xygeni platform with --upload. By default, results are not uploaded, so the dependency inventory leaves the build environment only when you ask for it.

How to generate SBOM for a software project

The Software Bill Of Materials (SBOM) is an inventory of the components of a project, listing the direct and indirect dependencies, their dependency relations, and associated metadata.

The xygeni deps command can generate the SBOM in the following formats:

  • CycloneDX, a lightweight Software Bill of Materials (SBOM) standard designed for application security contexts and supply chain component analysis.

  • SPDX, the Software Package Data Exchange open standard (ISO/IEC 5962:2021).
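Once generated, the value of the SBOM lies in its dependency relations, not just the component list. The following script is an added example, not Xygeni code: it walks the dependencies graph of a CycloneDX JSON document from the root component, classifies every component as a direct or a transitive dependency, and flags components that appear in the inventory but are not reachable from the root, which usually means the graph is incomplete. The embedded SBOM is constructed by hand following the CycloneDX 1.4 JSON layout (metadata.component, components[], dependencies[] with ref and dependsOn); the bom-ref values are Package URLs chosen for the demo and the log4j edges are illustrative, not the output of a real scan.

```python
"""Classify the components of a CycloneDX JSON SBOM as direct or transitive.

Added example, not Xygeni code.  SAMPLE_SBOM is constructed by hand for the
demo and follows the CycloneDX 1.4 JSON layout (metadata.component,
components[], dependencies[] with ref/dependsOn); the refs and edges are
illustrative, not the output of a real scan.
"""
from __future__ import annotations

import json
import sys
from collections import deque

# bom-ref values (Package URLs) used in the constructed SBOM below
ROOT = "pkg:maven/example/MyProject@1.0.0"
IMPL = "pkg:maven/org.apache.logging.log4j/log4j-slf4j-impl@2.19.0"
CORE = "pkg:maven/org.apache.logging.log4j/log4j-core@2.19.0"
API = "pkg:maven/org.apache.logging.log4j/log4j-api@2.19.0"
SLF4J = "pkg:maven/org.slf4j/slf4j-api@1.7.36"
JCOLOR = "pkg:maven/com.diogonunes/JColor@5.2.0"


def _lib(ref: str, group: str, name: str, version: str, license_id: str | None) -> dict:
    """Build one CycloneDX library component for the constructed sample."""
    comp = {"type": "library", "bom-ref": ref, "group": group,
            "name": name, "version": version, "purl": ref}
    if license_id:
        comp["licenses"] = [{"license": {"id": license_id}}]
    return comp


SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "bom-ref": ROOT,
                               "name": "MyProject", "version": "1.0.0"}},
    "components": [
        _lib(IMPL, "org.apache.logging.log4j", "log4j-slf4j-impl", "2.19.0", "Apache-2.0"),
        _lib(CORE, "org.apache.logging.log4j", "log4j-core", "2.19.0", "Apache-2.0"),
        _lib(API, "org.apache.logging.log4j", "log4j-api", "2.19.0", "Apache-2.0"),
        _lib(SLF4J, "org.slf4j", "slf4j-api", "1.7.36", None),
        # listed in the inventory but with no edge leading to it: an orphan
        _lib(JCOLOR, "com.diogonunes", "JColor", "5.2.0", "MIT"),
    ],
    "dependencies": [
        {"ref": ROOT, "dependsOn": [IMPL]},
        {"ref": IMPL, "dependsOn": [CORE, SLF4J]},
        {"ref": CORE, "dependsOn": [API]},
        {"ref": API, "dependsOn": []},
        {"ref": SLF4J, "dependsOn": []},
    ],
})


def load_graph(sbom_json: str) -> tuple[str, dict[str, dict], dict[str, list[str]]]:
    """Return (root ref, components by ref, adjacency list) from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    root = bom["metadata"]["component"]["bom-ref"]
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return root, components, edges


def depth_from_root(root: str, edges: dict[str, list[str]]) -> dict[str, int]:
    """Breadth-first search from the root: depth 1 is a direct dependency, deeper is
    transitive.  The visited map also guards against cycles, which are legal in the graph."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in depth:
                depth[child] = depth[ref] + 1
                queue.append(child)
    return depth


def classify(sbom_json: str) -> tuple[list[str], list[str], list[str]]:
    """Split the inventory into direct, transitive and orphan (unreachable) component refs."""
    root, components, edges = load_graph(sbom_json)
    depth = depth_from_root(root, edges)
    direct = sorted(ref for ref, d in depth.items() if d == 1)
    transitive = sorted(ref for ref, d in depth.items() if d > 1)
    orphans = sorted(set(components) - set(depth))
    return direct, transitive, orphans


def describe(sbom_json: str) -> str:
    """Human-readable summary, one line per component under its depth class."""
    direct, transitive, orphans = classify(sbom_json)
    lines = [f"direct ({len(direct)}):"] + [f"  {r}" for r in direct]
    lines += [f"transitive ({len(transitive)}):"] + [f"  {r}" for r in transitive]
    if orphans:
        lines += ["listed but unreachable from the root, graph may be incomplete:"]
        lines += [f"  {r}" for r in orphans]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 sbom_depth.py path/to/sbom.json   (defaults to the embedded sample)
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SBOM
    print(describe(src))
```

The orphan check matters in review: a component that no dependency entry points to is either dead weight in the inventory or, more often, evidence that the generator did not capture the full relation graph, so depth-based triage (direct before transitive) cannot be trusted for it.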
