Dependency Scanner
Table of Contents
Purpose
The Dependency Scanner (DS) is a useful tool to collect and analyze the dependencies of a software project. Aimed at identifying issues related to software supply-chain security. Dependencies are components or packages used in software that will be analyzed for known vulnerabilities or evidence of malware.
Quick Start
Use the following command to generate a list of both direct and indirect dependencies used within your project and identify potentially risky dependencies. Then upload them to the Xygeni Platform for review.
xygeni deps -n MyProject --format=text --uploadRunning xygeni...
2022-11-15 11:11:25.914 [main] INFO com.depsdoctor.cli.commands.ScanDepsCommand - Scan statistics:
{"elapsedTime":"00:00:39.632","files":150,"filesByKind":{"Jar Analyzer":150},
"dependencies":122,"depsByEcosystem":{"jar":121,"unknown":1}}
Dependencies found: 122
┌───┬──────────────────────────────────────────────────┬─────────┬────────┬────────────┬─────┐
│Id │Group:Name:Version │Ecosystem│Language│ License │Flags│
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│1 │org.apache.logging.log4j:log4j-slf4j-impl:2.19.0 │ jar │ java │ Apache-2.0 │ │
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│2 │com.vdurmont:semver4j:3.1.0 │ jar │ java │ MIT │ │
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│3 │org.slf4j:slf4j-api:1.7.36 │ jar │ java │ │ │
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│4 │org.apache.logging.log4j:log4j-core:2.19.0 │ jar │ java │ Apache-2.0 │ │
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│5 │org.zeroturnaround:zt-exec:1.12 │ jar │ java │ Apache-2.0 │ │
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
...
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│140│com.fasterxml.jackson.datatype:jackson-datatype-js│ jar │ java │ Apache-2.0 │ │
│ │r310:2.13.3 │ │ │ │ │
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│150│com.squareup.okhttp3:okhttp:4.10.0 │ jar │ java │ Apache-2.0 │ │
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│157│com.diogonunes:JColor:5.2.0 │ jar │ java │ MIT │ │
├───┼──────────────────────────────────────────────────┼─────────┼────────┼────────────┼─────┤
│0 │:test: │ unknown │ │ │ RV │
└───┴──────────────────────────────────────────────────┴─────────┴────────┴────────────┴─────┘
Flags: R=top-level P=project V=virtual D=direct dependencyUsage
The Open Source Dependencies Scanner is launched using the xygeni deps [options] command.
To view all available options, use the --help flag:
xygeni deps --helpThe most important properties are:
Name of the Xygeni Project
-nor--name.Input source to analyze. Either specify a directory with:
-dor--diror specify a repository using:--repo. The scan will analyze the current working directory when no target is specified.Upload results to the service
--upload. By default, results are not uploaded.Output file (
-oor--output) and format (-for--format). If no output file is specified (or stdout / - are used), the standard output is used. Use--format=nonefor no output.SBOM properties: output file
--sbomand format--sbom-format. See Generate SBOM for a software project for an example.Specify what detectors to run with the
--detectors/--skip-detectorsoptions. A common use-case is to consider only issues with high or critical severity with--detectors=high.
How to generate SBOM for a software project
A Software Bill Of Materials (SBOM) is an inventory that details the components, including direct and indirect dependencies, along with their relationships and relevant metadata.
The xygeni deps can be used to generate the SBOM, in the following formats:
Last updated