# Dependency Analyzers

The [Dependency Scanner](https://docs.xygeni.io/xygeni-products/open-source-security-oss/dependency-scanner) extracts the *software's dependencies* by analyzing the project descriptors that reference direct dependencies and getting their dependencies transitively.

The result is the full dependencies graph, which may contain components in different ecosystems, where each component is resolved in terms of name, group/owner/scope and version, along with metadata (license, provenance, tags and more) that could be useful for assessment of the security risk.

Each major ecosystem is handled by a specific analyzer. The following sections describe each analyzer, how it works, and which are the inputs analyzed.

### Maven Analyzer <a href="#maven_analyzer" id="maven_analyzer"></a>

This analyzer fetches the dependencies for maven projects. The analyzer executes `mvn dependency:tree` and processes the result.

The analyzer checks if **pom.xml** files exist in the source code. In this case, the analyzer executes the command:

```asciidoc
mvn dependency:tree
```

You have more information [here](https://maven.apache.org/plugins/maven-dependency-plugin/tree-mojo.html).

{% hint style="info" %}
If you have not the mvn command installed, this analyzer will be disabled, and the dependencies from the pom.xml files will not be resolved.
{% endhint %}

#### How to specify a different location of settings.xml ?

Xygeni allows to **customize `mvn` command** to suite your specific needs.&#x20;

One of these usual needs is to specify an *alternate location of `settings.xml` file* (remember that by default `mvn` will search for it at `$HOME/.m2` ).&#x20;

If you need `mvn` to use a `settings.xml` located at a different location, you can define a env var named `MVN_OPS`and assign additional parameters (in this case `--settings`).

As an example, if you run the scanner as shown below, the dependency scanner will use the settings.xml specified by the env var.

```
export MVN_OPS="--settings /foo/bar/settings.xml"
xygeni scan [rest of flags]
```

Similarly ,  you can specify whatever other maven additional parameters you may need.

### Gradle Analyzer <a href="#gradle_analyzer" id="gradle_analyzer"></a>

This analyzer fetches the dependencies for gradle projects. The analyzer executes `gradlew -q dependencies` or `gradle -q dependencies` if the `gradlew` does not exist and processes the result.

The analyzer checks if **build.gradle** or **build.gradle.kts** files exist in the source code. In this case, the analyzer executes the command:

```asciidoc
gradle -q dependencies
```

{% hint style="info" %}
If the project has no the `gradlew` file and you have not the `gradle` command installed, this analyzer will be disabled, and the dependencies from the **build.gradle** or **build.gradle.kts** files will not be resolved.
{% endhint %}

### Npm Analyzer <a href="#npm_analyzer" id="npm_analyzer"></a>

This analyzer fetches the dependencies for Node projects using **npm** or **yarn** package managers. The analyzer uses **yarn.lock**, **npm-shrinkwrap.json**, **package-lock.json** or **package.json** ("lock" and "manifest") files.

These files are processed in the following order: `yarn.lock` > `npm-shrinkwrap.json` > `package-lock.json` > `package.json`. Package lock files are recommended for *repeatable builds*, as they have all packages and versions resolved in the dependency tree.

When no lock file is found, `package.json` is processed and the analyzer generates a `yarn.lock` file in a temporary directory by executing the command

```asciidoc
yarn install --ignore-scripts --modules-folder ${TEMPDIR}/node_modules
```

If `yarn` command is not installed, the analyzer will try to install it in a temporary directory.

{% hint style="info" %}
If no lock file is found and npm is not installed, then the analyzer will not be able to extract the dependencies. And node\_modules directories are ignored by the analyzer.
{% endhint %}

{% hint style="info" %}
With npm, it is important to have the lockfile in sync with the manifest. If not, an `npm install` from a user or the package may resolve a dependency to an unintended version. The `npm clean-install` (or `npm ci` for short) makes a clean install that also checks for consistency between the lockfile and the manifest.
{% endhint %}

### Bower Analyzer <a href="#bower_analyzer" id="bower_analyzer"></a>

This analyzer fetches the dependencies for projects using **bower** package manager and **bower.json** manifests. The analyzer runs the command

```asciidoc
bower list -j
```

You have more information about this [here](https://bower.io/docs/api/#list).

{% hint style="info" %}
If you have not installed bower, this analyzer will be disabled and the dependencies of the `bower.json` files will not be resolved.
{% endhint %}

{% hint style="info" %}
All `bower_components` directories in the analyzed will be ignored.
{% endhint %}

### Dotnet Analyzer <a href="#dotnet_analyzer" id="dotnet_analyzer"></a>

This analyzer fetches the dependencies for dotnet projects. To obtain this information, the analyzer uses **project.assets.json** manifests.

To generate these manifests, you should execute `dotnet restore` command. You can execute

```asciidoc
dotnet restore -h|--help
```

to get help. You have more information about the `dotnet restore` command [here](https://docs.microsoft.com/en-us/dotnet/core/tools/dotnet-restore).

The analyzed project will not have associated frameworks, but the rest of dependencies will have the associated framework. If a dependency is on two frameworks, it appears twice, once per framework. For example:

```asciidoc
.NETFramework 4.6:Microsoft.Build.Tasks.Git:1.0.0
.NETStandard 2.0:Microsoft.Build.Tasks.Git:1.0.0
```

{% hint style="info" %}
The Dependency Scanner does not execute `dotnet restore` command automatically.
{% endhint %}

### Go Analyzer <a href="#go_analyzer" id="go_analyzer"></a>

Extract dependencies for Go modules, from `go.mod` files. The analyzer runs the`go mod graph` command.

For further information about dependency management in the Go ecosystem, see [managing dependencies in Go](https://go.dev/doc/modules/managing-dependencies).

{% hint style="info" %}
If the `go` toolchain is not installed, the analyzer will be disabled and Go modules will not be analyzed.
{% endhint %}

### Pip Analyzer <a href="#pip_analyzer" id="pip_analyzer"></a>

This analyzer fetches the dependencies for python projects. The analyzer uses the `setup.py` files to get information for the currently analyzed projects and its dependencies.

The analyzer executes the`pipgrip` library to get the dependencies tree, if the environment has not installed this library the analyzer tries to install `pipgrip` in a temporary directory to execute the command and after the directory will be deleted. The commands executed is:

```asciidoc
pipgrip --tree --json
```

{% hint style="info" %}
As a prerequisite, the packages must be installed. And in the case that `pipgrip` and `pip` are not installed, then this analyzer will be disabled.
{% endhint %}

### Composer Analyzer <a href="#composer_analyzer" id="composer_analyzer"></a>

This analyzer fetches the dependencies for PHP projects. The analyzer uses the `composer.json` files to get information for the currently analyzed project and his dependencies.

The analyzer executes the commands:

```asciidoc
# To get all dependencies with resolved version
composer show -f json

# To get the dependency tree
composer show -t -f json
```

{% hint style="info" %}
The analyzer needs that the `composer` command is installed and the components analyzed have been installed to resolve the dependencies correctly.
{% endhint %}

### Gem Analyzer <a href="#gem_analyzer" id="gem_analyzer"></a>

This analyzer fetches the dependencies for Ruby gem projects. The analyzer uses `Gemfile.lock` file to get information about the dependencies.

The ruby gem name for the current project is the directory name that contains the `Gemfile.lock` file.