Dependency Analyzers

The Dependency Scanner extracts the software's dependencies by analyzing the project descriptors that reference direct dependencies and getting their dependencies transitively.

The result is the full dependencies graph, which may contain components in different ecosystems, where each component is resolved in terms of name, group/owner/scope and version, along with metadata (license, provenance, tags and more) that could be useful for assessment of the security risk.

Each major ecosystem is handled by a specific analyzer. The following sections describe each analyzer, how it works, and which are the inputs analyzed.

Maven Analyzer

This analyzer fetches the dependencies for maven projects. The analyzer executes mvn dependency:tree and processes the result.

The analyzer checks if pom.xml files exist in the source code. In this case, the analyzer executes the command:

mvn dependency:tree

You have more information here.

If you have not the mvn command installed, this analyzer will be disabled, and the dependencies from the pom.xml files will not be resolved.

How to specify a different location of settings.xml ?

Xygeni allows to customize mvn command to suite your specific needs.

One of these usual needs is to specify an alternate location of settings.xml file (remember that by default mvn will search for it at $HOME/.m2 ).

If you need mvn to use a settings.xml located at a different location, you can define a env var named MVN_OPSand assign additional parameters (in this case --settings).

As an example, if you run the scanner as shown below, the dependency scanner will use the settings.xml specified by the env var.

export MVN_OPS="--settings /foo/bar/settings.xml"
xygeni scan [rest of flags]

Similarly , you can specify whatever other maven additional parameters you may need.

Gradle Analyzer

This analyzer fetches the dependencies for gradle projects. The analyzer executes gradlew -q dependencies or gradle -q dependencies if the gradlew does not exist and processes the result.

The analyzer checks if build.gradle or build.gradle.kts files exist in the source code. In this case, the analyzer executes the command:

gradle -q dependencies

If the project has no the gradlew file and you have not the gradle command installed, this analyzer will be disabled, and the dependencies from the build.gradle or build.gradle.kts files will not be resolved.

Npm Analyzer

This analyzer fetches the dependencies for Node projects using npm or yarn package managers. The analyzer uses yarn.lock, npm-shrinkwrap.json, package-lock.json or package.json ("lock" and "manifest") files.

These files are processed in the following order: yarn.lock > npm-shrinkwrap.json > package-lock.json > package.json. Package lock files are recommended for repeatable builds, as they have all packages and versions resolved in the dependency tree.

When no lock file is found, package.json is processed and the analyzer generates a yarn.lock file in a temporary directory by executing the command

yarn install --ignore-scripts --modules-folder ${TEMPDIR}/node_modules

If yarn command is not installed, the analyzer will try to install it in a temporary directory.

If no lock file is found and npm is not installed, then the analyzer will not be able to extract the dependencies. And node_modules directories are ignored by the analyzer.

With npm, it is important to have the lockfile in sync with the manifest. If not, an npm install from a user or the package may resolve a dependency to an unintended version. The npm clean-install (or npm ci for short) makes a clean install that also checks for consistency between the lockfile and the manifest.

Bower Analyzer

This analyzer fetches the dependencies for projects using bower package manager and bower.json manifests. The analyzer runs the command

bower list -j

You have more information about this here.

If you have not installed bower, this analyzer will be disabled and the dependencies of the bower.json files will not be resolved.

All bower_components directories in the analyzed will be ignored.

Dotnet Analyzer

This analyzer fetches the dependencies for dotnet projects. To obtain this information, the analyzer uses project.assets.json manifests.

To generate these manifests, you should execute dotnet restore command. You can execute

dotnet restore -h|--help

to get help. You have more information about the dotnet restore command here.

The analyzed project will not have associated frameworks, but the rest of dependencies will have the associated framework. If a dependency is on two frameworks, it appears twice, once per framework. For example:

.NETFramework 4.6:Microsoft.Build.Tasks.Git:1.0.0
.NETStandard 2.0:Microsoft.Build.Tasks.Git:1.0.0

The Dependency Scanner does not execute dotnet restore command automatically.

Go Analyzer

Extract dependencies for Go modules, from go.mod files. The analyzer runs thego mod graph command.

For further information about dependency management in the Go ecosystem, see managing dependencies in Go.

If the go toolchain is not installed, the analyzer will be disabled and Go modules will not be analyzed.

Pip Analyzer

This analyzer fetches the dependencies for python projects. The analyzer uses the setup.py files to get information for the currently analyzed projects and its dependencies.

The analyzer executes thepipgrip library to get the dependencies tree, if the environment has not installed this library the analyzer tries to install pipgrip in a temporary directory to execute the command and after the directory will be deleted. The commands executed is:

pipgrip --tree --json

As a prerequisite, the packages must be installed. And in the case that pipgrip and pip are not installed, then this analyzer will be disabled.

Composer Analyzer

This analyzer fetches the dependencies for PHP projects. The analyzer uses the composer.json files to get information for the currently analyzed project and his dependencies.

The analyzer executes the commands:

# To get all dependencies with resolved version
composer show -f json

# To get the dependency tree
composer show -t -f json

The analyzer needs that the composer command is installed and the components analyzed have been installed to resolve the dependencies correctly.

Gem Analyzer

This analyzer fetches the dependencies for Ruby gem projects. The analyzer uses Gemfile.lock file to get information about the dependencies.

The ruby gem name for the current project is the directory name that contains the Gemfile.lock file.

PreviousDependency scanner configurationNextSuspect Dependencies Scanner

Last updated