Dependency Analyzers
The Dependency Scanner extracts the software's dependencies by analyzing the project descriptors that reference direct dependencies and getting their dependencies transitively.
The result is the full dependencies graph, which may contain components in different ecosystems, where each component is resolved in terms of name, group/owner/scope and version, along with metadata (license, provenance, tags and more) that could be useful for assessment of the security risk.
Each major ecosystem is handled by a specific analyzer. The following sections describe each analyzer, how it works, and which are the inputs analyzed.
Maven Analyzer
This analyzer fetches the dependencies for maven projects. The analyzer executes mvn dependency:tree
and processes the result.
The analyzer checks if pom.xml files exist in the source code. In this case, the analyzer executes the command:
mvn dependency:tree
You have more information here.
How to specify a different location of settings.xml ?
Xygeni allows to customize mvn
command to suite your specific needs.
One of these usual needs is to specify an alternate location of settings.xml
file (remember that by default mvn
will search for it at $HOME/.m2
).
If you need mvn
to use a settings.xml
located at a different location, you can define a env var named MVN_OPS
and assign additional parameters (in this case --settings
).
As an example, if you run the scanner as shown below, the dependency scanner will use the settings.xml specified by the env var.
export MVN_OPS="--settings /foo/bar/settings.xml"
xygeni scan [rest of flags]
Similarly , you can specify whatever other maven additional parameters you may need.
Gradle Analyzer
This analyzer fetches the dependencies for gradle projects. The analyzer executes gradlew -q dependencies
or gradle -q dependencies
if the gradlew
does not exist and processes the result.
The analyzer checks if build.gradle or build.gradle.kts files exist in the source code. In this case, the analyzer executes the command:
gradle -q dependencies
Npm Analyzer
This analyzer fetches the dependencies for Node projects using npm or yarn package managers. The analyzer uses yarn.lock, npm-shrinkwrap.json, package-lock.json or package.json ("lock" and "manifest") files.
These files are processed in the following order: yarn.lock
> npm-shrinkwrap.json
> package-lock.json
> package.json
. Package lock files are recommended for repeatable builds, as they have all packages and versions resolved in the dependency tree.
When no lock file is found, package.json
is processed and the analyzer generates a yarn.lock
file in a temporary directory by executing the command
yarn install --ignore-scripts --modules-folder ${TEMPDIR}/node_modules
If yarn
command is not installed, the analyzer will try to install it in a temporary directory.
Bower Analyzer
This analyzer fetches the dependencies for projects using bower package manager and bower.json manifests. The analyzer runs the command
bower list -j
You have more information about this here.
Dotnet Analyzer
This analyzer fetches the dependencies for dotnet projects. To obtain this information, the analyzer uses project.assets.json manifests.
To generate these manifests, you should execute dotnet restore
command. You can execute
dotnet restore -h|--help
to get help. You have more information about the dotnet restore
command here.
The analyzed project will not have associated frameworks, but the rest of dependencies will have the associated framework. If a dependency is on two frameworks, it appears twice, once per framework. For example:
.NETFramework 4.6:Microsoft.Build.Tasks.Git:1.0.0
.NETStandard 2.0:Microsoft.Build.Tasks.Git:1.0.0
Go Analyzer
Extract dependencies for Go modules, from go.mod
files. The analyzer runs thego mod graph
command.
For further information about dependency management in the Go ecosystem, see managing dependencies in Go.
Pip Analyzer
This analyzer fetches the dependencies for python projects. The analyzer uses the setup.py
files to get information for the currently analyzed projects and its dependencies.
The analyzer executes thepipgrip
library to get the dependencies tree, if the environment has not installed this library the analyzer tries to install pipgrip
in a temporary directory to execute the command and after the directory will be deleted. The commands executed is:
pipgrip --tree --json
Composer Analyzer
This analyzer fetches the dependencies for PHP projects. The analyzer uses the composer.json
files to get information for the currently analyzed project and his dependencies.
The analyzer executes the commands:
# To get all dependencies with resolved version
composer show -f json
# To get the dependency tree
composer show -t -f json
Gem Analyzer
This analyzer fetches the dependencies for Ruby gem projects. The analyzer uses Gemfile.lock
file to get information about the dependencies.
The ruby gem name for the current project is the directory name that contains the Gemfile.lock
file.
Last updated