Xygeni User Guides
  • Welcome to Xygeni
  • Getting Started
    • Create a Free Trial Account
    • Quick start with your code repository
    • Quick start with Xygeni CLI
    • Quick start with a preloaded project
    • Log in to Xygeni
    • Subscribe to Xygeni
  • Introduction to Xygeni
    • Key Concepts
      • Projects in Xygeni
      • Project Baseline
      • Detected Issues
      • Remediation Actions
      • Policies
      • Risk Level
      • SDLC Inventory
      • Standards Compliance
      • GuardRails
    • Xygeni Products
    • How Xygeni works
    • Xygeni Web UI Overview
      • Projects Screen
        • Risk Level
    • Integrating Xygeni into your Workflow
    • Prioritization Funnels
      • Custom Funnels
      • Prioritization Criteria (Stages)
        • Reachability
        • Exploitability
        • Fixable
    • Guardrails
    • Generate a SBOM
    • Reports
      • Trends
      • Scan History
    • Supported Integrations
    • Customizations
  • Xygeni Products
    • Application Security Posture Management (ASPM)
      • ASPM User Interface Guide
      • All Risks
        • Statistics
        • Issues Evolution
        • Issue Comparison Between Different Scans
      • Governance
      • Inventory
        • All Assets
        • Repositories
        • Components
        • CI/CD Assets
        • Delivery Assets
        • Systems & Tools
        • Collaborators
      • Health Check
      • Inventory Scanner
        • Inventory Scanner Configuration
        • Inventory Collaborators Scan
      • Importing reports from 3rd party tools
        • External Scanners Supported
          • Report upload for Kiuwan
            • ExportRule (.java)
    • Code Security (SAST)
      • Code Security (SAST) User Interface Guide
        • Risks (SAST)
        • Malicious Code
      • Malware Scanner
        • Malware Scanner Configuration
        • Malware Detectors
      • SAST Scanner
        • SAST Scanner Configuration
    • Open Source (SCA)
      • Open Source (SCA) User Interface Guide
      • Open Source Components
      • Supported Package Managers for dependency resolution
      • Risks (SCA)
      • OSS Prioritization Funnels
      • OSS Auto-Remediation
      • Malware Early Warning (MEW)
        • How Malware Early Warning works
        • Common types of Malware found in open source packages
      • Dependency Scanner
        • Dependency scanner configuration
        • Dependency Analyzers
      • Suspect Dependencies Scanner
        • Suspect Deps Scanner Configuration
        • Suspect Deps Detectors
    • CI/CD Security
      • CI/CD Security User Interface Guide
      • CI/CD Details
      • Build Attestations
      • CI/CD Scanner
        • CI/CD Misconfigurations Scanner Configuration
      • Compliance Scanner
        • Supported compliance standards
    • Secrets Security
      • Secrets User Interface Guide
      • Secrets Scanner
        • Secrets scanner configuration
      • Secret Leaks Handling
        • Secret Leaks Handling
        • How to Prevent Hard-Coded Secrets
        • Secret Leaks Handling CheatSheet
      • Secrets Auto-Remediation
    • IaC Security
      • IaC User Interface Guide
      • IaC Scanner
        • IaC Scanner Configuration
    • Malware
    • Build Security
      • Build Security Concepts
      • Build Attestations
      • Attestation format
      • How SALT works
      • Installing Salt CLI
      • Salt Command-Line Reference
      • SALT Architecture
      • SALT How To…​
    • Anomalous Activity Detection
      • Anomalous Activity Detection User Interface Guide
      • Xygeni Sensors
        • Xygeni Sensor for Azure
        • Xygeni Sensor for BitBucket
        • Xygeni Sensor for GitHub
          • GitHub Audit Log Processing
        • Xygeni Sensor for GitLab
        • Xygeni Sensor for Jenkins
        • Anomaly Detection's Detectors
      • Code Tampering Scanner
        • Code Tampering Scanner Configuration
    • Compliance & Malware Insights
      • SSCS Compliance
      • Malicious Packages DB
  • Scan Management
    • Manage Scans
    • Scan History
  • Xygeni Scanner CLI
    • Xygeni Scanners
    • Xygeni CLI Overview
      • Xygeni CLI Prerequisites
      • Xygeni CLI Installation
      • Xygeni CLI Docker Image
      • Xygeni CLI Authentication
        • CLI Authentication with Xygeni
      • SCM, CI/ CD and Container Registry tokens
      • Xygeni CLI Operation Modes
        • Single scan
          • Scanning a docker image
        • Multi Scan
        • Organization scan
      • Xygeni CLI Configuration options
      • Xygeni CLI Output Formats
      • Exporting Xygeni results to 3rd party tools
      • Automatic Remediation
      • Generate SBOM with the Xygeni CLI
      • CLI utils
        • Credentials Encryption
        • Central Configuration
      • Xygeni Guardrails
        • CI/CD Audit Analysis
      • Xygeni CLI Error Codes
      • Xygeni Scanner Reference
  • Xygeni Administration
    • Platform Administration
      • Profile
      • Subscription
      • Users Management
      • Projects Management
      • Groups Management
      • Policies
      • Integrations
        • Xygeni Single Sign-On (SSO) Authentication
          • SSO - OKTA
          • SSO - Microsoft Entra ID
        • Integrate Scanner CLI into CI/CD Systems
          • Azure Pipelines Integration
          • BitBucket Integration
          • CircleCI Integration
          • GitHub Actions Integration
          • GitLab Runner Integration
          • Jenkins Integration
          • Travis CI Integration
        • Git Hooks with Xygeni
        • Collaboration & communication Tools
        • Ticketing Systems
        • Remediation systems
      • Notifications
    • Rest API
  • Support
  • Changelog
    • Version 5.11 - April 11, 2025
    • Version 5.9 – March 26, 2025
Powered by GitBook
On this page
  • Maven Analyzer
  • Gradle Analyzer
  • Npm Analyzer
  • Bower Analyzer
  • Dotnet Analyzer
  • Go Analyzer
  • Pip Analyzer
  • Composer Analyzer
  • Gem Analyzer
Export as PDF
  1. Xygeni Products
  2. Open Source (SCA)
  3. Dependency Scanner

Dependency Analyzers

PreviousDependency scanner configurationNextSuspect Dependencies Scanner

Last updated 13 days ago

The extracts the software's dependencies by analyzing the project descriptors that reference direct dependencies and getting their dependencies transitively.

The result is the full dependencies graph, which may contain components in different ecosystems, where each component is resolved in terms of name, group/owner/scope and version, along with metadata (license, provenance, tags and more) that could be useful for assessment of the security risk.

Each major ecosystem is handled by a specific analyzer. The following sections describe each analyzer, how it works, and which are the inputs analyzed.

Maven Analyzer

This analyzer fetches the dependencies for maven projects. The analyzer executes mvn dependency:tree and processes the result.

The analyzer checks if pom.xml files exist in the source code. In this case, the analyzer executes the command:

mvn dependency:tree

You have more information .

If you have not the mvn command installed, this analyzer will be disabled, and the dependencies from the pom.xml files will not be resolved.

How to specify a different location of settings.xml ?

Xygeni allows to customize mvn command to suite your specific needs.

One of these usual needs is to specify an alternate location of settings.xml file (remember that by default mvn will search for it at $HOME/.m2 ).

If you need mvn to use a settings.xml located at a different location, you can define a env var named MVN_OPSand assign additional parameters (in this case --settings).

As an example, if you run the scanner as shown below, the dependency scanner will use the settings.xml specified by the env var.

export MVN_OPS="--settings /foo/bar/settings.xml"
xygeni scan [rest of flags]

Similarly , you can specify whatever other maven additional parameters you may need.

Gradle Analyzer

This analyzer fetches the dependencies for gradle projects. The analyzer executes gradlew -q dependencies or gradle -q dependencies if the gradlew does not exist and processes the result.

The analyzer checks if build.gradle or build.gradle.kts files exist in the source code. In this case, the analyzer executes the command:

gradle -q dependencies

If the project has no the gradlew file and you have not the gradle command installed, this analyzer will be disabled, and the dependencies from the build.gradle or build.gradle.kts files will not be resolved.

Npm Analyzer

This analyzer fetches the dependencies for Node projects using npm or yarn package managers. The analyzer uses yarn.lock, npm-shrinkwrap.json, package-lock.json or package.json ("lock" and "manifest") files.

These files are processed in the following order: yarn.lock > npm-shrinkwrap.json > package-lock.json > package.json. Package lock files are recommended for repeatable builds, as they have all packages and versions resolved in the dependency tree.

When no lock file is found, package.json is processed and the analyzer generates a yarn.lock file in a temporary directory by executing the command

yarn install --ignore-scripts --modules-folder ${TEMPDIR}/node_modules

If yarn command is not installed, the analyzer will try to install it in a temporary directory.

If no lock file is found and npm is not installed, then the analyzer will not be able to extract the dependencies. And node_modules directories are ignored by the analyzer.

With npm, it is important to have the lockfile in sync with the manifest. If not, an npm install from a user or the package may resolve a dependency to an unintended version. The npm clean-install (or npm ci for short) makes a clean install that also checks for consistency between the lockfile and the manifest.

Bower Analyzer

This analyzer fetches the dependencies for projects using bower package manager and bower.json manifests. The analyzer runs the command

bower list -j

If you have not installed bower, this analyzer will be disabled and the dependencies of the bower.json files will not be resolved.

All bower_components directories in the analyzed will be ignored.

Dotnet Analyzer

This analyzer fetches the dependencies for dotnet projects. To obtain this information, the analyzer uses project.assets.json manifests.

To generate these manifests, you should execute dotnet restore command. You can execute

dotnet restore -h|--help

The analyzed project will not have associated frameworks, but the rest of dependencies will have the associated framework. If a dependency is on two frameworks, it appears twice, once per framework. For example:

.NETFramework 4.6:Microsoft.Build.Tasks.Git:1.0.0
.NETStandard 2.0:Microsoft.Build.Tasks.Git:1.0.0

The Dependency Scanner does not execute dotnet restore command automatically.

Go Analyzer

Extract dependencies for Go modules, from go.mod files. The analyzer runs thego mod graph command.

If the go toolchain is not installed, the analyzer will be disabled and Go modules will not be analyzed.

Pip Analyzer

This analyzer fetches the dependencies for python projects. The analyzer uses the setup.py files to get information for the currently analyzed projects and its dependencies.

The analyzer executes thepipgrip library to get the dependencies tree, if the environment has not installed this library the analyzer tries to install pipgrip in a temporary directory to execute the command and after the directory will be deleted. The commands executed is:

pipgrip --tree --json

As a prerequisite, the packages must be installed. And in the case that pipgrip and pip are not installed, then this analyzer will be disabled.

Composer Analyzer

This analyzer fetches the dependencies for PHP projects. The analyzer uses the composer.json files to get information for the currently analyzed project and his dependencies.

The analyzer executes the commands:

# To get all dependencies with resolved version
composer show -f json

# To get the dependency tree
composer show -t -f json

The analyzer needs that the composer command is installed and the components analyzed have been installed to resolve the dependencies correctly.

Gem Analyzer

This analyzer fetches the dependencies for Ruby gem projects. The analyzer uses Gemfile.lock file to get information about the dependencies.

The ruby gem name for the current project is the directory name that contains the Gemfile.lock file.

You have more information about this .

to get help. You have more information about the dotnet restore command .

For further information about dependency management in the Go ecosystem, see .

Dependency Scanner
here
here
here
managing dependencies in Go