Dependency resolution and supported package manager files
This article covers the supported dependency files that are used during our package manager resolution step of the Unified Agent scan.
What is a dependency file?
Also commonly known as a packages file, manifest file, or Bill of Materials (BOM) file, a dependency file contains various metadata about your project. This can include items such as the project description, the version of the project in a particular distribution, license information, and even configuration data. The most important information in these files for scanning with Mend is the list of your dependencies.
Package manager resolution step
During this step, the Unified Agent searches for dependency files, such as pom.xml, package.json, build.gradle, requirements.txt, packages.config, and others, depending on which package manager parameters you have enabled in your config. The Unified Agent then runs the relevant package manager commands to determine the dependencies in your project, preparing for dependency resolution when indexing against our database for vulnerabilities and compliance. Package manager resolution is the most accurate scan mode (compared to the flat file system scan) for identifying the libraries in your project.
Supported dependency files
Note: Use of lock files is supported only when the associated package manager file is also included in your project (e.g. package.json with package-lock.json)
Language | Supported Dependency Files
---|---
Java | pom.xml
Java, Kotlin | build.gradle, build.gradle.kts, gradle.lockfile, gradle.properties
Java | pom.xml, build.xml
Java | pom.xml, BUILD
JavaScript | package.json, package-lock.json, yarn.lock, pnpm-lock.yaml
JavaScript | bower.json
.NET, C# | .nuspec, packages.config, .csproj, project.assets.json, packages.lock.json
.NET, C# | .paket, paket.dependencies, paket.lock
Python | requirements.txt, pipfile.toml, pipfile.lock, setup.py, setup.cfg, environment.yml
Python | requirements.txt, pyproject.toml, poetry.lock
Python | requirements.txt, pyproject.toml (if using Pip with Conda), environment.yml
Golang (Go) | glide.lock, glide.yaml, gogradle.lock, Gopkg.lock, Godeps.lock, vendor.conf
Golang (Go) | go.mod, go.sum
Scala | dependencies.scala, build.scala, build.sbt
R | packrat.lock
PHP | composer.json, composer.lock
Ruby | Gemfile, Gemfile.lock
HTML | .js, .html
Objective C, Swift | Podfile, Podfile.lock, package.swift, Cartfile
Rust | cargo.toml
Elixir, Erlang | mix.exs, mix.lock, rebar.config
Haskell | .cabal
OCaml | .opam, opam.lock
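The following is an added example, not part of this article or of the Unified Agent's own code. It shows the two things the resolution step and the note above describe: walking a project tree for the dependency files listed in the table, and accepting a lock file only when its associated package manager file sits next to it, so an orphaned lock file is reported instead of silently scanned or silently ignored. The file lists cover a subset of the table (with the real on-disk casing of Cargo.toml and Package.swift), the pruned directory names are an assumption, and the sample project tree is constructed inside a temporary directory.

```python
"""Added example (not Mend's code): find supported dependency files in a
project tree and apply the lock-file rule from the article, i.e. a lock
file only counts when its associated manifest is in the same directory."""
import os
import tempfile
from pathlib import Path

# Manifest files that are accepted on their own. Entries starting with "."
# are treated as file extensions (e.g. ".csproj" matches "app.csproj").
# Subset of the article's table; casing follows the real on-disk names.
MANIFESTS = {
    "pom.xml", "build.xml", "BUILD", "build.gradle", "build.gradle.kts",
    "package.json", "bower.json", "packages.config", ".csproj", ".nuspec",
    "paket.dependencies", "requirements.txt", "setup.py", "setup.cfg",
    "pyproject.toml", "environment.yml", "go.mod", "build.sbt", "packrat.lock",
    "composer.json", "Gemfile", "Podfile", "Package.swift", "Cartfile",
    "Cargo.toml", "mix.exs", "rebar.config", ".cabal", ".opam",
}

# Lock file -> manifests that must accompany it (per the note in the article).
MANIFEST_FOR_LOCK = {
    "package-lock.json": {"package.json"},
    "yarn.lock": {"package.json"},
    "pnpm-lock.yaml": {"package.json"},
    "gradle.lockfile": {"build.gradle", "build.gradle.kts"},
    "packages.lock.json": {"packages.config", ".csproj"},
    "paket.lock": {"paket.dependencies"},
    "poetry.lock": {"pyproject.toml"},
    "go.sum": {"go.mod"},
    "composer.lock": {"composer.json"},
    "Gemfile.lock": {"Gemfile"},
    "Podfile.lock": {"Podfile"},
    "mix.lock": {"mix.exs"},
    "opam.lock": {".opam"},
}

# Directories that hold third-party code, not the project's own manifests
# (assumed prune list; adjust to your layout).
PRUNED_DIRS = {"node_modules", ".git", "vendor"}


def _matches(name, patterns):
    """True if name equals a pattern or ends with a "."-prefixed extension."""
    return name in patterns or any(
        p.startswith(".") and name.endswith(p) for p in patterns
    )


def find_dependency_files(root):
    """Walk root and return (accepted, orphaned) as sorted POSIX-style
    relative paths. Orphaned = lock files whose manifest is missing."""
    root = Path(root)
    accepted, orphaned = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in PRUNED_DIRS)
        present = set(filenames)
        for name in filenames:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            if _matches(name, MANIFESTS):
                accepted.append(rel)
            elif name in MANIFEST_FOR_LOCK:
                if any(_matches(f, MANIFEST_FOR_LOCK[name]) for f in present):
                    accepted.append(rel)
                else:
                    orphaned.append(rel)
    return sorted(accepted), sorted(orphaned)


def build_sample_project():
    """Create a constructed sample tree in a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="mend-example-"))
    layout = [
        "pom.xml",                                  # manifest on its own
        "web/package.json",                         # manifest ...
        "web/package-lock.json",                    # ... plus its lock file
        "orphan/yarn.lock",                         # lock file, no package.json
        "web/node_modules/left-pad/package.json",   # pruned third-party copy
    ]
    for rel in layout:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("{}\n")
    return root


if __name__ == "__main__":
    accepted, orphaned = find_dependency_files(build_sample_project())
    print("accepted:", accepted)
    print("orphaned lock files (manifest missing):", orphaned)
```

Run on the constructed tree, the walk accepts pom.xml and the web/ pair, skips the copy of package.json under node_modules, and reports orphan/yarn.lock because no package.json accompanies it; this is the condition under which the Unified Agent does not use a lock file, so reporting it explains a scan that returns fewer dependencies than expected.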