Detectors 6.8.0

The following sections describe detectors used by Synopsys Detect.

About Detectors used by Synopsys Detect

Synopsys Detect uses detectors to find and extract dependencies from all supported package managers.

Each package manager ecosystem is assigned a detector type. Each detector type may have multiple methods used to extract dependencies.

Detector Search

Detectors first check to see if they apply to your project by looking for hints such as files that exist in your project directory or properties you have set.

By default, detectors only search the project directory. In some cases, such as when your project contains subprojects, or when package manager files reside in sub-directories, you may need to instruct Synopsys Detect to search sub-directories by increasing the detector search depth. For more information, refer to detector search depth.

Detectors then check that your environment is extractable, meaning that all the relevant executables (such as npm or a Gradle wrapper) and all relevant downloads (such as the Docker or NuGet inspector) are present or available.

Inspectors are used by detectors when the package manager requires an integration or embedded plugin to work. For example, Gradle uses an inspector as a plugin that executes a custom task. Most detectors do not require an inspector.

Detectors do extraction to find your dependencies, which might require such actions as running executables, performing builds, parsing files, and communicating with web services.
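The following Python script is an added example, not code from Synopsys Detect or its documentation. It models the three steps described above (applicability from file hints, the search depth, and the extractability check for required executables) on a constructed project tree. DETECTORS is a constructed subset of the detector tables on this page, and the overrides dictionary stands in for the executable-path properties; both names are this example's own.

```python
# Added example, not Synopsys Detect's code: a simplified model of the detector
# search described above. DETECTORS is a constructed subset of the tables on
# this page; "overrides" stands in for the executable-path properties.
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Detector:
    name: str
    file_hints: tuple        # any one present in a directory => applicable
    executables: tuple = ()  # any one findable => extractable (empty: parse-only)


DETECTORS = (
    Detector("Maven Pom", ("pom.xml",), ("mvnw", "mvn")),
    Detector("Gradle Inspector", ("build.gradle", "build.gradle.kts"), ("gradlew", "gradle")),
    Detector("Npm Cli", ("package.json",), ("npm",)),
    Detector("Package Lock", ("package-lock.json",)),
    Detector("Cargo", ("Cargo.lock", "Cargo.toml")),
)


def _is_executable(path):
    """True for a regular file with the owner execute bit set (checked via stat
    so the answer does not depend on who runs the script)."""
    return os.path.isfile(path) and bool(os.stat(path).st_mode & stat.S_IXUSR)


def find_executable(name, directory, overrides):
    """Resolve an executable: an explicit override (the property) wins, then a
    wrapper script checked into the project directory, then the system PATH.
    A wrapper found in the project directory is the repository's own code."""
    if name in overrides:
        return overrides[name] if _is_executable(overrides[name]) else None
    local = os.path.join(directory, name)
    if _is_executable(local):
        return local
    return shutil.which(name)


def first_executable(names, directory, overrides):
    for name in names:
        path = find_executable(name, directory, overrides)
        if path:
            return path
    return None


def search(root, max_depth=0, overrides=None):
    """Return (directory, detector name, status, executable) for every
    applicable detector, descending at most max_depth levels below root
    (0 = the project directory only, the default described above)."""
    overrides = overrides or {}
    root = os.path.abspath(root)
    results = []
    for current, dirs, files in os.walk(root):
        depth = current[len(root):].count(os.sep)
        if depth >= max_depth:
            dirs[:] = []                      # do not descend any further
        present = set(files)
        for det in DETECTORS:
            if not present.intersection(det.file_hints):
                continue                      # no hint here: not applicable
            if not det.executables:
                results.append((current, det.name, "extractable", None))
                continue
            found = first_executable(det.executables, current, overrides)
            results.append((current, det.name,
                            "extractable" if found else "not extractable", found))
    return results


def summary(results, base):
    """Sorted (relative directory, detector, status) tuples for comparison."""
    return sorted((os.path.relpath(d, base).replace(os.sep, "/"), n, s)
                  for d, n, s, _ in results)


def make_sample_project():
    """Constructed project tree: a Maven root with a checked-in mvnw wrapper,
    an npm sub-project one level down and a Rust crate two levels down."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "service", "web"))
    for rel in ("pom.xml", "service/package-lock.json", "service/web/Cargo.toml"):
        open(os.path.join(base, *rel.split("/")), "w").close()
    wrapper = os.path.join(base, "mvnw")
    with open(wrapper, "w") as f:
        f.write("#!/bin/sh\nexit 0\n")
    os.chmod(wrapper, 0o755)
    return base


if __name__ == "__main__":
    base = make_sample_project()
    for depth in (0, 1, 2):
        print(f"depth {depth}:")
        for directory, name, status, exe in search(base, depth):
            print(f"  {os.path.relpath(directory, base):14} {name:18} {status:16} {exe or ''}")
```

With the default depth of 0 only the Maven detector at the root is found; the npm lock file and the Cargo crate appear only when the depth is raised to 1 and 2. The wrapper lookup order also shows the point made later on this page: the mvnw that satisfies the extractability check is a script inside the checkout, not a tool you installed.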

Build detectors versus buildless detectors

The recommended way to run Synopsys Detect is as a post-build step so that it has access to both build artifacts and the build tools (package managers and others) used to build the project. Synopsys Detect's build detectors work in this environment and produce the most accurate results. By default, Synopsys Detect runs build detectors.

If you can't build your project, you may still be able to use Synopsys Detect's buildless detectors. The results from buildless detectors may not be as accurate as the results from build detectors, but buildless detectors can run without accessing the tools required to build the project. You can choose to run buildless detectors using the buildless mode property.

The following tables show which detectors run in the default (build) mode, and which detectors run in buildless mode. There is some overlap across the two lists.

Build detectors

By default, Synopsys Detect requires that you are able to build the project you are scanning, which enables Synopsys Detect to return the most accurate results possible. Build detectors can communicate with package managers and run commands such as mvn dependency:tree, or use inspectors such as the Gradle inspector, to derive dependency information.

Not all build detectors run external commands or communicate with external systems, but all build detectors return accurate results.
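The following Python script is an added example, not Synopsys Detect's own parsing code. It parses the output of mvn dependency:tree, the kind of output a build detector consumes, into a tree of resolved coordinates. The sample output and the com.example:myapp project in it are constructed.

```python
# Added example, not Synopsys Detect's code: parse `mvn dependency:tree`
# output, the kind of command output a build detector consumes. SAMPLE is
# constructed; the tree glyphs ("+- ", "\- ", "|  ") are Maven's real format.
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ myapp ---
[INFO] com.example:myapp:jar:1.0.0
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] +- org.springframework:spring-core:jar:5.3.20:compile
[INFO] |  \\- org.springframework:spring-jcl:jar:5.3.20:compile
[INFO] \\- junit:junit:jar:4.13.2:test
[INFO]    \\- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] BUILD SUCCESS
"""

SCOPES = ("compile", "provided", "runtime", "test", "system")


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    scope: Optional[str]
    children: List["Node"] = field(default_factory=list)

    @property
    def gav(self):
        return f"{self.group}:{self.artifact}:{self.version}"


def parse_gav(text):
    """'group:artifact:packaging[:classifier]:version[:scope]' -> Node."""
    parts = text.split(":")
    if len(parts) < 4:
        raise ValueError(f"not a Maven coordinate: {text!r}")
    scope = None
    if parts[-1] in SCOPES:
        scope = parts[-1]
        parts = parts[:-1]
    return Node(parts[0], parts[1], parts[-1], scope)


def parse_tree(output):
    """Build the dependency tree. Every tree level is drawn with three
    characters, so the column of the '+- ' or '\\- ' connector gives the depth."""
    root = None
    stack = []                       # stack[i] is the latest node at depth i
    for raw in output.splitlines():
        if not raw.startswith("[INFO] "):
            continue
        line = raw[len("[INFO] "):]
        if root is None:
            if line.startswith("---") or not line.strip():
                continue             # plugin banner before the tree
            root = parse_gav(line.strip())
            stack = [root]
            continue
        pos = max(line.find("+- "), line.find("\\- "))
        if pos < 0:
            break                    # no connector: the tree has ended
        depth = pos // 3 + 1
        node = parse_gav(line[pos + 3:].strip())
        stack = stack[:depth]        # pop back up to this node's parent
        stack[-1].children.append(node)
        stack.append(node)
    return root


def flatten(node, depth=0):
    """Yield (depth, node) for the whole tree, parents before children."""
    yield depth, node
    for child in node.children:
        yield from flatten(child, depth + 1)


if __name__ == "__main__":
    for depth, node in flatten(parse_tree(SAMPLE)):
        print("  " * depth + node.gav + (f" ({node.scope})" if node.scope else ""))
```

Every version in this output has already been resolved by Maven (properties expanded, ranges pinned, parent-managed versions filled in), which is why a build detector's result is accurate where a file parser's may not be; the scope column also lets a consumer tell runtime dependencies from test-only ones.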

Each applicable detector's required executables, shown in the following table, must be present and findable on your system. Synopsys Detect uses the system PATH to find executables. In some cases, as an alternative to the system PATH, the location of an executable can be provided through a property. On shared build agents, prefer the property where one exists, because a PATH lookup runs whichever binary of that name appears first. Note also that wrappers such as gradlew and mvnw are scripts checked into the repository, so running a build detector against an untrusted checkout executes that repository's code, as any build of it would.

Type | Name | Language | Forge | Requirements
BITBAKE | Bitbake | various | YOCTO | Properties: package names. File: build env script. Executable: bash.
CARGO | Cargo | Rust | crates | Files: Cargo.lock, Cargo.toml.
CLANG | Clang | C or C++ | Derived from the Linux distribution | File: compile_commands.json. Executable: Linux package manager.
COCOAPODS | Pod Lock | Objective C | COCOAPODS and NPMJS | File: Podfile.lock.
CONDA | Conda Cli | Python | Anaconda | File: environment.yml. Executable: conda.
CONAN | Conan CLI | C/C++ | conan | File: conanfile.txt or conanfile.py. Executable: conan.
CONAN | Conan Lockfile | C/C++ | conan | File: conan.lock.
CPAN | Cpan Cli | Perl | CPAN | File: Makefile.PL. Executable: cpan.
CRAN | Packrat Lock | R | CRAN | File: packrat.lock.
GIT | Git Cli | various | N/A | Directory: .git. Executable: git.
GIT | Git Parse | various | N/A | Files: .git/config, .git/HEAD.
GO_DEP | Go Lock | Golang | GitHub | File: Gopkg.lock.
GO_GRADLE | Go Gradle | Golang | GitHub | File: gogradle.lock.
GO_MOD | Go Mod Cli | Golang | Go Modules | File: go.mod. Executable: go.
GO_VENDOR | Go Vendor | Golang | GitHub | File: vendor/vendor.json.
GO_VNDR | Go Vndr | Golang | GitHub | File: vendor.conf.
GRADLE | Gradle Inspector | various | Maven Central | File: build.gradle or build.gradle.kts. Executable: gradlew or gradle.
HEX | Rebar | Erlang | Hex | File: rebar.config. Executable: rebar3.
LERNA | Lerna | Node JS | npmjs | Files: package.json, and one of the following: package-lock.json, npm-shrinkwrap.json, yarn.lock.
MAVEN | Maven Pom | various | Maven Central | File: pom.xml. Executable: mvnw or mvn.
MAVEN | Maven Wrapper | various | Maven Central | File: pom.groovy. Executable: mvnw or mvn.
NPM | Npm Cli | Node JS | npmjs | Files: node_modules, package.json. Executable: npm.
NPM | Package Lock | Node JS | npmjs | File: package-lock.json. Optionally, for better results, package.json also.
NPM | Shrinkwrap | Node JS | npmjs | File: npm-shrinkwrap.json. Optionally, for better results, package.json also.
NUGET | Project | C# | NuGet.org | File: a project file with one of the following extensions: .csproj, .fsproj, .vbproj, .asaproj, .dcproj, .shproj, .ccproj, .sfproj, .njsproj, .vcxproj, .vcproj, .xproj, .pyproj, .hiveproj, .pigproj, .jsproj, .usqlproj, .deployproj, .msbuildproj, .sqlproj, .dbproj, .rproj.
NUGET | Solution | C# | NuGet.org | File: a solution file with a .sln extension.
PACKAGIST | Composer | PHP | Packagist.org | Files: composer.lock, composer.json.
PEAR | Pear | PHP | Pear | File: package.xml. Executable: pear.
PIP | Pip Env | Python | PyPI | Files: Pipfile or Pipfile.lock. Executables: python or python3, and pipenv.
PIP | Pip Inspector | Python | PyPI | Files: a setup.py file, or one or more requirements.txt files. Executables: python and pip, or python3 and pip3.
PIP | Poetry | Python | PyPI | Files: poetry.lock, pyproject.toml.
RUBYGEMS | Gemlock | Ruby | RubyGems | File: Gemfile.lock.
SBT | Sbt Resolution Cache | Scala | Maven Central | File: build.sbt.
SWIFT | Swift | Swift | Swift.org | File: Package.swift. Executable: swift.
YARN | Yarn Lock | Node JS | npmjs | Files: yarn.lock and package.json.

Buildless detectors

When in buildless mode, only detectors that do not run external commands or communicate with external systems are run. Typically these detectors parse available package manager files, such as pom.xml, to derive dependency information.

Synopsys does not recommend running in buildless mode, because the results are not guaranteed to be accurate. A parser sees only the file in front of it, not what the build would resolve (a version set through a property or a range, or inherited from a parent POM), so Synopsys Detect may report dependencies with fuzzy versions, which weakens component and vulnerability matching. However, if the project can't be built, buildless mode still allows some insight into the dependencies of a project.
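The following Python script is an added example, not Synopsys Detect's own code. It does what a buildless detector can do with pom.xml, parse it without running Maven, and labels each dependency with why its version could or could not be pinned. SAMPLE_POM is constructed: one literal-via-property version, one version range, one version inherited from a parent POM, and one reference to a property the file does not define.

```python
# Added example, not Synopsys Detect's code: a buildless-style parse of pom.xml
# that shows where versions come out fuzzy. SAMPLE_POM is constructed.
import re
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"
PROP = re.compile(r"\$\{([^}]+)\}")

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.0</version>
  </parent>
  <groupId>com.example</groupId>
  <artifactId>myapp</artifactId>
  <version>1.0.0</version>
  <properties>
    <commons.version>3.12.0</commons.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>${commons.version}</version>
    </dependency>
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>[30.0,)</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>org.yaml</groupId>
      <artifactId>snakeyaml</artifactId>
      <version>${snakeyaml.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def child_text(elem, tag):
    node = elem.find(NS + tag)
    return node.text.strip() if node is not None and node.text else None


def parse_pom(xml):
    """Return (groupId, artifactId, version, status) per dependency. status is
    "exact" when the version could be pinned from this file alone; otherwise
    it names why the version is fuzzy."""
    root = ET.fromstring(xml)
    props = {p.tag[len(NS):]: (p.text or "").strip()
             for p in root.findall(f"{NS}properties/*")}
    for key in ("groupId", "artifactId", "version"):   # Maven's project.* props
        if child_text(root, key):
            props[f"project.{key}"] = child_text(root, key)
    deps = []
    for dep in root.findall(f"{NS}dependencies/{NS}dependency"):
        group = child_text(dep, "groupId")
        artifact = child_text(dep, "artifactId")
        version = child_text(dep, "version")
        if version is None:
            # Managed by the parent POM (or dependencyManagement) that a file
            # parser never fetches; only a build resolves it.
            deps.append((group, artifact, None, "managed: inherited from parent"))
            continue
        missing = [k for k in PROP.findall(version) if k not in props]
        if missing:
            deps.append((group, artifact, version,
                         "unresolved property: " + ", ".join(missing)))
            continue
        version = PROP.sub(lambda m: props[m.group(1)], version)
        if version.startswith(("[", "(")):
            deps.append((group, artifact, version,
                         "range: build picks the newest matching release"))
            continue
        deps.append((group, artifact, version, "exact"))
    return deps


def fuzzy(deps):
    """The dependencies whose version a buildless scan cannot pin."""
    return [d for d in deps if d[3] != "exact"]


if __name__ == "__main__":
    for group, artifact, version, status in parse_pom(SAMPLE_POM):
        print(f"{group}:{artifact}:{version or '?'}  [{status}]")
```

Of the four dependencies only commons-lang3 comes out with an exact version; the other three are exactly the fuzzy results the text warns about, and a build detector running mvn dependency:tree on the same project would report all four pinned.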

Type | Name | Language | Forge | Requirements
CARGO | Cargo | Rust | crates | Files: Cargo.lock, Cargo.toml.
COCOAPODS | Pod Lock | Objective C | COCOAPODS and NPMJS | File: Podfile.lock.
GIT | Git Parse | various | N/A | Files: .git/config, .git/HEAD.
GO_DEP | Go Lock | Golang | GitHub | File: Gopkg.lock.
GO_GRADLE | Go Gradle | Golang | GitHub | File: gogradle.lock.
GO_VENDOR | Go Vendor | Golang | GitHub | File: vendor/vendor.json.
GO_VNDR | Go Vndr | Golang | GitHub | File: vendor.conf.
GRADLE | Gradle Parse | various | Maven Central | File: build.gradle.
MAVEN | Maven Pom Parse | various | Maven Central | File: pom.xml.
NPM | Package Json Parse | Node JS | npmjs | File: package.json.
NPM | Package Lock | Node JS | npmjs | File: package-lock.json. Optionally, for better results, package.json also.
NPM | Shrinkwrap | Node JS | npmjs | File: npm-shrinkwrap.json. Optionally, for better results, package.json also.
PACKAGIST | Composer | PHP | Packagist.org | Files: composer.lock, composer.json.
CRAN | Packrat Lock | R | CRAN | File: packrat.lock.
PIP | Poetry | Python | PyPI | Files: poetry.lock, pyproject.toml.
RUBYGEMS | Gemlock | Ruby | RubyGems | File: Gemfile.lock.
RUBYGEMS | Gemspec | Ruby | RubyGems | File: a gemspec file (with .gemspec extension).
SBT | Sbt Resolution Cache | Scala | Maven Central | File: build.sbt.
YARN | Yarn Lock | Node JS | npmjs | Files: yarn.lock and package.json.

©2018 Synopsys, Inc. All Rights Reserved