Detectors 6.8.0
The following sections describe detectors used by Synopsys Detect.
About Detectors used by Synopsys Detect
Synopsys Detect uses detectors to find and extract dependencies from all supported package managers.
Each package manager ecosystem is assigned a detector type. Each detector type may have multiple methods used to extract dependencies.
Detector Search
Detectors first check to see if they apply to your project by looking for hints such as files that exist in your project directory or properties you have set.
By default, detectors only search the project directory. In some cases, such as when your project contains subprojects, or when package manager files reside in sub-directories, you may need to instruct Synopsys Detect to search sub-directories by increasing the detector search depth. For more information, refer to detector search depth.
Detectors then check that your environment is extractable, meaning you have all the relevant executables such as NPM or a Gradle wrapper, and all relevant downloads are present or available, such as the Docker or NuGet inspector.
Inspectors are used by detectors when the package manager requires an integration or embedded plugin to work. For example, Gradle uses an inspector as a plugin that executes a custom task. Most detectors do not require an inspector.
Detectors then perform extraction to find your dependencies, which may require running executables, performing builds, parsing files, or communicating with web services.
Build detectors versus buildless detectors
The recommended way to run Synopsys Detect is as a post-build step so that it has access to both build artifacts and the build tools (package managers and others) used to build the project. Synopsys Detect's build detectors work in this environment and produce the most accurate results. By default, Synopsys Detect runs build detectors.
If you can't build your project, you may still be able to use Synopsys Detect's buildless detectors. The results from buildless detectors may not be as accurate as the results from build detectors, but buildless detectors can run without accessing the tools required to build the project. You can choose to run buildless detectors using the buildless mode property.
The following tables show which detectors run in the default (build) mode, and which detectors run in buildless mode. There is some overlap across the two lists.
Build detectors
By default, Synopsys Detect requires that you are able to build the project you are scanning, which enables Synopsys Detect to return the most accurate results possible.
Build detectors can communicate with package managers and run commands such as mvn dependency:tree, and can use inspectors, such as the Gradle inspector, to derive dependency information.
Not every build detector runs external commands or communicates with external systems, but all build detectors return accurate results.
Each applicable detector's required executables shown in the following table must be present and findable on your system. Synopsys Detect uses the system PATH to find executables. In some cases, as an alternative to the system PATH, the location of an executable can be provided through a property.
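The applicability, extractability and search-depth rules described above, worked through as an added Python illustration (not Synopsys Detect's own code; the real detector search is more involved). The hint files and executables are a subset taken from the build-detector table; the sample project layout is constructed.

```python
import os
import shutil
import tempfile

# Subset of this page's build-detector table: detector type, the hint files that
# must all be present, and the executable needed (None if it only parses files).
DETECTORS = [
    ("CARGO", ("Cargo.lock", "Cargo.toml"), None),
    ("GO_MOD", ("go.mod",), "go"),
    ("MAVEN", ("pom.xml",), "mvn"),
    ("NPM", ("package-lock.json",), None),
    ("PIP", ("Pipfile",), "pipenv"),
    ("RUBYGEMS", ("Gemfile.lock",), None),
]

def find_detectors(root, search_depth=0, buildless=False, which=shutil.which):
    """Return sorted (relative_dir, detector_type) pairs for detectors that
    apply (hint files present) and are extractable (executable on PATH).
    Depth 0 examines only the project root, mirroring the default search."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        if depth > search_depth:
            dirnames[:] = []  # beyond the search depth: do not descend
            continue
        present = set(filenames)
        for dtype, hints, exe in DETECTORS:
            if not all(h in present for h in hints):
                continue  # detector does not apply in this directory
            if buildless and exe is not None:
                continue  # buildless mode skips detectors that run tools
            if not buildless and exe is not None and which(exe) is None:
                continue  # applies, but not extractable: executable missing
            found.append((rel.replace(os.sep, "/"), dtype))
    return sorted(found)

def demo():
    """Constructed sample project: Maven at the root, a Cargo subproject."""
    root = tempfile.mkdtemp()
    for path in ("pom.xml", "lib/native/Cargo.lock", "lib/native/Cargo.toml"):
        full = os.path.join(root, *path.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return {
        "default": find_detectors(root, which=lambda exe: None),
        "deep_buildless": find_detectors(root, search_depth=2, buildless=True),
        "deep_build": find_detectors(root, 2, which=lambda exe: "/usr/bin/" + exe),
    }
```

With the default depth the Cargo subproject is never seen, and without mvn on the PATH the Maven detector applies but is not extractable, so nothing is reported until the depth is raised.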
Type | Name | Language | Forge | Requirements |
---|---|---|---|---|
BITBAKE | Bitbake | various | YOCTO | Properties: package names. File: build env script. Executable: bash. |
CARGO | Cargo | Rust | crates | Files: Cargo.lock, Cargo.toml |
CLANG | Clang | C or C++ | Derived from the Linux distribution. | File: compile_commands.json. Executable: Linux package manager. |
COCOAPODS | Pod Lock | Objective C | COCOAPODS and NPMJS | Files: Podfile.lock |
CONDA | Conda Cli | Python | Anaconda | File: environment.yml. Executable: conda. |
CONAN | Conan CLI | C/C++ | conan | Files: conanfile.txt or conanfile.py. Executable: conan. |
CONAN | Conan Lockfile | C/C++ | conan | Files: conan.lock. |
CPAN | Cpan Cli | Perl | CPAN | File: Makefile.PL. Executable: cpan. |
CRAN | Packrat Lock | R | CRAN | File: packrat.lock. |
GIT | Git Cli | various | N/A | Directory: .git. Executable: git. |
GIT | Git Parse | various | N/A | Files: .git/config, .git/HEAD. |
GO_DEP | Go Lock | Golang | GitHub | File: Gopkg.lock. |
GO_GRADLE | Go Gradle | Golang | GitHub | File: gogradle.lock. |
GO_MOD | Go Mod Cli | Golang | Go Modules | File: go.mod. Executable: go. |
GO_VENDOR | Go Vendor | Golang | GitHub | File: vendor/vendor.json. |
GO_VNDR | Go Vndr | Golang | GitHub | File: vendor.conf. |
GRADLE | Gradle Inspector | various | Maven Central | File: build.gradle or build.gradle.kts. Executable: gradlew or gradle. |
HEX | Rebar | Erlang | Hex | File: rebar.config. Executable: rebar3. |
LERNA | Lerna | Node JS | npmjs | File: package.json, and one of the following: package-lock.json, npm-shrinkwrap.json, yarn.lock. |
MAVEN | Maven Pom | various | Maven Central | File: pom.xml. Executable: mvnw or mvn. |
MAVEN | Maven Wrapper | various | Maven Central | File: pom.groovy. Executable: mvnw or mvn. |
NPM | Npm Cli | Node JS | npmjs | Files: node_modules, package.json. Executable: npm. |
NPM | Package Lock | Node JS | npmjs | File: package-lock.json. Optionally for better results: package.json also. |
NPM | Shrinkwrap | Node JS | npmjs | File: npm-shrinkwrap.json. Optionally for better results: package.json also. |
NUGET | Project | C# | | File: a project file with one of the following extensions: .csproj, .fsproj, .vbproj, .asaproj, .dcproj, .shproj, .ccproj, .sfproj, .njsproj, .vcxproj, .vcproj, .xproj, .pyproj, .hiveproj, .pigproj, .jsproj, .usqlproj, .deployproj, .msbuildproj, .sqlproj, .dbproj, .rproj |
NUGET | Solution | C# | | File: a solution file with a .sln extension. |
PACKAGIST | Composer | PHP | | Files: composer.lock, composer.json. |
PEAR | Pear | PHP | Pear | Files: package.xml. Executable: pear. |
PIP | Pip Env | Python | PyPi | Files: Pipfile or Pipfile.lock. Executables: python or python3, and pipenv. |
PIP | Pip Inspector | Python | Pypi | A setup.py file, or one or more requirements.txt files. Executables: python and pip, or python3 and pip3. |
PIP | Poetry | Python | pypi | Files: Poetry.lock, pyproject.toml |
RUBYGEMS | Gemlock | Ruby | RubyGems | File: Gemfile.lock. |
SBT | Sbt Resolution Cache | Scala | Maven Central | File: build.sbt. |
SWIFT | Swift | Swift | | File: Package.swift. Executable: swift. |
YARN | Yarn Lock | Node JS | npmjs | Files: yarn.lock and package.json. |
Buildless detectors
When in buildless mode, only detectors that do not communicate with external systems are run. Typically these detectors parse available package manager files such as pom.xml to derive dependency information.
Synopsys does not recommend running in buildless mode because the results are not guaranteed to be accurate, for example, Synopsys Detect may report dependencies with fuzzy versions.
However, if the project can't be built, buildless mode still allows some insight into the dependencies of a project.
Type | Name | Language | Forge | Requirements |
---|---|---|---|---|
CARGO | Cargo | Rust | crates | Files: Cargo.lock, Cargo.toml |
COCOAPODS | Pod Lock | Objective C | COCOAPODS and NPMJS | Files: Podfile.lock |
GIT | Git Parse | various | N/A | Files: .git/config, .git/HEAD. |
GO_DEP | Go Lock | Golang | GitHub | File: Gopkg.lock. |
GO_GRADLE | Go Gradle | Golang | GitHub | File: gogradle.lock. |
GO_VENDOR | Go Vendor | Golang | GitHub | File: vendor/vendor.json. |
GO_VNDR | Go Vndr | Golang | GitHub | File: vendor.conf. |
GRADLE | Gradle Parse | various | Maven Central | File: build.gradle. |
MAVEN | Maven Pom Parse | various | Maven Central | File: pom.xml. |
NPM | Package Json Parse | Node JS | npmjs | File: package.json. |
NPM | Package Lock | Node JS | npmjs | File: package-lock.json. Optionally for better results: package.json also. |
NPM | Shrinkwrap | Node JS | npmjs | File: npm-shrinkwrap.json. Optionally for better results: package.json also. |
PACKAGIST | Composer | PHP | | Files: composer.lock, composer.json. |
CRAN | Packrat Lock | R | CRAN | File: packrat.lock. |
PIP | Poetry | Python | pypi | Files: Poetry.lock, pyproject.toml |
RUBYGEMS | Gemlock | Ruby | RubyGems | File: Gemfile.lock. |
RUBYGEMS | Gemspec | Ruby | RubyGems | File: A gemspec file (with .gemspec extension). |
SBT | Sbt Resolution Cache | Scala | Maven Central | File: build.sbt. |
YARN | Yarn Lock | Node JS | npmjs | Files: yarn.lock and package.json. |
©2018 Synopsys, Inc. All Rights Reserved