Posted By: Hendy Chua & Pritesh Mehta
Today we released a new agent that supports scanning SBT, CocoaPods and Yarn projects, adding to the list of build systems and package managers that we already support. To get this feature users can simply update their agents (i.e. brew upgrade srcclr).
For an SBT project to be discovered by our agent, it must contain a build.sbt file. The agent uses our SBT plugin to build the dependency graph of the project. The plugin uses SBT's dependency resolver to resolve the project's direct dependencies and their transitive dependencies. Once resolved, it builds a graph from that information, starting with the direct dependencies. The graph is then sent back to the agent for further processing.
For a CocoaPods project to be discovered by our agent, it must contain either a Podfile or a Podfile.lock. If the project contains only a Podfile, the agent will attempt to generate the lock file by running pod install. The agent then parses the lock file to get the list of dependencies and their versions and to build the dependency graph.
For a Yarn project to be discovered by our agent, it must contain both package.json and yarn.lock. By default, when a project contains package.json, the agent recognizes it as using NPM for its dependency management and uses the NPM dependency collector. To use Yarn as the dependency collector instead, specify it through the --scan-collectors option, for example: srcclr scan /my/project --scan-collectors yarn.
The agent parses yarn.lock to get the list of dependencies and their resolved versions. By comparing that list with the dependencies declared in package.json, the agent can build the full dependency graph, including the transitive dependencies.
Like other package managers and build systems that support scopes, the Yarn collector supports them too. By default, the Yarn collector resolves all dependencies. You can limit dependency resolution to one scope by setting prod for production dependencies, or dev for development dependencies, in the srcclr.yml directives file. More information on the directives file can be found here.
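As an added illustration (not SourceClear's agent code) of what the Yarn collector described above has to do, the following parses a Yarn v1 lockfile, walks from the dependencies declared in package.json to build the graph with each package marked as direct or transitive, and narrows the roots by a prod/dev scope. The lockfile text and package.json object are constructed sample input, and the parseYarnLock and buildGraph names are this example's own.

```javascript
function parseYarnLock(text) {
  const entries = {}; // "name@range" -> { version, dependencies }
  let cur = null, inDeps = false;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue; // skip blank lines and comments
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0) { // header: comma-separated "name@range" keys, maybe quoted
      cur = { version: null, dependencies: {} }; inDeps = false;
      for (const k of line.replace(/:$/, "").split(", ")) entries[k.replace(/^"|"$/g, "")] = cur;
    } else if (indent === 2) { // version / resolved / integrity / dependencies:
      inDeps = line === "dependencies:";
      const m = line.match(/^version "([^"]+)"$/); if (m) cur.version = m[1];
    } else if (indent === 4 && inDeps) { // name "range"; scoped names are quoted
      const m = line.match(/^"?([^"\s]+)"?\s+"([^"]+)"$/); if (m) cur.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}
// scope mirrors the prod/dev directive: it only selects which declared deps seed the walk,
// so a package reached only through another dependency is reported as transitive.
function buildGraph(pkgJson, lock, scope = "all") {
  const roots = { ...(scope !== "dev" ? pkgJson.dependencies : {}),
                  ...(scope !== "prod" ? pkgJson.devDependencies : {}) };
  const graph = {}; // "name@version" -> { direct, dependsOn }
  const visit = (name, range, direct) => {
    const e = lock[`${name}@${range}`];
    if (!e) throw new Error(`${name}@${range} is not in yarn.lock`);
    const id = `${name}@${e.version}`;
    if (graph[id]) { graph[id].direct = graph[id].direct || direct; return id; }
    graph[id] = { direct, dependsOn: [] };
    for (const [n, r] of Object.entries(e.dependencies)) graph[id].dependsOn.push(visit(n, r, false));
    return id;
  };
  for (const [n, r] of Object.entries(roots)) visit(n, r, true);
  return graph;
}
// Constructed sample input; versions are illustrative, not real lock data.
const LOCK = `# yarn lockfile v1
"@babel/code-frame@^7.0.0":
  version "7.10.4"
  dependencies:
    "@babel/highlight" "^7.10.4"
"@babel/highlight@^7.10.4":
  version "7.10.4"
  dependencies:
    lodash "^4.17.19"
lodash@^4.17.15, lodash@^4.17.19:
  version "4.17.20"`;
const PKG = { dependencies: { lodash: "^4.17.15" }, devDependencies: { "@babel/code-frame": "^7.0.0" } };
```

With the full scope, lodash is both declared and pulled in transitively, so it is reported as direct; with the dev scope only, it is reached solely through @babel/highlight and becomes transitive.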
We tried out our new collectors by scanning open-source projects on GitHub that use either SBT, CocoaPods, or Yarn.
[Table: Vulnerabilities/Project, Public CVEs, SourceClear Premium Data; the data rows were not preserved]
From these results we can see that most projects end up pulling in more dependencies than they declare, because of transitive dependencies. Often it is these transitive dependencies that contain the vulnerabilities. Most of the vulnerabilities are also not in the CVE database. We detect the transitive dependencies and both public and non-public vulnerabilities, and advise you on which versions of the libraries you use are safe, so that you can update them and avoid shipping vulnerabilities in your software.
To learn more about how to scan, check out the SourceClear Command Line Agent doc.
We hope this functionality will give you and your team more visibility into vulnerabilities as you’re scanning your projects. As always, we’re here to help. Contact us, or email our helpful support team.