Automated Dependency Discovery & Supported Package Managers
During code scan of your applications, Highlight automatically detects application dependencies to aggregate this data into CAST Highlight’s Software Composition dashboards. Find below the list of the dependency management tools we support so far.
Dependency discovery through dependency files and package managers
CAST Highlight retrieves and references framework and library dependencies by analyzing dependency and requirement configuration files, such as pom.xml (Java/Maven), .json (JavaScript), and .vcproj (C#).
Currently supported dependency management tools & files:
- Ant (build.xml)
- CMake (CMakeLists.txt)
- Composer (composer.json, composer.lock)
- Ruby/Gemfile (gemfile.lock)
- Go (Go.mod, Go.sum)
- Gradle (build.gradle, dependencies.gradle, build.gradle.kts)
- Maven (pom.xml)
- NPM (package.json and package-lock.json v1, v2, v3)
- Swift (package.swift, package.resolved)
- Python (requirements.txt, setup.py, poetry.json, poetry.lock)
- R (require(), library())
- Ruby (Gemfile.lock)
- Visual Studio (.vcproj, .csproj)
- Yarn (yarn.lock)
Package Manager | Technology | Supported Files | Detail |
---|---|---|---|
Ant | Java | build.xml | All dependencies are extracted |
CMake | C/C++ | CMakeLists.txt | Libraries are extracted when found in find_package() of CMakeLists.txt files (recursively). |
Composer | PHP | composer.json, composer.lock | All dependencies are extracted. If composer.lock is present during the scan, lock versions will be retained for the extracted dependencies from composer.json files |
Conan | C/C++, Python | conan.lock, conan.txt, conanfile.py | All dependencies are extracted. If conan.lock is present during the scan, lock versions will be retained for the extracted dependencies from conan.txt or conanfile.py |
Gem | Ruby | gemfile.lock | All dependencies are extracted |
Go Module | Go | go.mod, go.sum | All dependencies are extracted from go.mod, unless go.sum is present during the scan, in which case all dependencies are extracted from go.sum instead. |
Gradle | Java, Kotlin, Groovy, Scala | build.gradle, dependencies.gradle, settings.gradle | All dependencies are extracted except ‘test’ dependencies. If versions of extracted components are defined in settings.gradle, these versions will be retained. |
Maven | Java | pom.xml | Dependencies of all scopes are extracted except ‘test’ dependencies. Entries declared only in <dependencyManagement> are not counted as dependencies; the component versions found within <dependencyManagement> are used to resolve the versions of components declared within <dependencies> that have no version of their own. |
NPM | JavaScript | package.json, package-lock.json | Dependency extraction; dependency version resolution |
Python/Poetry | Python | poetry.lock, pyproject.toml, requirements.txt, setup.py | All dependencies are extracted from poetry.lock if present during the scan, dependencies from other files (requirements.txt, pyproject.toml, etc.) are ignored. If poetry.lock is not found, all dependencies from other dependency files (requirements.txt, setup.py, etc.) are extracted. |
R | R | require(), library() | All dependencies are extracted |
Swift Packages | Swift | Package.swift, Package.resolved | All dependencies are extracted |
Visual Studio | VB/VB.Net, C# | .vcproj | All dependencies are extracted. For version resolution, CAST Highlight will retain the version specified in HintPath if present. |
Yarn | JavaScript | yarn.lock | All dependencies are extracted (you’ll have to use the --includeAllDependencies option during the scan in order to extract all dependencies, including transitive dependencies. Otherwise, only dependencies from package.json files will be taken into account). |
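The Maven row's rules (skip ‘test’ scope, use <dependencyManagement> only as a version lookup, never as a dependency source) are easy to get wrong in a home-grown inventory script, so here is an added worked example that applies them to a constructed pom.xml. This is illustration code written for this page, not CAST Highlight's own extractor; the sample coordinates and versions are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not from CAST documentation). It exercises each rule:
# 'core' has no version and must be resolved from <dependencyManagement>,
# 'unused-bom-entry' is managed only and must NOT appear, 'junit' is test scope.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement>
    <dependencies>
      <dependency><groupId>org.example</groupId><artifactId>core</artifactId><version>2.1.0</version></dependency>
      <dependency><groupId>org.example</groupId><artifactId>unused-bom-entry</artifactId><version>9.9.9</version></dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>core</artifactId></dependency>
    <dependency><groupId>org.example</groupId><artifactId>util</artifactId><version>1.4.2</version><scope>runtime</scope></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.13.2</version><scope>test</scope></dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def _coords(dep):
    """groupId:artifactId key for one <dependency> element."""
    gid = dep.findtext("m:groupId", namespaces=NS)
    aid = dep.findtext("m:artifactId", namespaces=NS)
    return f"{gid}:{aid}"


def extract_maven_dependencies(pom_xml: str) -> dict:
    """Return {groupId:artifactId: version} following the Maven row's rules."""
    root = ET.fromstring(pom_xml)
    # <dependencyManagement> is only a version lookup table, never a dependency list.
    managed = {
        _coords(d): d.findtext("m:version", namespaces=NS)
        for d in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS)
    }
    result = {}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        # Every scope is kept except 'test'; a missing <scope> means 'compile'.
        if dep.findtext("m:scope", default="compile", namespaces=NS) == "test":
            continue
        key = _coords(dep)
        # A dependency without its own <version> takes the managed version.
        result[key] = dep.findtext("m:version", namespaces=NS) or managed.get(key)
    return result


if __name__ == "__main__":
    for coords, version in extract_maven_dependencies(SAMPLE_POM).items():
        print(f"{coords} -> {version}")
```

Note that a managed-only entry such as the sample's unused-bom-entry never reaches the inventory, so a Software Composition view built this way will not report vulnerabilities against libraries that are only pinned in a BOM but never declared in <dependencies>.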