Automated Dependency Discovery & Supported Package Managers

During code scan of your applications, Highlight automatically detects application dependencies to aggregate this data into CAST Highlight’s Software Composition dashboards. Find below the list of the dependency management tools we support so far.

Dependency discovery through dependency files and package managers

CAST Highlight retrieves and references other framework and library dependencies through the analysis of dependency & requirement configuration files, such as pom.xml (Java/Maven), .json (Javascript), and .vcproj (C#).

Currently supported dependency management tools & files:

  • Ant (build.xml)
  • Composer (composer.json, composer.lock)
  • Ruby/Gemfile (gemfile.lock)
  • Go (Go.mod, Go.sum)
  • Gradle (build.gradle, dependencies.gradle, build.gradle.kts)
  • Maven (pom.xml)
  • NPM (package.json and package-lock.json v1, v2, v3)
  • Swift (package.swift, package.resolved)
  • Python (requirements.txt,, poetry.json, poetry.lock)
  • R (require(), library())
  • Ruby (Gemfile.lock)
  • Visual Studio (.vcproj, .csproj)
  • Yarn (yarn.lock)

Package Manager Technology Supported Files Detail
Ant Java build.xml All dependencies are extracted
Composer PHP composer.json, composer.lock All dependencies are extracted. If composer.lock is present during the scan, lock versions will be retained for the extracted dependencies from composer.json files
Gem Ruby gemfile.lock All dependencies are extracted
Go Module Go go.mod, go.sum All dependencies are extracted from go.mod, except if go.sum is present during the scan. All dependencies are extracted from go.sum.
Gradle Java, Kotlin, Groovy, Scala build.gradle, dependencies.gradle, settings.gradle All dependencies are extracted except ‘test’ dependencies. If versions of extracted components are defined in settings.gradle, these versions will be retained.
Maven Java pom.xml All dependency scopes are extracted except ‘test’ dependencies. Dependencies from <dependencyManagement> are not taken into account. Component versions found within <dependencyManagement> are used to resolve versions of components found within <dependencies>
NPM JavaScript package.json, package-lock.json Dependency extraction:

  • devDependencies are not extracted
  • By default, node_modules folders are excluded from the scan, except if the option –includeAllDependencies is passed
  • By default,only dependencies found in package.json are extracted. Dependencies found in package-lock.json will be extracted only if the option –includeAllDependencies is passed


Dependency version resolution:

  • package.json: All dependencies except devDependencies are extracted. If package-lock.json or yarn.lock are present during the scan, yarn/lock versions will be retained for the extracted dependencies from package.json files.
Python/Poetry Python poetry.lock, pyproject.toml, requirements.txt, All dependencies are extracted from poetry.lock if present during the scan, dependencies from other files (requirements.txt, pyproject.toml, etc.) are ignored. If poetry.lock is not found, all dependencies from other dependency files (requirements.txt,, etc.) are extracted.
R R <code> All dependencies are extracted
Swift Packages Swift Package.swift, Package.resolved All dependencies are extracted
Visual Studio VB/VB.Net, C# .vcproj All dependencies are extracted. For version resolution, CAST Highlight will retain the version specified in HintPath if present.
Yarn JavaScript yarn.lock All dependencies are extracted (you’ll have to use the –includeAllDependencies option during the scan in order to extract all dependencies including transitive dependencies. Otherwise, only dependencies from package.json files will be taken into account).