OSS Dependency Map: Scan configuration for optimal results

This product post provides guidance and requirements for preparing source code and configuring scans of your application to take full advantage of the OSS Dependency Map feature.

Scan Preparation: Include dependency and lock files

Make sure the source code folder selected for the scan also contains your dependency manifests and lock files. The manifests declare the dependencies your application references; the lock files record the exact versions that were resolved, so without them the scan only sees declared version ranges rather than the versions actually installed. The supported package managers and their files are listed below. Depending on the technology of the application you are scanning, make sure the corresponding lock files are part of the scan scope.

– Maven (pom.xml, .m2 repository, see further instructions later in this article)
– Node (package-lock.json)
– Yarn (yarn.lock)
– Composer (composer.lock)
– Poetry (poetry.lock)
– Etc.

For information on supported package managers, please refer to this article.

Java/Maven Applications

Scanning Java applications built with Maven requires an additional step before running the scan with CAST Highlight’s Code Reader: run Maven on your sources so that dependency versions are resolved and the dependency .jar files are downloaded into your local Maven repository (by default the .m2 folder in your user’s home directory). The Code Reader reads the physical dependencies from that folder, so Maven must have completed before you scan. Refer to this documentation for further assistance.

Scan Configuration & Options

Once the source code preparation steps above are done, run the scan with CAST Highlight’s Code Reader. Because you want transitive dependencies to be part of the result, you have to pass specific options to the Code Reader/CLI. The first includes all resolved dependencies in the result; the second keeps the installed Node packages out of the scanned code, since package-lock.json already describes them.

--includeAllDependencies
--ignoreDirectories node_modules

If your application is using Maven, add this option:

--mavenRepository <path_to_m2_folder>

Example

$> java -jar HighlightAutomation.jar --sourceDir "C:\source" --workingDir "C:\source\hlresults" --mavenRepository "C:\Users\<username>\.m2" --ignoreDirectories "node_modules" --includeAllDependencies --skipUpload
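The preparation and configuration steps above can be checked before the scan is launched, so that a missing lock file or an unpopulated Maven repository is caught up front instead of surfacing as an incomplete dependency map. The script below is an added example written for this article; it is not CAST tooling and does not ship with the Code Reader. It assumes a POSIX shell, HighlightAutomation.jar in the current directory, and only the manifest/lock pairs named in the list above (the HL_LOCK_PAIRS table, the hl_* function names and the HL_DRY_RUN switch are this example's own).

```shell
#!/bin/sh
# Pre-flight check for a CAST Highlight OSS Dependency Map scan.
# Added example for this article, not CAST's own tooling. Assumed: POSIX sh,
# HighlightAutomation.jar in the current directory, and the manifest/lock pairs
# below (only the package managers named in the article are covered).

# Manifest file and the lock file(s) expected next to it, comma-separated.
HL_LOCK_PAIRS="package.json:package-lock.json,yarn.lock composer.json:composer.lock pyproject.toml:poetry.lock"

# Walk $1 (skipping node_modules) and print every manifest that has no lock file beside it.
hl_missing_lockfiles() {
    dir=$1
    for pair in $HL_LOCK_PAIRS; do
        manifest=${pair%%:*}
        locks=$(printf '%s' "${pair#*:}" | tr ',' ' ')
        find "$dir" -name node_modules -prune -o -type f -name "$manifest" -print |
        while IFS= read -r m; do
            d=$(dirname "$m")
            found=0
            for lock in $locks; do
                if [ -f "$d/$lock" ]; then found=1; fi
            done
            if [ "$found" -eq 0 ]; then printf '%s\n' "$m"; fi
        done
    done
}

# Return 0 when every manifest has its lock file, 1 otherwise (offenders on stderr).
hl_check_lockfiles() {
    missing=$(hl_missing_lockfiles "$1")
    if [ -n "$missing" ]; then
        printf 'Manifests without a lock file (resolved versions would be missing):\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# For Maven projects the local repository ($2) must already hold the resolved .jar
# files: return 1 if a pom.xml exists but no jars are found (run Maven first,
# e.g. "mvn dependency:resolve", before scanning).
hl_check_maven() {
    dir=$1
    repo=$2
    if find "$dir" -name node_modules -prune -o -type f -name pom.xml -print | grep -q .; then
        if ! find "$repo" -type f -name '*.jar' 2>/dev/null | grep -q .; then
            printf 'pom.xml found but no .jar files under "%s"; run Maven first\n' "$repo" >&2
            return 1
        fi
    fi
    return 0
}

# hl_main SOURCE_DIR WORKING_DIR [M2_DIR]: run the checks and, only if they pass,
# the Code Reader with the options the article requires. HL_DRY_RUN=1 prints the
# command instead of running it.
hl_main() {
    src=$1
    work=$2
    repo=${3:-}
    hl_check_lockfiles "$src" || return 1
    hl_check_maven "$src" "$repo" || return 1
    set -- --sourceDir "$src" --workingDir "$work" --ignoreDirectories node_modules \
        --includeAllDependencies --skipUpload
    if [ -n "$repo" ]; then set -- "$@" --mavenRepository "$repo"; fi
    if [ "${HL_DRY_RUN:-0}" = 1 ]; then
        printf 'java -jar HighlightAutomation.jar %s\n' "$*"
        return 0
    fi
    java -jar HighlightAutomation.jar "$@"
}

# Run directly: ./hl_preflight.sh /path/to/source /path/to/hlresults "$HOME/.m2"
if [ "$#" -ge 2 ]; then hl_main "$@"; fi
```

The lock-file walk prunes node_modules on purpose: installed packages carry their own package.json without a lock file, and they are exactly the folder the scan excludes with --ignoreDirectories. The Maven check only looks for .jar files under the given repository path, which is what the Code Reader consumes; if it fails, run Maven on the project and re-run the script rather than pointing --mavenRepository at an empty folder.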