Today we released a new agent that supports scanning SBT, CocoaPods and Yarn projects, adding to the list of build systems and package managers we already support. To get this feature, update your agent (for example, brew upgrade srcclr).
SBT Projects
For an SBT project to be discovered by our agent, it must contain build.sbt. The agent uses our SBT plugin to build the project's dependency graph.
The plugin uses SBT's dependency resolver to resolve the project's direct dependencies and their transitive dependencies. Once they are resolved, it builds a graph from that information, starting with the direct dependencies, and sends the graph back to the agent for processing.
CocoaPods Projects
For a CocoaPods project to be discovered by our agent, it must contain either Podfile or Podfile.lock. If the project contains only Podfile, the agent will attempt to generate the lock file by running pod install. The agent then parses the lock file to get the list of dependencies and their resolved versions and to build the dependency graph. Keep in mind that pod install evaluates the Podfile (a Ruby DSL) and fetches pods from the network, so scanning a checkout that has only a Podfile means executing that project's build configuration; committing Podfile.lock avoids this and makes scans reproducible.
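The lock-file step above, as an added example that is not SourceClear's code: a small parser for the PODS and DEPENDENCIES sections of a Podfile.lock, plus a reachability walk that separates declared pods from transitive ones and flags requirements that have no resolved entry. The lock text is constructed sample data, and the function names are this example's own.

```javascript
// Added example (not SourceClear's code): parse a CocoaPods Podfile.lock and derive the
// pod dependency graph from it. The lock text below is constructed sample data; the real
// file is what pod install writes (the agent runs pod install when it is absent).

// Returns { pods: Map<name, { version, deps: [name] }>, directs: Set<name> }.
// PODS lists every resolved pod (subspecs such as "AFNetworking/Security" are separate
// pods) with its own requirements nested beneath it; DEPENDENCIES lists what the Podfile declares.
function parsePodfileLock(text) {
  const pods = new Map();
  const directs = new Set();
  let section = null;
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trimEnd();
    if (!line) continue;
    if (!line.startsWith(' ')) { // top-level header such as "PODS:" or "DEPENDENCIES:"
      section = line.replace(/:$/, '');
      current = null;
      continue;
    }
    const indent = line.length - line.trimStart().length;
    // "- Name (1.2.3):" (resolved pod) or "- Name (~> 1.0)" / "- Name" (requirement)
    const m = line.trim().match(/^- (\S+)(?: \(([^)]*)\))?:?$/);
    if (!m) continue;
    const [, name, spec] = m;
    if (section === 'PODS' && indent === 2) {
      current = { version: spec, deps: [] };
      pods.set(name, current);
    } else if (section === 'PODS' && indent === 4 && current) {
      current.deps.push(name); // spec here is a version requirement, not a resolved version
    } else if (section === 'DEPENDENCIES' && indent === 2) {
      directs.add(name);
    }
  }
  return { pods, directs };
}

// Reachability walk from the declared pods: anything reached that is not declared is
// transitive; a requirement with no PODS entry means the lock file is inconsistent.
function buildPodGraph(lock) {
  const reached = new Set();
  const missing = new Set();
  function visit(name) {
    if (reached.has(name)) return;
    const pod = lock.pods.get(name);
    if (!pod) { missing.add(name); return; }
    reached.add(name);
    pod.deps.forEach((dep) => visit(dep));
  }
  lock.directs.forEach((name) => visit(name));
  const transitives = [...reached].filter((n) => !lock.directs.has(n));
  return { directs: [...lock.directs], transitives, missing: [...missing] };
}

// Constructed sample Podfile.lock (checksums are placeholders).
const samplePodfileLock = `PODS:
  - AFNetworking (3.2.1):
    - AFNetworking/NSURLSession (= 3.2.1)
    - AFNetworking/Security (= 3.2.1)
  - AFNetworking/NSURLSession (3.2.1):
    - AFNetworking/Reachability
    - AFNetworking/Security
  - AFNetworking/Reachability (3.2.1)
  - AFNetworking/Security (3.2.1)
  - Alamofire (4.7.3)

DEPENDENCIES:
  - AFNetworking (~> 3.2)
  - Alamofire

SPEC REPOS:
  https://github.com/cocoapods/specs.git:
    - AFNetworking
    - Alamofire

SPEC CHECKSUMS:
  AFNetworking: constructed
  Alamofire: constructed

PODFILE CHECKSUM: constructed

COCOAPODS: 1.5.3
`;

const podGraph = buildPodGraph(parsePodfileLock(samplePodfileLock));
console.log(`${podGraph.directs.length} direct, ${podGraph.transitives.length} transitive`);
// → 2 direct, 3 transitive
```

Subspecs are why a CocoaPods project with two declared pods can resolve to five: each subspec is its own entry in PODS and is reported separately. The parser deliberately ignores the SPEC REPOS, CHECKSUMS and COCOAPODS sections, which carry no graph information.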
Yarn Projects
For a Yarn project to be discovered by our agent, it must contain both package.json and yarn.lock. By default, when a project contains package.json, the agent treats it as an NPM project and uses the NPM dependency collector. To use the Yarn collector instead, specify it with the --scan-collectors option, for example: srcclr scan /my/project --scan-collectors yarn.
The agent parses yarn.lock to get the list of dependencies and their resolved versions. By matching that list against the dependencies declared in package.json, the agent builds the full dependency graph and distinguishes direct dependencies from transitive ones.
Like the other package managers and build systems that support scopes, the Yarn collector supports them too. By default it resolves all dependencies. You can limit resolution by setting scope to prod (production dependencies only) or dev (development dependencies only) in the srcclr.yml directives file. More information on the directives file can be found here.
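The Yarn procedure described above (parse yarn.lock, match it against package.json, honour the prod/dev scope), as an added example that is not SourceClear's code: a parser for the Yarn v1 lockfile format and a graph builder that walks the declared dependencies into it. The package names, ranges, versions and URLs are constructed sample data; the scope argument mirrors the scope directive, but the function names and return shape are this example's own, not the agent's.

```javascript
// Added example (not SourceClear's code): parse a Yarn v1 lockfile and build the
// dependency graph by walking the dependencies declared in package.json into it.
// Everything below (package names, ranges, versions, URLs) is constructed sample data.

// Parse yarn.lock (v1 text format) into a Map from "name@range" to
// { version, dependencies: { name: range }, ...other fields }. Several ranges
// (e.g. "lodash@^4.17.10, lodash@^4.17.4:") can share one resolved entry.
function parseYarnLockV1(text) {
  const byKey = new Map();
  let entry = null;
  let inDeps = false;
  for (const raw of text.split('\n')) {
    const line = raw.trimEnd();
    if (!line || line.startsWith('#')) continue; // blank lines and comments
    const indent = line.length - line.trimStart().length;
    const body = line.trim();
    if (indent === 0) {
      // Entry header: comma-separated "name@range" keys, optionally quoted, ending in ':'
      if (!body.endsWith(':')) throw new Error(`unexpected top-level line: ${body}`);
      entry = { version: null, dependencies: {} };
      inDeps = false;
      for (const key of body.slice(0, -1).split(',')) {
        byKey.set(key.trim().replace(/^"|"$/g, ''), entry);
      }
    } else if (indent === 2 && entry) {
      inDeps = body === 'dependencies:' || body === 'optionalDependencies:';
      const m = body.match(/^(\S+)\s+"?([^"]*)"?$/); // e.g. version "4.16.4"
      if (m && !inDeps && m[1] !== 'dependencies') entry[m[1]] = m[2];
    } else if (indent === 4 && inDeps && entry) {
      const m = body.match(/^"?([^"\s]+)"?\s+"?([^"]*)"?$/); // e.g. "@scope/x" "^1.0.0"
      if (m) entry.dependencies[m[1]] = m[2];
    }
  }
  return byKey;
}

// Walk package.json's declared dependencies into the lockfile. scope is 'all', 'prod' or
// 'dev' (mirrors the scope directive above; this function's shape is the example's own).
function buildYarnGraph(pkg, lock, scope = 'all') {
  const declared = {};
  if (scope !== 'dev') Object.assign(declared, pkg.dependencies || {});
  if (scope !== 'prod') Object.assign(declared, pkg.devDependencies || {});

  const nodes = new Map();      // "name@version" -> { name, version, direct, deps: [id] }
  const unresolved = new Set(); // required but absent from yarn.lock (stale lock file)

  function visit(name, range, direct) {
    const entry = lock.get(`${name}@${range}`);
    if (!entry) { unresolved.add(`${name}@${range}`); return null; }
    const id = `${name}@${entry.version}`;
    // Same resolved version reached through another range: keep one node, upgrade to direct
    if (nodes.has(id)) { if (direct) nodes.get(id).direct = true; return id; }
    const node = { name, version: entry.version, direct, deps: [] };
    nodes.set(id, node); // register before recursing so dependency cycles terminate
    for (const [depName, depRange] of Object.entries(entry.dependencies)) {
      const childId = visit(depName, depRange, false);
      if (childId) node.deps.push(childId);
    }
    return id;
  }

  for (const [name, range] of Object.entries(declared)) visit(name, range, true);
  const directs = [...nodes.values()].filter((n) => n.direct).length;
  return { nodes, unresolved: [...unresolved], directs, transitives: nodes.size - directs };
}

// Constructed package.json; mocha is deliberately absent from the lockfile below to
// show how a stale yarn.lock surfaces as an unresolved requirement.
const samplePackageJson = {
  dependencies: { express: '^4.16.0', lodash: '^4.17.10' },
  devDependencies: { minimist: '^1.2.0', mocha: '^5.0.0' },
};

// Constructed, abbreviated yarn.lock (real entries carry resolved and integrity lines).
const sampleYarnLock = `
# yarn lockfile v1

"@scope/helper@^1.0.0":
  version "1.0.2"
  resolved "https://registry.example.test/@scope/helper/-/helper-1.0.2.tgz#constructed"

debug@2.6.9:
  version "2.6.9"

express@^4.16.0:
  version "4.16.4"
  dependencies:
    "@scope/helper" "^1.0.0"
    debug "2.6.9"

lodash@^4.17.10, lodash@^4.17.4:
  version "4.17.11"

minimist@^1.2.0:
  version "1.2.0"
  dependencies:
    lodash "^4.17.4"
`;

const graph = buildYarnGraph(samplePackageJson, parseYarnLockV1(sampleYarnLock));
console.log(`${graph.directs} direct, ${graph.transitives} transitive, unresolved: ${graph.unresolved}`);
// → 3 direct, 2 transitive, unresolved: mocha@^5.0.0
```

Two things worth noticing: a package resolved to one version through two different ranges (lodash here) is a single node that counts as direct if any declared range reaches it, and a declared dependency with no lockfile entry is reported rather than silently dropped, since that is exactly the case where a scan would otherwise miss a library. This parser covers only the v1 text format; Yarn 2+ writes a YAML lockfile and needs a different parser.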
Results from scanning open-source projects
We ran the new collectors against open-source projects on GitHub that use SBT, CocoaPods or Yarn.
| Collector | Projects scanned | Libraries per project (avg) | Direct | Transitive |
|---|---|---|---|---|
| SBT | 426 | 29.47 | 27% | 73% |
| CocoaPods | 130 | 14.42 | 49% | 51% |
| Yarn | 301 | 534.48 | 4% | 96% |
| Collector | Vulnerabilities per project (avg) | Public CVEs | SourceClear Premium Data |
|---|---|---|---|
| SBT | 2.54 | 41% | 59% |
| CocoaPods | 1.04 | 56% | 44% |
| Yarn | 5.13 | 4% | 96% |
From these results we can see that projects pull in many more libraries than they declare because of transitive dependencies; this is most pronounced for Yarn projects, where 96% of the libraries are transitive. Often, these transitive dependencies are the ones that contain vulnerabilities. A large share of the vulnerabilities found (the majority for SBT and Yarn projects) are not in the public CVE database. We detect the transitive dependencies and both public and non-public vulnerabilities, and advise you on which versions of the libraries you use are safe, so that you can update them and avoid shipping known vulnerabilities in your software.
Start scanning SBT, CocoaPods, and Yarn projects today
To learn more about how to scan, check out the SourceClear Command Line Agent doc.
We hope this functionality will give you and your team more visibility into vulnerabilities as you're scanning your projects. As always, we're here to help. Contact us.