Supported Languages and Package Managers

Introduction

Checkmarx SCA uses the following methods to identify the 3rd party packages in your project:

  1. File Analysis – Checkmarx SCA identifies all files in your project that may be part of a 3rd party package, and analyzes them in order to determine which packages are being used. This is done by comparing the hashes and metadata of the relevant files (e.g., .jar files for Java, .js files for JS) in the scanned project with the hashes and metadata of packages that are catalogued in our database.

  2. Dependency Resolution – Checkmarx SCA uses package managers to resolve the dependencies against customer-defined or public repositories and extract the dependency trees.
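The following is an added illustration of the File Analysis method described above, not Checkmarx code: it walks a project tree, fingerprints every file whose extension appears in the File Types column of the table below with SHA-1, and looks the digest up in a package catalogue. The catalogue, the sample files and their package names are constructed for the example; the real Checkmarx database and matching logic are not public.

```python
import hashlib
import os
import tempfile

# File types the page lists as detected by SHA-1 fingerprint (Java, JS, .NET, C/C++).
FINGERPRINTABLE = {".jar", ".js", ".dll", ".cpp", ".c", ".h", ".hpp", ".a", ".o", ".so"}

# Constructed stand-in for the vendor package database: SHA-1 -> (package, version).
SAMPLE_JAR = b"PK\x03\x04 constructed sample bytes, not a real archive"
SAMPLE_JS = b"module.exports = function () { return 'constructed sample'; };\n"
CATALOGUE = {
    hashlib.sha1(SAMPLE_JAR).hexdigest(): ("example-lib", "1.2.3"),
    hashlib.sha1(SAMPLE_JS).hexdigest(): ("example-js", "4.5.6"),
}

def sha1_of_file(path, chunk=1 << 16):
    """SHA-1 fingerprint of a file, read in chunks so large archives are fine."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def file_analysis(root, catalogue=CATALOGUE):
    """Fingerprint supported file types under root and look them up.
    Returns (matched: path -> (package, version), unmatched: path -> sha1)."""
    matched, unmatched = {}, {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in FINGERPRINTABLE:
                continue  # source files such as .py are not fingerprinted
            path = os.path.join(dirpath, name)
            digest = sha1_of_file(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if digest in catalogue:
                matched[rel] = catalogue[digest]
            else:
                unmatched[rel] = digest  # unknown binary: keep its hash for review
    return matched, unmatched

def demo():
    """Build a constructed project tree and run File Analysis over it."""
    samples = {"lib/example-lib-1.2.3.jar": SAMPLE_JAR, "vendor.js": SAMPLE_JS,
               "unknown.dll": b"MZ constructed unknown binary", "app.py": b"print(1)\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        return file_analysis(root)
```

Files of a supported type whose hash is not in the catalogue are reported separately rather than silently dropped, which is what makes a renamed or vendored copy of a library visible to the reviewer.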

Supported Languages and Package Managers

  • File Analysis is done for the supported languages/frameworks listed below, using the corresponding file types specified in the table.

  • Dependency Resolution is done using the supported package managers listed below and the corresponding manifest files specified in the table.

Notice

If you are using Checkmarx SCA Resolver then you need to install the relevant package managers locally. For installation info, see Installing Supported Package Managers for Resolver.

The table below lists, for each ecosystem/platform: Language/Framework, Package Manager, Supported PMs for Exploitable Path, Supported PMs for Supply Chain Security (SCS), Manifest Files (files marked (required) must be present), Repository, and File Types (detected by SHA-1 fingerprint).

Java
  • Language/Framework: Java, Kotlin, Android, Groovy, Struts, Spring
  • Package Manager: Maven, Gradle, Ivy
  • Supported PMs for Exploitable Path: Maven, Gradle, Ivy
  • Supported PMs for SCS: Maven
  • Manifest Files: Maven: pom.xml; Gradle: build.gradle, build.gradle.kts
  • Repository: Central Repository
  • File Types: .jar

Scala
  • Language/Framework: Scala
  • Package Manager: SBT
  • Supported PMs for Exploitable Path: not supported
  • Supported PMs for SCS: not supported
  • Manifest Files: build.sbt

JavaScript
  • Language/Framework: JavaScript, TypeScript, React, Angular, Apex [1]
  • Package Manager: NPM, Yarn (and Yarn 2), Bower
  • Supported PMs for Exploitable Path: NPM, Yarn (and Yarn 2), Bower
  • Supported PMs for SCS: NPM
  • Manifest Files: NPM: package.json (required), package-lock.json; Yarn: package.json (required), yarn.lock (required); Bower: bower.json
  • Repository: NPM
  • File Types: .js

.NET
  • Language/Framework: C#, F#, .NET, .NET Core, WCF, WPF, ASP.NET, C++
  • Package Manager: NuGet
  • Supported PMs for Exploitable Path: not supported
  • Supported PMs for SCS: NuGet
  • Manifest Files: *.csproj, packages.config
  • Repository: NuGet
  • File Types: .dll

Python
  • Language/Framework: Python, Django, Flask
  • Package Manager: PIP, Setup.py, Poetry, Setup.cfg
  • Supported PMs for Exploitable Path: PIP, Setup.py, Poetry, Setup.cfg
  • Supported PMs for SCS: PyPI
  • Manifest Files: PIP: requirements.txt, requirements-*.txt, requirement.txt, requirement-*.txt; Poetry: pyproject.toml (required), poetry.lock
  • Repository: PyPI
  • File Types: none

PHP
  • Language/Framework: PHP, Drupal
  • Package Manager: Composer
  • Supported PMs for Exploitable Path: not supported
  • Supported PMs for SCS: Packagist
  • Manifest Files: composer.json (required), composer.lock
  • Repository: Packagist
  • File Types: none

Swift
  • Language/Framework: Swift, Objective-C
  • Package Manager: SwiftPm, CocoaPods, Carthage
  • Supported PMs for Exploitable Path: not supported
  • Supported PMs for SCS: Swift
  • Manifest Files: Carthage: Cartfile (required), Cartfile.private, Cartfile.resolved (at least one .private or .resolved file must be included); SwiftPm: Package.swift; CocoaPods: Podfile (required), Podfile.lock
  • Repository: GitHub
  • File Types: none

Go
  • Language/Framework: Go
  • Package Manager: GoModules
  • Supported PMs for Exploitable Path: not supported
  • Supported PMs for SCS: Go
  • Manifest Files: go.mod (required), go.sum
  • Repository: Golang
  • File Types: none

Ruby
  • Language/Framework: Ruby
  • Package Manager: RubyGems, Bundler
  • Supported PMs for Exploitable Path: not supported
  • Supported PMs for SCS: RubyGems
  • Manifest Files: Gemfile (required), Gemfile.lock
  • Repository: RubyGems
  • File Types: none

C/C++ [2]
  • Language/Framework: C, C++
  • Package Manager: none
  • Supported PMs for Exploitable Path: not supported
  • Supported PMs for SCS: not supported
  • Manifest Files: none
  • Repository: GitHub, Conan Central
  • File Types: .cpp, .c, .h, .hpp, .a, .o, .so

[1] Apex is only supported when running the scan using Checkmarx SCA Resolver with the --extract-archives resource argument; see Checkmarx SCA Resolver Configuration Arguments.

[2] C++ is supported only for File Analysis (fingerprints), not for package resolution.