Supported Languages and Package Managers
Checkmarx SCA uses the following methods to identify the 3rd party packages in your project:
File Analysis – Checkmarx SCA identifies all files in your project that may be part of a 3rd party package, and analyzes them in order to determine which packages are being used. This is done by comparing the hashes and metadata of the relevant files (e.g., .jar files for Java, .js files for JS) in the scanned project with the hashes and metadata of packages that are catalogued in our database. As part of this process, compressed files of supported types (.jar, .war, .ear, .zip) are extracted so that the files can be analyzed. This is applied recursively up to four levels of depth.
File Analysis is done for the supported languages/frameworks listed below, using the corresponding file types specified in the table.
Dependency Resolution - Checkmarx SCA uses package managers to resolve the dependencies against customer-defined or public repositories and extract the dependency trees.
Dependency Resolution is done using the supported package managers listed below and the corresponding manifest files specified in the table.
Supported Languages and Package Managers
Notice
If you are using Checkmarx SCA Resolver, then you need to install the relevant package managers locally. For installation info, see Installing Supported Package Managers for Resolver.
Java
| JVM Languages: Java, Kotlin, Android, Groovy, Scala Additional Frameworks: Struts, Spring Repository: Maven Central, Sonatype, Apache File Types: .jar | |||
Supported Package Managers | Exploitable Path | Supply Chain Security (SCS) | Manifest Files (Packages marked with | |
Maven |
|
|
| |
Gradle |
|
|
| |
Ivy |
|
| none | |
SBT |
|
|
| |
 | Languages/Frameworks: JavaScript, TypeScript, NodeJS, React, Angular, Apex TipApex is only supported when running the scan using Checkmarx SCA Resolver with the Repository: NPM File Types: .js | ||
Supported Package Managers | Exploitable Path | Supply Chain Security (SCS) | Manifest Files (Packages marked with |
NPM |
|
|
|
Yarn (and Yarn 2) |
|
|
|
Bower |
|
|
|
1] When a lock file is present in the project, SCA relies on the package manager to obtain the dependencies. Therefore, it is important to ensure that your lock file is kept up-to-date with any changes that have been made in the manifest file.
| Languages/Frameworks: C#, F#, .NET, .NET Core, WCF, WPF, ASP.NET, C++ Repository: NuGet File Types: .dll | |||
Supported Package Managers | Exploitable Path | Supply Chain Security (SCS) | Manifest Files (Packages marked with | |
NuGet |
|
|
| |
| Languages/Frameworks: Python, Django, Flask Repository: PyPi File Types: none | |||
Supported Package Managers | Exploitable Path | Supply Chain Security (SCS) | Manifest Files (Packages marked with | |
PIP |
|
|
| |
Setup.py |
|
| ||
Poetry |
|
|
| |
Setup.cfg |
|
| ||
| Languages/Frameworks: PHP, Dupal Repository: Packagist File Types: none | |||
Supported Package Managers | Exploitable Path | Supply Chain Security (SCS) | Manifest Files (Packages marked with | |
Composer |
|
|
| |
| Languages/Frameworks: Swift, Objective c Repository: GitHub File Types: none | |||
Supported Package Managers | Exploitable Path | Supply Chain Security (SCS) | Manifest Files (Packages marked with | |
SwiftPm |
|
|
| |
CocoaPods |
|
|
| |
Carthage |
|
|
TipAt least one | |
| Languages/Frameworks: Go Repository: Golang File Types: none | |||
Supported Package Managers | Exploitable Path | Supply Chain Security (SCS) | Manifest Files (Packages marked with | |
GoModules |
|
|
| |
| Languages/Frameworks: Ruby Repository: RubyGems File Types: none | |||
Supported Package Managers | Exploitable Path | Supply Chain Security (SCS) | Manifest Files (Packages marked with | |
RubyGems |
|
|
| |
Bundler |
|
| ||
| Languages/Frameworks: C, C++ Repository: GitHub, Conan, Central File Types: .cpp, .c, .h, .hpp, .a, .o, .so TipC++ is supported only for File Analysis (fingerprints), not for package resolution. | |||
Supported Package Managers | Exploitable Path | Supply Chain Security (SCS) | Manifest Files (Packages marked with | |
none |
|
| none | |
| Languages/Frameworks: Unity Repository:Unity Technologies, Needle-mirror, Open UPM File Types: none | |||
Supported Package Managers | Exploitable Path | Supply Chain Security (SCS) | Manifest Files (Packages marked with | |
none |
|
| manifest.json | |
Container Scans
Checkmarx SCA is capable of scanning Dockerfiles and container images as long as they are hosted in supported registries and they are used in supported ecosystems.
For more info about container scans, see Container Scans.
Supported Registries
Container scans run via SCA Resolver support scanning of images from any registry for which you can run the docker pull command, e.g., DockerHub, Amazon Elastic Container Registry (ECR), Google Container Registry (GCR), Quay, JFrog Container Registry (JCR) etc.
Supported Ecosystems
Debian (dpkg)
Alpine (apk)
C (conan)
C++ (conan)
Dotnet (deps.json)
Go (go.mod, Go binaries)
Java (jar, ear, war, par, sar, native-image)
JavaScript (npm, yarn)
PHP (composer)
Python (wheel, egg, poetry, requirements.txt)
Red Hat (rpm)
Ruby (gem)dpkg