
Supported Languages and Package Managers

Introduction

Checkmarx SCA uses the following methods to identify the 3rd party packages in your project:

  1. File Analysis – Checkmarx SCA identifies all files in your project that may be part of a 3rd party package, and analyzes them in order to determine which packages are being used. This is done by comparing the hashes and metadata of the relevant files (e.g., .jar files for Java, .js files for JS) in the scanned project with the hashes and metadata of packages that are catalogued in our database.

  2. Dependency Resolution - Checkmarx SCA uses package managers to resolve the dependencies against customer-defined or public repositories and extract the dependency trees.

Supported Languages and Package Managers

  • File Analysis is done for the supported languages/frameworks listed below, using the corresponding file types specified in the table.

  • Dependency Resolution is done using the supported package managers listed below and the corresponding manifest files specified in the table.

Notice

If you are using Checkmarx SCA Resolver, then you need to install the relevant package managers locally. For installation info, see Installing Supported Package Managers for Resolver.

Java


JVM Languages: Java, Kotlin, Android, Groovy, Scala

Additional Frameworks: Struts, Spring

Repository: Maven Central, Sonatype, Apache

File Types: .jar

Supported Package Managers | Exploitable Path | Supply Chain Security (SCS) | Manifest Files (required files are marked)
---------------------------|------------------|-----------------------------|-------------------------------------------
Maven                      | Yes              | Yes                         | pom.xml
Gradle                     | Yes              | No                          | build.gradle, build.gradle.kts
Ivy                        | Yes              | No                          | none
SBT                        | No               | No                          | build.sbt

JavaScript

Languages/Frameworks: JavaScript, TypeScript, React, Angular, Apex

Tip

Apex is only supported when running the scan using Checkmarx SCA Resolver with the --extract-archives resource argument; see Checkmarx SCA Resolver Configuration Arguments.

Repository: NPM

File Types: .js

Supported Package Managers | Exploitable Path | Supply Chain Security (SCS) | Manifest Files (required files are marked)
---------------------------|------------------|-----------------------------|-------------------------------------------
NPM                        | Yes              | Yes                         | package.json (required), package-lock.json
Yarn (and Yarn 2)          | Yes              | Yes                         | package.json (required), yarn.lock (required)
Bower                      | Yes              | Yes                         | bower.json

.NET

Languages/Frameworks: C#, F#, .NET, .NET Core, WCF, WPF, ASP.NET, C++

Repository: NuGet

File Types: .dll

Supported Package Managers | Exploitable Path | Supply Chain Security (SCS) | Manifest Files (required files are marked)
---------------------------|------------------|-----------------------------|-------------------------------------------
NuGet                      | No               | Yes                         | *.csproj, packages.config

Python

Languages/Frameworks: Python, Django, Flask

Repository: PyPi

File Types: none

Supported Package Managers | Exploitable Path | Supply Chain Security (SCS) | Manifest Files (required files are marked)
---------------------------|------------------|-----------------------------|-------------------------------------------
PIP                        | Yes              | Yes                         | requirements.txt, requirements-*.txt, requirement.txt, requirement-*.txt
Setup.py                   | Yes              | Yes                         |
Poetry                     | Yes              | Yes                         | pyproject.toml (required), poetry.lock
Setup.cfg                  | Yes              | Yes                         |

PHP

Languages/Frameworks: PHP, Drupal

Repository: Packagist

File Types: none

Supported Package Managers | Exploitable Path | Supply Chain Security (SCS) | Manifest Files (required files are marked)
---------------------------|------------------|-----------------------------|-------------------------------------------
Composer                   | No               | Yes                         | composer.json (required), composer.lock

Swift and Objective-C

Languages/Frameworks: Swift, Objective-C

Repository: GitHub

File Types: none

Supported Package Managers | Exploitable Path | Supply Chain Security (SCS) | Manifest Files (required files are marked)
---------------------------|------------------|-----------------------------|-------------------------------------------
SwiftPm                    | No               | Yes                         | Package.swift
CocoaPods                  | No               | No                          | Podfile (required), Podfile.lock
Carthage                   | No               | No                          | Cartfile (required), Cartfile.private, Cartfile.resolved

Tip

At least one .private or .resolved file must be included.

Go

Languages/Frameworks: Go

Repository: Golang

File Types: none

Supported Package Managers | Exploitable Path | Supply Chain Security (SCS) | Manifest Files (required files are marked)
---------------------------|------------------|-----------------------------|-------------------------------------------
GoModules                  | No               | Yes                         | go.mod (required), go.sum

Ruby

Languages/Frameworks: Ruby

Repository: RubyGems

File Types: none

Supported Package Managers | Exploitable Path | Supply Chain Security (SCS) | Manifest Files (required files are marked)
---------------------------|------------------|-----------------------------|-------------------------------------------
RubyGems                   | No               | Yes                         | Gemfile (required), Gemfile.lock
Bundler                    | No               | No                          |

C and C++

Languages/Frameworks: C, C++

Repository: GitHub, Conan, Central

File Types: .cpp, .c, .h, .hpp, .a, .o, .so

Tip

C++ is supported only for File Analysis (fingerprints), not for package resolution.

Supported Package Managers | Exploitable Path | Supply Chain Security (SCS) | Manifest Files (required files are marked)
---------------------------|------------------|-----------------------------|-------------------------------------------
none                       | No               | No                          | none