Apr 17, 2017

SourceClear scanning now supports SBT, CocoaPods and Yarn projects

By Hendy Chua

Today we released a new agent that supports scanning SBT, CocoaPods and Yarn projects, adding to the list of build systems and package managers that we already support. To get this feature, users can simply update their agents (e.g. brew upgrade srcclr).

SBT Projects

For an SBT project to be discovered by our agent, it must contain build.sbt. The agent uses our SBT plugin to build the dependency graph of the project.

The plugin uses SBT's dependency resolver to resolve the project's dependencies and their transitive dependencies. Once resolved, it builds a graph with that information, starting with the direct dependencies. The graph is then sent back to the agent to be processed later.

CocoaPods Projects

For a CocoaPods project to be discovered by our agent, it must contain either Podfile or Podfile.lock. If the project contains only Podfile, the agent will attempt to generate the lock file by running pod install. The agent parses the lock file to get a list of the dependencies and their versions and to build the dependency graph.

Yarn Projects

For a Yarn project to be discovered by our agent, it must contain both package.json and yarn.lock. By default, when a project contains package.json, the agent recognizes it as using NPM for its dependency management and will use the NPM dependency collector. To use Yarn as the dependency collector instead, specify it through the --scan-collectors option. For example: srcclr scan /my/project --scan-collectors yarn.

The agent parses yarn.lock to get a list of the dependencies and their versions. By comparing the list with the dependencies declared in package.json, the agent will be able to build the full dependency graph.

Like other package managers and build systems that support scopes, the Yarn collector supports them too. By default, the Yarn collector resolves all dependencies. You can limit dependency resolution by setting the scope to prod for production dependencies, or dev for development dependencies, in the srcclr.yml directives file. More information on the directives file can be found here.
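To make the two steps above concrete (parsing yarn.lock into versions and declared dependencies, then walking from the directs in package.json to recover the transitives, filtered by the prod/dev scope), here is an added example written for this post. It is not the agent's or the Yarn collector's own code; the yarn.lock and package.json inputs are constructed samples, and the lock file is assumed to be in the v1 format shown.

```python
YARN_LOCK = """# yarn lockfile v1
"@babel/runtime@^7.0.0":
  version "7.4.0"
debug@2.6.9:
  version "2.6.9"
express@^4.16.0, express@^4.17.0:
  version "4.17.1"
  dependencies:
    "@babel/runtime" "^7.0.0"
    debug "2.6.9"
mocha@^5.0.0:
  version "5.2.0"
"""
PACKAGE_JSON = {"dependencies": {"express": "^4.16.0"}, "devDependencies": {"mocha": "^5.0.0"}}  # constructed sample, as is YARN_LOCK above

def parse_yarn_lock(text):
    """Map every 'name@range' key of a v1 yarn.lock to its resolved version and declared dependencies."""
    entries, current, in_deps = {}, None, False
    for raw in text.splitlines():
        body, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if not body or body.startswith("#"):
            continue
        if indent == 0 and body.endswith(":"):  # entry header: one or more comma-separated specs
            current, in_deps = {"version": None, "dependencies": {}}, False
            for spec in body[:-1].split(","):
                entries[spec.strip().strip('"')] = current
        elif indent == 2:  # version / resolved / integrity / dependencies:
            in_deps = body == "dependencies:"
            if body.startswith("version "):
                current["version"] = body.split(" ", 1)[1].strip('"')
        elif indent == 4 and in_deps:  # '<name> "<range>"'; the name is quoted when scoped
            name, rng = (part.strip('"') for part in body.rsplit(" ", 1))
            current["dependencies"][name] = rng
    return entries

def build_graph(manifest, lock, scope="all"):
    """Resolve directs from a parsed package.json through the lock; scope prod/dev/all mirrors the srcclr.yml directive."""
    keys = {"prod": ["dependencies"], "dev": ["devDependencies"]}.get(scope, ["dependencies", "devDependencies"])
    declared = {n: r for k in keys for n, r in manifest.get(k, {}).items()}
    resolved, stack = {}, list(declared.items())
    while stack:
        name, rng = stack.pop()
        if name not in resolved:  # first version reached wins; repeated names are collapsed
            entry = lock[f"{name}@{rng}"]  # KeyError here means package.json and yarn.lock are out of sync
            resolved[name] = entry["version"]
            stack.extend(entry["dependencies"].items())
    directs = {n: resolved[n] for n in declared}
    return directs, {n: v for n, v in resolved.items() if n not in declared}
```

With the sample inputs, scope "all" yields two directs (express, mocha) and two transitives (debug, @babel/runtime); scope "dev" yields only mocha with no transitives.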

Results from scanning open-source projects

We ran our new collectors by scanning open-source projects on Github that use either SBT, CocoaPods, or Yarn.

Build system   Projects scanned   Libraries/project   Directs   Transitives
SBT            426                29.47               27%       73%
CocoaPods      130                14.42               49%       51%
Yarn           301                534.48              4%        96%

Build system   Vulnerabilities/project   Public CVEs   SourceClear Premium Data
SBT            2.54                      41%           59%
CocoaPods      1.04                      56%           44%
Yarn           5.13                      4%            96%

From these results we can see that most projects end up pulling in more dependencies than they declared, because of transitive dependencies. Often, these transitive dependencies are the ones that contain vulnerabilities. Most of the vulnerabilities are also not available in the CVE database. We are able to detect the transitives and both public and non-public vulnerabilities, and to advise you on which versions of the libraries you are using are safe, so that you can update them and avoid including vulnerabilities in your software.

Start scanning SBT, CocoaPods, and Yarn projects today

To learn more about how to scan, check out the SourceClear Command Line Agent doc.

We hope this functionality will give you and your team more visibility into vulnerabilities as you're scanning your projects. As always, we're here to help. Contact us.

Hendy is part of the CA Veracode SCA team, building software that scans and analyses the software composition of projects.