Scala - SBT

OpenText Core SCA now supports tracking Scala dependencies through the following methods:

• SBT, by utilizing pom.xml files

• file fingerprinting, to find dependencies not specified in manifest files

SBT

OpenText Core SCA does not directly support scanning build.sbt files. However, SBT provides commands to generate a corresponding pom.xml file. This pom.xml file can be used to create a lock file, which allows OpenText Core SCA to analyze the complete list of direct and indirect dependencies along with their relationships.

You can do this using the High-Performance Scans technology available in OpenText Core SCA CLI. By running the resolve command, the CLI will automatically detect any build.sbt files and use them to generate the needed maven dependency files. This is also run by default within the scan command.

You can manually create the recommended file(s) by running the following commands and saving the output into a maven.debricked.lock file.

// sbt makePomSome code
mv target/scala-*/*.pom pom.xml
mvn dependency:tree -DoutputFile=maven.debricked.lock -DoutputType=tgf

File fingerprinting

OpenText Core SCA offers the capability to scan for Scala dependencies that are not specified in manifest files through file fingerprinting. The OpenText Core SCA database includes the hashes of .jar and .war files, along with their unpacked contents, for all packages in the largest Maven repository. This information is used to compare with the contents of your application, ensuring the most accurate matches possible.

For more information on file fingerprinting and how to set it up, see file fingerprinting.

Supported file formats and features