
High performance scans

Last updated 2 months ago


High Performance Scans are currently available for Maven (pom.xml), Gradle (build.gradle), Go modules (go.mod), Pip (requirements.txt), NuGet (.csproj and packages.config), Yarn (package.json), and Composer (composer.json).

Some package managers do not have native support for maintaining lock files with complete information on dependency versions and relations. In order to guarantee fast and accurate scans for these package managers, it is necessary to first generate this information into a file before sending it to Debricked for scanning. Doing this also ensures that private dependencies are included in the scans and eliminates the need to send source code for a complete scan, since all information will be included in the generated file.

At Debricked, the High Performance Scans solution makes this process as simple as possible. This technology enables you to accurately and quickly resolve full dependency trees for repositories that don't have a lock file present. By using the lock file resolution technology to generate the needed files before sending them to the Debricked tool, all the drawbacks that come with trying to generate the files on our end are removed.

With High Performance Scans, you can generate Debricked lock files on your end, without us having to handle any of your source code. This approach improves the performance of the scans, especially when built into an existing pipeline that already builds the project. It also enables us to parse more accurate dependency results and obtain the relations of private dependencies without accessing anything other than the dependency files to scan your repository. Furthermore, it allows us to handle files of much bigger size.

High Performance Scanning is highly customizable, allowing you to set it up to run in conjunction with a scan or in any other part of your pipeline.

Generate Debricked lock(tree) files using high performance scans

The High Performance Scans technology is available through the Debricked CLI by using the resolve command. This command analyses your project to find eligible manifest files that do not have related lock files and uses them to generate the appropriate Debricked lock files. When conducting a scan using the scan command, the feature is enabled by default; it can be disabled with the --no-resolve flag. Additionally, this technology is available through the CI templates, which have been reworked around the new command to be as simple as possible. It is built with customizability in mind, to suit many different use cases. You might, for example, want to generate the lock files using the resolve command in a build step of your pipeline, separate from the scan step, since this saves the time of building the project twice. When doing this, it is important to ensure that the files produced by the resolve command are included in the stage where the scan is run.

Speed up Debricked lock file resolution

The best approach for speeding up the generation of Debricked lock files is to make sure that the dependencies used for building the project are cached on the system that Debricked CLI operates on. By doing so, Debricked CLI can use these locally installed dependencies instead of downloading them from the registries, which is time-consuming. Package managers cache their dependencies differently, so if you set up dependency caching for your package manager, Debricked CLI will use that cache out of the box and the Debricked lock file resolution becomes snappier as a result.

Example:

Maven is a commonly used build automation tool (and package manager) in the Java world. When Maven downloads dependencies for a project, they are by default cached in the directory ~/.m2/repository. If Debricked CLI is used to resolve a Maven project on this system, the ~/.m2/repository directory is checked first, and any dependency that is already downloaded is reused instead of being downloaded again.
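The pipeline layout described in the two sections above, as an added example that is not Debricked's own code: the resolve command runs in the build stage while the package manager cache (such as ~/.m2/repository) is warm, and the scan stage first checks that every supported manifest has a lock file beside it before scanning with --no-resolve. It assumes the debricked CLI is on PATH, a Maven build command, and that resolve writes a <manager>.debricked.lock file next to each manifest (verify this against your CLI version).

```shell
#!/bin/sh
# Added example (not Debricked's own code): resolve in the build stage, scan
# with --no-resolve in a separate stage, and guard the scan stage so it fails
# early when the resolve output did not make it across. Assumptions: the
# debricked CLI is on PATH, and resolve writes a <manager>.debricked.lock file
# beside each manifest (check your CLI version's actual output names).
set -eu

# Print each manifest supported by High Performance Scans (the list on this page)
# that has neither a generated *.debricked.lock nor a native lock (yarn.lock,
# composer.lock) beside it. Returns 0 when everything is resolved, 1 otherwise.
unresolved_manifests() {
  root=$1
  found=0
  list=$(mktemp)
  find "$root" -type f \( -name pom.xml -o -name build.gradle -o -name go.mod \
      -o -name requirements.txt -o -name '*.csproj' -o -name packages.config \
      -o -name package.json -o -name composer.json \) | sort > "$list"
  while IFS= read -r manifest; do
    dir=$(dirname "$manifest")
    if ls "$dir"/*.debricked.lock >/dev/null 2>&1 \
       || [ -f "$dir/yarn.lock" ] || [ -f "$dir/composer.lock" ]; then
      continue
    fi
    printf '%s\n' "$manifest"
    found=1
  done < "$list"
  rm -f "$list"
  [ "$found" -eq 0 ]
}

# Build stage: build as usual, then resolve while the package manager cache
# (e.g. ~/.m2/repository for Maven) is warm so nothing is downloaded twice.
# Publish the produced *.debricked.lock files as an artifact of this stage.
build_stage() {
  mvn -q -DskipTests package      # replace with your project's build command
  debricked resolve "$1"
}

# Scan stage: refuse to scan if any manifest is still unresolved, then scan
# without re-resolving. Other scan flags (repository, commit, token) omitted.
scan_stage() {
  if ! unresolved_manifests "$1"; then
    echo "resolve output missing for the manifests above; check stage artifacts" >&2
    return 1
  fi
  debricked scan "$1" --no-resolve
}
```

Call build_stage . from the build job and scan_stage . from the scan job, with the lock files passed between them as a pipeline artifact.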

Error handling

The resolution feature uses the package managers themselves to create Debricked lock files, which works smoothly for simpler projects. For more complex projects, there might be certain project requirements that the Debricked CLI cannot interpret.

To account for that, the resolution feature is built to be as transparent as possible, showing you what went wrong in order to help you solve the issue. One example of such an error is a project that depends on privately hosted dependencies: if Debricked CLI cannot resolve these private dependencies, the error returned by the package manager is displayed to you.
