OpenText Core SCA currently supports the tracking of C# dependencies through:

• NuGet, using .csproj, packages.lock.json and packages.config files

• file fingerprinting, to find dependencies not defined in manifest-files

• Paket, using paket.lock file

If there is a modern NuGet project where dependencies are defined in .csproj files, OpenText Core SCA recommends using the packages.lock.json file. This file allows OpenText Core SCA to analyze the dependency tree and suggest root fixes. By default, NuGet does not generate this file, but you can create it using the technology with the OpenText Core SCA CLI or by enabling and then committing the generated file. When you run the resolve command, the OpenText Core SCA CLI automatically detects all manifest files that lack the recommended lock files and generates them as needed.

In older NuGet projects, dependencies are typically stored in a packages.config ile. OpenText Core SCA recommends that users generate the necessary lock file for dependency management and root fixes using High Performance Scans with the Debricked CLI. The command debricked resolve will create a packages.lock.json style file by first translating the packages.config into a .csproj file using NuGet. From there, the lock file is generated. Once the process is complete, the .csproj file is deleted, leaving only the newly created lock file. To avoid potential conflicts with NuGet, the specially created NuGet lock file is named as packages.config.nuget.debricked.lock.

By default, in all integrations except the GitHub app, the Debricked scan command will automatically try to generate the necessary lock files before sending your dependency files for scanning.

OpenText Core SCA also supports sending only .csproj or packages.config files for scanning, but the packages.lock.json or packages.config.nuget.debricked.lock file is preferred, as it provides the most accurate tracking of dependency versions and trees, enabling root fixes.

for NuGet utilize native commands when resolving and include all dependencies defined with NuGet, including those managed through .

If at least one of the supported files is committed to your repository, it will be automatically scanned for dependencies when you have done any of our integrations to your CI/CD pipeline.

File fingerprinting

OpenText Core SCA supports scanning for C# dependencies not defined in manifest files through file fingerprinting. OpenText Core SCA database contains the hashes of .nupkg files as well as their unpacked contents (including .dll files) for all packages in the NuGet gallery. This is used when comparing with the contents of your application, to ensure as accurate matches as possible. For more information on file fingerprinting and how to set it up, see .

Supported file formats and features

*This is a native lock file format. Native lock file formats are the fastest formats to scan.

**When building the knowledge base, the files are downloaded, unpacked and fingerprints are created for all file contents, except for certain excluded patterns. The fingerprints are created for the contents of each file. For example, Debricked matches .dll files for C# and .class files within .jar files for Java, along with similar files from other programming languages.

The support for this language is currently in beta. Vulnerability results may be less accurate than normal.

OpenText Core SCA now tracks Rust dependencies through Cargo, using its associated Cargo.lock files. This file is generated whenever one of the following commands is executed:

cargo build

cargo update

If the file is committed to the repository, it will be automatically scanned for dependencies when integrated with OpenText Core SCA CI/CD pipeline.

Supported file formats and features

*This is a native lock file format. Native lock file formats are the fastest formats to scan.

Apart from the various programming package management systems, OpenText Core SCA also supports package managers for various Linux distributions, allowing you to find and monitor potential vulnerabilities of your server or Docker container.

To start tracking your server or Docker vulnerabilities, you should first execute your package manager(s) list command and redirect the output to a text file:

• For Debian, Ubuntu and most derivatives, execute the following command:

apt list --installed > apt.list

• For Alpine Linux which is widely used by Docker containers, execute the following command:

apk list --installed > apk.list

To scan them for dependencies, the output file(s) should be either committed to the repository or manually uploaded.

OpenText Core SCA now supports tracking Scala dependencies through the following methods:

• SBT, by utilizing pom.xml files

• file fingerprinting, to find dependencies not specified in manifest files

SBT

OpenText Core SCA does not directly support scanning build.sbt files. However, SBT provides commands to generate a corresponding pom.xml file. This pom.xml file can be used to create a lock file, which allows OpenText Core SCA to analyze the complete list of direct and indirect dependencies along with their relationships.

You can do this using the High-Performance Scans technology available in . By running the resolve command, the CLI will automatically detect any build.sbt files and use them to generate the needed maven dependency files. This is also run by default within the scan command.

You can manually create the recommended file(s) by running the following commands and saving the output into a maven.debricked.lock file.

File fingerprinting

OpenText Core SCA offers the capability to scan for Scala dependencies that are not specified in manifest files through file fingerprinting. The OpenText Core SCA database includes the hashes of .jar and .war files, along with their unpacked contents, for all packages in the largest Maven repository. This information is used to compare with the contents of your application, ensuring the most accurate matches possible.

For more information on file fingerprinting and how to set it up, see .

Supported file formats and features

OpenText Core SCA supports tracking Go dependencies through:

• Go Modules, using go.mod files

• Go Dep, using gopkg.lok files

• Bazel, using WORKSPACE files

Go Modules

OpenText Core SCA supports tracking Go dependencies using the Go Modules dependency management system and its associated go.mod file. To achieve the fastest and most accurate results, it is necessary to create a file containing the resolved dependency tree, .gomod.debricked.lock, before scanning.

This can be done using the technology in . If you execute the resolve command, the CLI automatically identifies all manifest files that lack the recommended go.lock files and generates them as needed.

You can manually generate the recommended file(s) by running go mod graph followed by go list -m all, and storing the outputs separated by two new lines between the sections in the gomod.debricked.lock file.

Every gomod.debricked.lock must be put in the same directory as the corresponding go.mod.

OpenText Core SCA recommends running go mod tidy to clean up unused modules before pushing the go.mod files, ensuring more accurate service results.

Bazel

OpenText Core SCA supports Go projects that utilize Bazel, scanning the WORKSPACE file format alongside any Go file formats in use. Although Bazel does not have native support for Go, support can be added using .

Go Dep

Go Dep and its associated file Gopkg.lock is deprecated and will not get any improvements present in other formats, such as Go Modules.

Supported file formats and features

*This is a native lock file format. Native lock file formats are the fastest formats to scan.

OpenText Core SCA now tracks Objective-C dependencies through CocoaPods using Podfile.lock files. If this file is committed to the repository, it will be automatically scanned for dependencies when integrated with OpenText Core SCA CI/CD pipeline.

Supported file formats and features

OpenText Core SCA now tracks Python dependencies through:

• Pip (using the older requirements.txt files)

• Pipenv (using the newer Pipfile.lock files)

• , to find dependencies not defined in manifest-files

OpenText Core SCA currently tracks PHP dependencies installed through Composer dependency manager, using either the composer.json or composer.lock files.

OpenText Core SCA recommends including the composer.lock file, as it contains resolved versions of both direct and indirect dependencies, leading to more accurate scan results.

The composer.lock file is generated whenever one of the following commands is executed:

If at least one of the supported files is committed to the repository, it will be automatically scanned for dependencies when integrated with OpenText Core SCA CI/CD pipeline.

OpenText Core SCA now tracks Swift dependencies through CocoaPods using Podfile.lock files.

If the file is committed to the repository, it will be automatically scanned for dependencies when integrated with OpenText Core SCA CI/CD pipeline.

Supported file formats and features

OpenText Core SCA currently supports tracking Java or Kotlin dependencies using:

• Gradle (using build.gradle and build.gradle.kts files)

• Maven (using pom.xml files)

• Bazel (using WORKSPACE and install.json

OpenText Core SCA supports tracking dependencies in using files in JSON and XML formats.

To ensure that OpenText Core SCA identifes the SBOM files as CycloneDX SBOMs, please name them using one of the following conventions:

• .bom..json

• .*cdx.json

OpenText Core SCA now tracks Ruby dependencies through RubyGems, using its associated Gemfile.lock files. If at least one of the supported files is committed to the repository, it will be automatically scanned for dependencies when integrated with OpenText Core SCA CI/CD pipeline.

Supported file formats and features

*This is a native lock file format. Native lock file formats are the fastest formats to scan.

OpenText Core SCA now tracks JavaScript and TypeScript dependencies through:

• NPM (using package.json and package-lock.json files)

• Yarn (using package.json and yarn.lock files)

OpenText Core SCA now supports a broad array of programming languages and package managers, allowing you to scan your code in your native language. Here is the complete list of languages and their level of support:

Supported file formats and features

Following is the complete list of supporting languages, including root dependencies, indirect dependencies, security scanning, and license scanning.

*This is a native lock file format. Native lock file formats are the fastest formats to scan.

**When constructing our knowledge base, OpenText Core SCA downloads files, extracts their contents, and creates fingerprints for all file content, except for a few excluded patterns. After that, fingerprints are generated for all the content within each file. For example, OpenText Core SCA specifically matches .dll files used in C# applications and .class files found within .jar files.