Component Detection
For bugs, issues, and support please create an issue.
Introduction
ComponentDetection is a package scanning tool intended to be used at build time. CD produces a graph-based output of all detected components and supports a variety of open source package ecosystems.
Table of Contents
- Feature Overview
- My favorite language/ecosystem isn't supported!
- Building and running Component Detection
- A detector is marked as DefaultOff/Experimental. What does that mean?
- Telemetry
Feature Overview
Ecosystem | Scanning | Graph Creation |
---|---|---|
CocoaPods | ✔ | ✔ |
Linux (Debian, Alpine, Rhel, Centos, Fedora, Ubuntu) | ✔ (via syft) | ❌ |
Gradle (lockfiles only) | ✔ | ❌ |
Go | ✔ | ❌ |
Maven | ✔ | ✔ |
NPM (including Yarn, Pnpm) | ✔ | ✔ |
NuGet | ✔ | ✔ |
Pip (Python) | ✔ | ✔ |
Poetry (Python, lockfiles only) | ✔ | ❌ |
Ruby | ✔ | ✔ |
Rust | ✔ | ✔ |
For a complete feature overview refer to feature-overview.md
My favorite language/ecosystem isn't supported!
Component Detection is built with extensibility in mind! Please see our CONTRIBUTING.md to get started where you can find additional docs on adding your own detector.
Building and running Component Detection
.NET Core 3.1 is currently in use; you can install it from https://dotnet.microsoft.com/download/dotnet/3.1
The commands below mirror what we do to set up our CI environments:
From the base folder:
dotnet build
Running in Visual Studio (2019+)
- Open ComponentDetection.sln in Visual Studio
- Set the Loader project as the startup project (right-click -> Set as Startup Project)
- Set Run arguments for the Loader project (right-click -> Properties -> Debug)
Minimum: scan --SourceDirectory <Repo to scan>
- Now, any time you make a change, you can press F5. This will build the changes and start the process in debug mode (hitting any breakpoints you set)
Using Codespaces
If you have access to GitHub Codespaces, select the Code button from the repository homepage then select Open with Codespaces. That's it! You have a full developer environment that supports debugging, testing, auto complete, jump to definition, everything you would expect.
Using VS Code DevContainer
This is similar to Codespaces:
- Make sure you meet the requirements and follow the installation steps for DevContainers in VS Code
- git clone https://github.com/microsoft/component-detection
- Open this repo in VS Code
- A notification should pop up to reopen the workspace in the container. If it doesn't, open the Command Palette and type Remote-Containers: Reopen in Container.
Running from command line
The most basic run:
dotnet run --project src/Microsoft.ComponentDetection scan --SourceDirectory .\
You can add --no-restore or --no-build if you don't want to rebuild before the run.
You can add --Debug to get the application to wait for debugger attachment to complete.
After building
Additional arguments for detection can be found in detector arguments
A detector is marked as DefaultOff/Experimental. What does that mean?
Detectors have 3 levels of "stability":
- DefaultOff
- Experimental
- Stable
DefaultOff detectors need to be explicitly enabled to run and produce a final graph output. Experimental detectors run by default but will not produce a final graph output. Stable detectors run and produce a final graph output by default. Here is how you can enable default off/experimental detectors.
Telemetry
By default, telemetry will output to your output file path and will be a JSON blob. No data is submitted to Microsoft.
Code of Conduct
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
Trademarks
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.