Scans your project to determine what components you use
Перейти к файлу
Jamie Magee 644512a17f
refactor: fix SA1208 (#218)
2022-08-24 11:42:33 -07:00
.devcontainer Fix Rust component detector to support "x.y.z" version specifiers in Cargo.toml (#43) 2022-01-25 09:39:34 -08:00
.github Bump github/codeql-action from 1 to 2 (#110) 2022-04-27 09:23:11 -07:00
.vscode Allow opt-in go cli scanning (#12) 2021-12-17 12:19:02 -05:00
docs docs: how to update syft (#194) 2022-08-16 08:28:22 -07:00
src refactor: fix SA1208 (#218) 2022-08-24 11:42:33 -07:00
test refactor: fix SA1208 (#218) 2022-08-24 11:42:33 -07:00
.editorconfig refactor: fix SA1208 (#218) 2022-08-24 11:42:33 -07:00
.gitattributes Initial commit 2021-11-19 06:07:50 -08:00
.gitignore Initial commit 2021-11-19 06:07:50 -08:00
CODE_OF_CONDUCT.md Initial commit 2021-11-19 06:07:50 -08:00
CONTRIBUTING.md Initial commit 2021-11-19 06:07:50 -08:00
ComponentDetection.sln Initial commit 2021-11-19 06:07:50 -08:00
Directory.Build.props refactor: enable `TreatWarningsAsErrors` (#203) 2022-08-16 11:46:52 -07:00
Directory.Build.targets Initial commit 2021-11-19 06:07:50 -08:00
Directory.Packages.props fix: rollback dotnet.glob from 2.1.4 to 2.1.1 (#200) 2022-08-16 09:18:50 -07:00
LICENSE.txt Initial commit 2021-11-19 06:07:50 -08:00
README.md Add poetry detector (#23) 2021-12-15 14:46:29 +00:00
SECURITY.md Initial commit 2021-11-19 06:07:50 -08:00
global.json Target .NET Core 3.1 (#19) 2021-12-09 15:43:13 -08:00
renovate.json chore: add basic renovate configuration (#136) 2022-06-29 12:53:30 -07:00

README.md

Component Detection

Component Detection CI

For bugs, issues, and support please create an issue.

Introduction

ComponentDetection is a package scanning tool intended to be used at build time. CD produces a graph-based output of all detected components and supports a variety of open source package ecosystems.

Table of Contents

Feature Overview

Ecosystem Scanning Graph Creation
CocoaPods
Linux (Debian, Alpine, Rhel, Centos, Fedora, Ubuntu) ✔ (via syft)
Gradle (lockfiles only)
Go
Maven
NPM (including Yarn, Pnpm)
NuGet
Pip (Python)
Poetry (Python, lockfiles only)
Ruby
Rust

For a complete feature overview refer to feature-overview.md

My favorite language/ecosystem isn't supported!

Component Detection is built with extensibility in mind! Please see our CONTRIBUTING.md to get started where you can find additional docs on adding your own detector.

Building and running Component Detection

.NET Core 3.1 is currently in use, you can install it from https://dotnet.microsoft.com/download/dotnet/3.1

The below commands mirror what we do to setup our CI environments:

From the base folder: dotnet build

Running in Visual Studio (2019+)

  1. open ComponentDetection.sln in Visual Studio
  2. Set the Loader project as the startup project (rightclick-> Set as Startup Project)
  3. Set Run arguments for the Loader project (rightclick->properties->Debug)
    Minimum: scan --SourceDirectory <Repo to scan>
  4. Now, any time you make a change, you can press F5. This will build the changes, and start the process in debug mode (hitting any breakpoints you set)

Using Codespaces

If you have access to GitHub Codespaces, select the Code button from the repository homepage then select Open with Codespaces. That's it! You have a full developer environment that supports debugging, testing, auto complete, jump to definition, everything you would expect.

Using VS Code DevContainer

This is similar to Codespaces:

  1. Make sure you meet the requirements and follow the installation steps for DevContainers in VS Code
  2. git clone https://github.com/microsoft/component-detection
  3. Open this repo in VS Code
  4. A notification should popup to reopen the workspace in the container. If it doesn't, open the Command Palette and type Remote-Containers: Reopen in Container.

Running from command line

The most basic run:

dotnet run --project src/Microsoft.ComponentDetection scan --SourceDirectory .\ 

You can add --no-restore or --no-build if you don't want to rebuild before the run

You can add --Debug to get the application to wait for debugger attachment to complete.

After building

Additional arguments for detection can be found in detector arguments

A detector is marked as DefaultOff/Experimental. What does that mean?

Detectors have 3 levels of "stability":

  • DefaultOff
  • Experimental
  • Stable

DefaultOff detectors need to be explicitly enabled to run and produce a final graph output. Experimental detectors run by default but will not produce a final graph output. Stable detectors run and produce a final graph output by default. Here is how you can enable default off/experimental detectors.

Telemetry

By default, telemetry will output to your output file path and will be a JSON blob. No data is submitted to Microsoft.

Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.