# Using Licensight Scan

With Licensight Scan you start integrating your source code with the Licensight platform. It is a CLI (command line interface) that is provided for all major operating systems. The CLI runs in your environment or build system; the scanned source code does not leave your environment. Licensight Scan identifies the open source components in use based on the dependency management manifests it finds and sends this list (the name and version of each component) to our central service.
## Licensight Scan parameters

| Parameter | Description |
|---|---|
| `-?`, `-h` | Prints the help message. |
| `-d` | The root folder of the project directory for which the SBOM file will be generated. |
| `-a` | Name of the application in which this project is located in the Licensight platform. |
| `-e` | The Licensight platform endpoint (or tenant) to which this project's scan result will be uploaded. |
| `-at` | Your personal access token. |
| `-r` | Name of the repository which will be created in the Licensight platform. |
| `-b` | The branch of the source code from which the scan is running. |
| `-t` | The tag of the source code from which the scan is running. |
| `-v` | Display this amount of detail in the logging output (e.g., `-v Debug`). |
| `-dpr` | If this flag is set, Licensight Scan will annotate the Gitlab Pull Request with details of the policy violations and vulnerabilities. Please refer to Enabling Gitlab Pull Request Decoration for more details. |
| `-gat` | (Deprecated) The Gitlab access token used to decorate the Gitlab Pull Request when the flag `-dpr` is enabled. Please refer to Enabling Gitlab Pull Request Decoration for more details. |
| `-btb` | If this flag is set, Licensight Scan will return a non-zero exit code if the feature branch introduces any new policy violations. This flag can be used to prevent merging packages with violations into the default branch. |
| `-del` | Filters out specific directories matching a minimatch pattern (e.g., `-del "**/service-identify/**;**/service-security/**"`). |
## Run the scan

Execute the following command to conduct a scan.

```shell
./licensight-scan generate \
  -d '<path_to_project_directory>' \
  -a '<name_of_the_application>' \
  -e <your_licensight_url_or_tenant> \
  -at <your_personal_access_token>
```

Sample:

```shell
./licensight-scan generate -d . -a my-app -e https://my-tenant.licensight.com -at token
```

Note: You can also configure the endpoint as `-e my-tenant` instead of using the full URL.
## Supported Languages

Licensight Scan uses the following sources to identify components:
| File | Programming Language |
|---|---|
| pom.xml, ivy.xml, .jar, .war, .ear, JDK/JRE folders | Java |
| requirements.txt, poetry.lock, conda-lock.yml, uv.lock | Python |
| package-lock.json (version 3), pnpm-lock.yaml (up to version 9), yarn.lock (up to version 3) | Javascript / Typescript / Node.js |
| project.assets.json, *.nuspec, *.nupkg, packages.config, nuget.config | C# / .net |
| go.mod, go.sum | Go |
| gemfile.lock | Ruby |
| cargo.lock (v1,v2,v3) | Rust (Cargo) |
| podfile.lock | Swift / Object-C (CocoaPods) |
| vcpkg.spdx.json | C / C++ |
### Java
Licensight Scan supports detection of Java dependencies through both Maven project files and post-build archive files (.jar, .war, .ear).
#### For Apache Maven projects

- Maven CLI must be installed and available in the current PATH (`mvn` must be runnable).
- Maven Dependency Plugin must be present (installed with Maven).
- One or more `pom.xml` files must be present in the scanned directory.
- The analysis is conducted by executing `mvn dependency:tree -f {pom.xml}` for each `pom.xml` file. The result is parsed.
- If the `pom.xml` refers to private repositories, ensure Maven can access them. You can pass a configuration file to Maven using the environment variable `MAVEN_ARGS` (e.g., `-s settings.xml`).
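As an added example (not Licensight Scan's own code), the following Python snippet shows how the text printed by `mvn dependency:tree` can be turned into the component name and version list described above; the tree output is a constructed sample for a hypothetical project.

```python
import re

# Constructed sample of `mvn dependency:tree` output for a hypothetical project
# (not a real build log). The first coordinate line is the project itself.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.0:tree (default-cli) @ demo-app ---
[INFO] org.example:demo-app:jar:1.0.0
[INFO] +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.15.2:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.15.2:compile
[INFO] +- org.lwjgl:lwjgl:jar:natives-linux:3.3.1:runtime
[INFO] \\- junit:junit:jar:4.13.2:test
[INFO]    \\- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] BUILD SUCCESS
"""

def parse_dependency_tree(output):
    """Return unique (groupId:artifactId, version, scope) tuples from mvn dependency:tree output.

    Coordinates are groupId:artifactId:type[:classifier]:version:scope, so a
    dependency has 5 or 6 colon-separated fields; version and scope are the last two.
    """
    found = []
    seen = set()
    for line in output.splitlines():
        if not line.startswith("[INFO] "):
            continue
        body = line[len("[INFO] "):]
        coord = body.lstrip("|+\\- ")            # strip the tree-drawing prefix
        depth = (len(body) - len(coord)) // 3    # each tree level is 3 characters wide
        coord = coord.split(" ")[0]              # drop annotations such as "(optional)"
        parts = coord.split(":")
        if depth == 0 or len(parts) not in (5, 6):
            continue  # root project line, plugin banner, or other log noise
        group, artifact, version, scope = parts[0], parts[1], parts[-2], parts[-1]
        key = (f"{group}:{artifact}", version, scope)
        if key not in seen:
            seen.add(key)
            found.append(key)
    return found
```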
#### For Apache Ivy + Ant projects

- Apache Ant must be installed and available in the current PATH (`ant` must be runnable).
- `ivy.xml` and `ivysettings.xml` must be self-contained, which means they must not rely on any properties defined in the project's `build.xml` or use any file inclusion mechanism.
#### For .jar, .war, .ear archive files (post-build artifacts)

- Licensight Scan unzips the archive and identifies dependencies based on metadata files such as:
  - `pom.properties`
  - `pom.xml`
  - `MANIFEST.MF`
  - Archive file name
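The following Python snippet is an added illustration (not Licensight Scan's implementation) of how an archive can be identified from the metadata sources listed above, in order of reliability: `pom.properties`, then `Implementation-*` entries in `MANIFEST.MF`, then the `<artifactId>-<version>` file name pattern. The jars it inspects are constructed in memory, not real artifacts.

```python
import io
import re
import zipfile

# Constructed sample jars (not real artifacts) written the way Maven packaging
# does: META-INF/maven/<groupId>/<artifactId>/pom.properties plus MANIFEST.MF.
def build_sample_jar(pom_props=True, manifest_impl=False):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = "Manifest-Version: 1.0\n"
        if manifest_impl:
            manifest += "Implementation-Title: demo-lib\nImplementation-Version: 1.4.2\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if pom_props:
            zf.writestr(
                "META-INF/maven/org.example/demo-lib/pom.properties",
                "#Generated by Maven\ngroupId=org.example\nartifactId=demo-lib\nversion=1.4.2\n",
            )
    return buf.getvalue()

def parse_kv(text):
    """Parse 'key=value' (properties) or 'Key: value' (manifest) lines, skipping comments."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and re.search(r"[=:]", line):
            key, value = re.split(r"\s*[=:]\s*", line, maxsplit=1)
            out[key.strip()] = value.strip()
    return out

# Maven names archives "<artifactId>-<version>.<ext>"; the version starts with a digit.
NAME_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.(?:jar|war|ear)$")

def identify_archive(filename, data):
    """Return (component, version) from pom.properties, else MANIFEST.MF, else the file name."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for entry in names:
            if entry.startswith("META-INF/maven/") and entry.endswith("/pom.properties"):
                props = parse_kv(zf.read(entry).decode("utf-8"))
                if all(k in props for k in ("groupId", "artifactId", "version")):
                    return f"{props['groupId']}:{props['artifactId']}", props["version"]
        if "META-INF/MANIFEST.MF" in names:
            mf = parse_kv(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
            if "Implementation-Title" in mf and "Implementation-Version" in mf:
                return mf["Implementation-Title"], mf["Implementation-Version"]
    match = NAME_RE.match(filename)
    if match:
        return match.group("artifact"), match.group("version")
    return None  # no metadata and no recognisable file name
```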
#### For JDK, JRE directories

- The tool scans the specified directories to detect `JDK` and `JRE` installations by checking for marker files such as `release` and `jdb` to determine version and vendor information.
### Python

Licensight Scan can identify dependencies that are managed using pip or poetry.

To scan dependencies with pip, the following preconditions must be fulfilled:
- Python 2 or Python 3
- Internet connection
- One or more setup.py or requirements.txt files in the scanned directory.
- Minimum Pip version 22.2.0
For other package managers, lock files must be available in the scanned directory:
- poetry.lock
- conda-lock.yml
- uv.lock
### Javascript / Typescript

To scan JavaScript or TypeScript projects, either npm or pnpm can be used. The npm detection relies on the package-lock.json (version 3) file, while the pnpm detection relies on pnpm-lock.yaml (up to version 6). Dependencies managed with yarn are looked up in the yarn.lock file.
### .NET

To identify components managed with NuGet, we parse any of the following files found in the scanned directory: `.nuspec`, `.nupkg`, `packages.config`, `project.assets.json`. The NuGet global cache is also taken into account, which might lead to over-reporting.
### Go

To detect Go dependencies, a Go binary v1.17+ is required. Dependencies are detected by running the command `go list -mod=readonly -m -json all` and parsing its output.
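As an added example (not the scanner's own code), this Python snippet parses the kind of output `go list -mod=readonly -m -json all` produces: a stream of JSON objects with no enclosing array, which `json.loads` rejects. It skips the main module, honours `replace` directives (the replacement is what actually gets built) and drops modules replaced by a local directory, which carry no published version. The module listing is a constructed sample, not a real project.

```python
import json

# Constructed sample of `go list -mod=readonly -m -json all` output (hypothetical
# modules): one JSON object per module, concatenated with no enclosing array.
SAMPLE_GO_LIST = """
{"Path": "example.com/demo", "Main": true, "Dir": "/src/demo", "GoVersion": "1.21"}
{"Path": "golang.org/x/text", "Version": "v0.14.0", "Indirect": true}
{"Path": "github.com/old/lib", "Version": "v1.2.0",
 "Replace": {"Path": "github.com/fork/lib", "Version": "v1.2.1"}}
{"Path": "example.com/local", "Version": "v0.0.0-00010101000000-000000000000",
 "Replace": {"Path": "../local", "Dir": "/src/local"}}
"""

def iter_json_objects(text):
    """Yield successive JSON values from a concatenated stream."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1  # raw_decode does not skip leading whitespace itself
        if pos >= len(text):
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj

def go_components(text):
    """Return (module path, version, indirect) triples a scanner would report."""
    components = []
    for mod in iter_json_objects(text):
        if mod.get("Main"):
            continue  # the scanned project itself is not a third-party component
        effective = mod.get("Replace") or mod  # a replace directive changes what is built
        if not effective.get("Version"):
            continue  # replaced by a local directory: no published version to report
        components.append((effective["Path"], effective["Version"], bool(mod.get("Indirect"))))
    return components
```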
### C / C++

Licensight Scan can identify C/C++ dependencies which are managed by vcpkg (newer than 2022-05-05). The vcpkg detection relies on `vcpkg.spdx.json` files produced by vcpkg during the install process. These files are typically found under the installed packages directory in a path like `installed/<triplet>/share/<port>/vcpkg.spdx.json`.