# Using Licensight Scan

With Licensight Scan you start integrating your source code with the Licensight platform. It is a CLI (command line interface) provided for all major operating systems. The CLI runs in your own environment or build system; the scanned source code never leaves your environment. Licensight Scan identifies the open source components in use from the dependency management manifests it finds and sends only that list (component name and version) to the central service.
## Licensight Scan parameters

Parameter | Description |
---|---|
`-d` | The root folder of the project directory for which the SBOM file will be generated. |
`-a` | Name of the application in the Licensight platform in which this project is located. |
`-e` | The Licensight platform endpoint (or tenant) to which this project's scan result will be uploaded. |
`-at` | Your personal access token. |
`-r` | Name of the repository which will be created in the Licensight platform. |
`-b` | The branch of the source code from which the scan is running. |
`-t` | The tag of the source code from which the scan is running. |
`-dpr` | If this flag is set, Licensight Scan will annotate the GitLab Pull Request with details of the policy violations and vulnerabilities. Please refer to Enabling GitLab Pull Request Decoration for more details. |
`-gat` | (Deprecated) The GitLab access token used to decorate the GitLab Pull Request when the flag `-dpr` is enabled. Please refer to Enabling GitLab Pull Request Decoration for more details. |
`-btb` | If this flag is set, Licensight Scan will return a non-zero exit code if the feature branch introduces any new policy violations. This flag can be used to prevent merging violating packages into the default branch. |
`-del` | Filters out specific directories following a minimatch pattern (e.g., `-del "**/service-identify/**;**/service-security/**"`). |
## Run the scan

Execute the following command to conduct a scan:

```shell
./licensight-scan generate \
  -d '<path_to_project_directory>' \
  -a '<name_of_the_application>' \
  -e <your_licensight_url_or_tenant> \
  -at <your_personal_access_token>
```

Sample:

```shell
./licensight-scan generate -d . -a my-app -e https://my-tenant.licensight.com -at token
```

Note: you can also configure the endpoint as `-e my-tenant` instead of using the full URL.
## Supported Languages

Licensight Scan uses the following sources to identify components:

File | Programming Language |
---|---|
pom.xml, .jar, .war, .ear, JDK/JRE folders | Java |
requirements.txt, poetry.lock, conda-lock.yml | Python |
package-lock.json (version 3), pnpm-lock.yaml (up to version 6), yarn.lock (up to version 3) | Javascript / Typescript / Node.js |
project.assets.json, *.nuspec, *.nupkg, packages.config, nuget.config | C# / .net |
go.mod, go.sum | Go |
Gemfile.lock | Ruby |
Cargo.lock (v1, v2, v3) | Rust (Cargo) |
Podfile.lock | Swift / Objective-C (CocoaPods) |
### Java

Licensight Scan supports detection of Java dependencies through both Maven project files and post-build archive files (`.jar`, `.war`, `.ear`).
#### For Maven projects

- Maven CLI must be installed and available in the current PATH (`mvn` should be runnable).
- Maven Dependency Plugin must be present (installed with Maven).
- One or more `pom.xml` files must be present in the scanned directory.
- The analysis is conducted by executing `mvn dependency:tree -f {pom.xml}` for each `pom.xml` file. The result is parsed.
- If the `pom.xml` refers to private repositories, ensure Maven can access them. You can pass a configuration file to Maven using the environment variable `MAVEN_ARGS` (e.g., `-s settings.xml`).
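The parsing step is worth seeing concretely. The following is an added example, not Licensight's own code, of a small Python parser for the text tree that `mvn dependency:tree` prints; the sample output it consumes is constructed, with fictional coordinates under `org.example`, and the handling of classifiers, scopes and duplicate entries shown here is an assumption about how such a scanner would behave, not a description of the product.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output (not from a real build).
# Depth 0 is the project itself; every coordinate below it is fictional.
MVN_TREE_OUTPUT = r"""[INFO] Scanning for projects...
[INFO]
[INFO] --- maven-dependency-plugin:3.6.1:tree (default-cli) @ my-app ---
[INFO] com.example:my-app:jar:1.0.0
[INFO] +- org.example.util:text-utils:jar:1.4.0:compile
[INFO] +- org.example.json:json-core:jar:2.3.1:compile
[INFO] |  \- org.example.json:json-annotations:jar:2.3.1:compile
[INFO] \- org.example.test:unit-test:jar:5.9.0:test
[INFO]    \- org.example.test:assertions:jar:tests:5.9.0:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""

# A Maven coordinate: no whitespace, 4 to 6 colon-separated parts.
COORDS = re.compile(r"^[^\s:]+(?::[^\s:]+){3,5}$")
# Characters Maven draws the tree with, in front of each coordinate.
TREE_CHARS = "|+\\- "


@dataclass(frozen=True)
class MavenNode:
    group: str
    artifact: str
    version: str
    scope: str   # "" for the root project
    depth: int   # 0 = the project, 1 = direct dependency, 2 = transitive, ...


def parse_dependency_tree(text: str) -> List[MavenNode]:
    """Parse the text tree printed by `mvn dependency:tree` into nodes."""
    nodes: List[MavenNode] = []
    for line in text.splitlines():
        if not line.startswith("[INFO] "):
            continue
        body = line[len("[INFO] "):]
        coords = body.lstrip(TREE_CHARS)
        if not COORDS.match(coords):
            continue  # banner, separator, plugin header, BUILD SUCCESS, ...
        depth = (len(body) - len(coords)) // 3   # each tree level is 3 columns wide
        parts = coords.split(":")
        group, artifact = parts[0], parts[1]
        if len(parts) == 4:        # root: group:artifact:type:version
            version, scope = parts[3], ""
        elif len(parts) == 5:      # group:artifact:type:version:scope
            version, scope = parts[3], parts[4]
        else:                      # group:artifact:type:classifier:version:scope
            version, scope = parts[4], parts[5]
        nodes.append(MavenNode(group, artifact, version, scope, depth))
    return nodes


def components(text: str) -> List[Tuple[str, str]]:
    """The (name, version) pairs a scanner would upload: every dependency below the root, once."""
    seen: List[Tuple[str, str]] = []
    for n in parse_dependency_tree(text):
        if n.depth == 0:
            continue
        entry = (f"{n.group}:{n.artifact}", n.version)
        if entry not in seen:
            seen.append(entry)
    return seen


if __name__ == "__main__":
    for name, version in components(MVN_TREE_OUTPUT):
        print(name, version)
```

Test-scoped dependencies are kept in this example because a policy check usually wants to see them; a scanner that only reports what ships would filter on `scope`.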
#### For `.jar`, `.war`, `.ear` archive files (post-build artifacts)

- Licensight Scan unzips the archive and identifies components based on metadata files such as:
  - `pom.properties`
  - `pom.xml`
  - `MANIFEST.MF`
  - Archive file name
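As an added example (not Licensight's code) of identifying an archive from those metadata sources, the Python below builds three small in-memory jars with constructed contents and then tries `pom.properties`, then `MANIFEST.MF`, then the archive file name; the `pom.xml` source is left out. The precedence order, the manifest attributes used and the `<artifact>-<version>.jar` file-name pattern are assumptions for the demonstration.

```python
import io
import re
import zipfile
from typing import Dict, Optional, Tuple

# Conventional <artifact>-<version>.jar naming, e.g. text-utils-1.4.0.jar (assumed pattern).
FILENAME_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d[\w.\-]*)\.(?:jar|war|ear)$")


def _parse_manifest(text: str) -> Dict[str, str]:
    """Parse MANIFEST.MF 'Name: value' lines; a leading space continues the previous value."""
    attrs: Dict[str, str] = {}
    key = None
    for raw in text.splitlines():
        if raw.startswith(" ") and key is not None:
            attrs[key] += raw[1:]
        elif ":" in raw:
            key, _, value = raw.partition(":")
            key = key.strip()
            attrs[key] = value.strip()
    return attrs


def _parse_properties(text: str) -> Dict[str, str]:
    """Parse the key=value lines of a Maven pom.properties file."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            k, _, v = line.partition("=")
            props[k.strip()] = v.strip()
    return props


def identify_archive(data: bytes, file_name: str) -> Tuple[Optional[str], Optional[str], str]:
    """Return (component name, version, evidence) for a .jar/.war/.ear, trying the
    most reliable metadata source first and the archive file name last."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # 1. Maven writes META-INF/maven/<group>/<artifact>/pom.properties at build time.
        for n in names:
            if n.startswith("META-INF/maven/") and n.endswith("/pom.properties"):
                p = _parse_properties(zf.read(n).decode("utf-8", "replace"))
                if {"groupId", "artifactId", "version"}.issubset(p):
                    return (f"{p['groupId']}:{p['artifactId']}", p["version"], "pom.properties")
        # 2. Implementation-* attributes of the manifest.
        if "META-INF/MANIFEST.MF" in names:
            m = _parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
            if m.get("Implementation-Title") and m.get("Implementation-Version"):
                return (m["Implementation-Title"], m["Implementation-Version"], "MANIFEST.MF")
    # 3. Fall back to the archive file name.
    match = FILENAME_RE.match(file_name)
    if match:
        return (match["name"], match["version"], "file name")
    return (None, None, "unknown")


def build_sample_archive(entries: Dict[str, object]) -> bytes:
    """Build an in-memory zip (a jar is a zip) from {path: content} for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed sample archives with fictional components (not real artifacts).
JAR_WITH_POM = build_sample_archive({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\nImplementation-Title: text-utils\r\n"
                            "Implementation-Version: 1.4.0\r\n",
    "META-INF/maven/org.example.util/text-utils/pom.properties":
        "#Generated by Maven\nversion=1.4.0\ngroupId=org.example.util\nartifactId=text-utils\n",
    "org/example/util/Text.class": b"\xca\xfe\xba\xbe",
})
JAR_MANIFEST_ONLY = build_sample_archive({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\nImplementation-Title: json-core\r\n"
                            "Implementation-Version: 2.3.1\r\n",
})
JAR_BARE = build_sample_archive({"org/example/Legacy.class": b"\xca\xfe\xba\xbe"})

if __name__ == "__main__":
    print(identify_archive(JAR_WITH_POM, "text-utils-1.4.0.jar"))
    print(identify_archive(JAR_MANIFEST_ONLY, "json-core-2.3.1.jar"))
    print(identify_archive(JAR_BARE, "legacy-lib-0.9.2-SNAPSHOT.jar"))
```

The evidence field matters when reviewing results: a component identified only from its file name is the weakest match, since anyone who repackages or renames a jar changes that evidence without changing the code inside.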
#### For JDK, JRE directories

- The tool scans the specified directories to detect JDK and JRE installations by checking for marker files such as `release` and `jdb` to determine version and vendor information.
### Python

Licensight Scan can identify dependencies which are managed using pip or Poetry.

To be able to scan dependencies with pip the following preconditions need to be fulfilled:

- Python 2 or Python 3
- Internet connection
- One or more `setup.py` or `requirements.txt` files in the scanned directory.
- Minimum pip version 22.2.0

To be able to scan a Poetry project the following precondition needs to be fulfilled:

- A `poetry.lock` file is available in the scanned directory.
### JavaScript / TypeScript

To be able to scan JavaScript or TypeScript projects, either npm or pnpm can be used. The npm detection relies on the `package-lock.json` (version 3) file, while pnpm detection relies on `pnpm-lock.yaml` (up to version 6). Dependencies managed with yarn are looked up in the `yarn.lock` file.
### .NET

To identify components managed with NuGet, we parse any of the following files found in the scanned directory: `.nuspec`, `.nupkg`, `packages.config`, `project.assets.json`. The NuGet global cache is also considered, which might lead to overreporting.
### Go

To be able to detect Go dependencies a Go binary v1.17+ is required. The dependencies are detected by running the command `go list -mod=readonly -m -json all` and parsing its output.
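An added Python example (not the scanner's own code) of parsing that output: `go list -m -json all` prints one JSON object per module back to back rather than a JSON array, so a single `json.loads` fails and the objects have to be decoded one at a time. The sample output is constructed with fictional module paths under `example.com`; skipping the main module and reporting the target of a `Replace` directive are assumptions about how a scanner would handle these cases, not a statement of Licensight's behaviour.

```python
import json
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample of `go list -mod=readonly -m -json all` output (fictional modules).
# Note: consecutive objects, no enclosing array and no commas between them.
GO_LIST_OUTPUT = """{
	"Path": "example.com/my-service",
	"Main": true,
	"Dir": "/src/my-service",
	"GoMod": "/src/my-service/go.mod",
	"GoVersion": "1.21"
}
{
	"Path": "example.com/lib/logging",
	"Version": "v1.2.0",
	"Time": "2023-05-01T10:00:00Z",
	"Indirect": true
}
{
	"Path": "example.com/lib/crypto",
	"Version": "v0.8.1",
	"Replace": {
		"Path": "example.com/fork/crypto",
		"Version": "v0.8.2"
	}
}
{
	"Path": "example.com/lib/local",
	"Version": "v0.0.0-00010101000000-000000000000",
	"Replace": {
		"Path": "./internal/local",
		"Dir": "/src/my-service/internal/local"
	}
}
"""


@dataclass(frozen=True)
class GoModule:
    path: str
    version: Optional[str]    # None for a local directory replacement
    indirect: bool
    replaces: Optional[str]   # original module path when a replace directive applies


def iter_json_objects(stream: str) -> Iterator[dict]:
    """Decode a stream of concatenated JSON objects one object at a time."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        while pos < len(stream) and stream[pos].isspace():
            pos += 1              # raw_decode does not skip leading whitespace itself
        if pos >= len(stream):
            return
        obj, pos = decoder.raw_decode(stream, pos)
        yield obj


def parse_go_modules(stream: str) -> List[GoModule]:
    """Turn the go list output into modules, resolving replace directives."""
    modules: List[GoModule] = []
    for obj in iter_json_objects(stream):
        if obj.get("Main"):
            continue              # the project itself is not a third-party component
        indirect = bool(obj.get("Indirect"))
        replace = obj.get("Replace")
        if replace:
            # The code that is actually compiled comes from the replacement, so that
            # is what should be matched against advisories; a directory replacement
            # has no version to match on.
            modules.append(GoModule(replace["Path"], replace.get("Version"), indirect, obj["Path"]))
        else:
            modules.append(GoModule(obj["Path"], obj.get("Version"), indirect, None))
    return modules


def component_list(stream: str) -> List[Tuple[str, str]]:
    """(name, version) pairs as a scanner would upload them; entries without a
    resolvable version (local directory replacements) are left out."""
    return [(m.path, m.version) for m in parse_go_modules(stream) if m.version]


if __name__ == "__main__":
    for m in parse_go_modules(GO_LIST_OUTPUT):
        print(m)
```

Local directory replacements are the case to watch in a review: the module is dropped from the upload list here because it has no version, so a vulnerable library vendored via `replace => ./some/dir` would be invisible to a name-and-version based check.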