Acquiring Manifests For Manual Upload
Manifest files contain the list of open source packages required to run a project. This list contains only the top-level packages, without their dependencies. To resolve where to download the packages from, and which dependencies those packages in turn require, we have package manager programs. Each language has its own package manager that can resolve the required packages and their dependencies. Depending on the package manager, after downloading a package, the package and dependency details are written to a lockfile.
We can take those manifests and lockfiles, import them into our system, and then generate a full representation of the open source packages inventory without any integration.
Depending on the package manager, the acquisition of a supported manifest file might require installing the project and running a shell command.
For non-technical personnel, some manifests can be acquired via a Git version control system like GitHub or GitLab. See this guide for more information on how to do that.
Javascript / Node.js
npm (default)
npm is the default package manager for JavaScript and Node.js. Our system supports the following files for manual uploads:
package-lock.json (lockfile)
Yarn
Yarn is an alternative package manager for JavaScript and Node.js based applications. Our system supports the following files for manual uploads:
yarn.lock (lockfile)
Python
pip (default)
The default package manager for Python is pip.
The manifest files themselves (requirements.txt, setup.py, setup.cfg) contain only the top-level packages. While they are supported by our system, they give only a partial view of the packages used (about 10% of the packages actually in use). pip doesn't have a lockfile mechanism.
To get the full list of packages in a form compatible with our system, the developer needs to install the project locally and then run the following command in the terminal:
If you are working with Python virtual environments, make sure to activate the virtual environment before running the command below (activate using: source venv/bin/activate).
pip freeze command explanation
pip freeze > deptree.txt
The output file (deptree.txt) can then be used as an input to our system.
Java
Maven (default)
Maven is the default package manager for Java.
The manifest (pom.xml) itself has only the top-level packages, and their versions are resolved dynamically (unlike with other package managers). Maven doesn't have a lockfile mechanism. To generate the full list of packages in a form compatible with our system, the developer needs to install the project locally and then run the following command:
mvn --batch-mode dependency:tree -DoutputFile="$(pwd)/deptree.graphml" -DappendOutput -DoutputType=graphml
The output file (deptree.graphml) can then be used as an input to our system.
PHP
Composer (default)
Composer is the default package manager for PHP. It uses the following manifest files:
composer.json (manifest)
composer.lock (lockfile)
The lockfile composer.lock is supported by our system.