Container Vulnerability - Scanning of Language Libraries and Package Managers
How Scanning is Performed
Package scanning for programming languages works in a variety of ways:
- By scanning
.lockfiles that are generated by the package managers. - By scanning different binaries that are generated by the package managers.
- By scanning specific files (in specific format) that are generated by package installations.
These files can exist in any path in a container.
Files Scanned
The files scanned for each supported language library or package manager depends on the type of integration:
Platform, Inline, and Proxy Scanner Assessments
The following table lists the types of files and file extensions that are scanned for each programming language:
| Language or Package manager | Files scanned |
|---|---|
| Java | *.jar *.war *.ear Fat JAR files are also scanned for their dependencies. |
| Ruby | *.gemspec
|
| PHP | composer.lock
|
| Go | *.sum Any executable binaries built by Go |
| npm | package-lock.json yarn.lock |
| .NET | packages.lock.json
|
| Python | Pipfile.lock poetry.lock *.egg-info/PKG-INFO *.dist-info/METADATA |
| Rust | *Cargo.lock
|
|
For .NET packages, |
Agentless Workload Scanning Assessments
The following table lists the types of files and file extensions that are scanned for each programming language:
| Language or Package manager | Files scanned |
|---|---|
| Java | *.jar *.war *.ear pom.properties MANIFEST.MF Fat JAR files are also scanned for their dependencies. |
| Ruby | *Gemfile.lock
|
| PHP | composer.lock
|
| Go | *.sum Any executable binaries built by Go |
| npm | package-lock.json yarn.lock |
| NuGet | packages.lock.json
|
| Python | Pipfile.lock poetry.lock *.egg-info/PKG-INFO *.dist-info/METADATA |
| Rust | *Cargo.lock
|