Container Vulnerability - Scanning of Language Libraries and Package Managers
How Scanning is Performed
Package scanning for programming languages works in a variety of ways:
- By scanning `.lock` files that are generated by the package managers.
- By scanning different binaries that are generated by the package managers.
- By scanning specific files (in specific formats) that are generated by package installations.

These files can exist in any path in a container.
Files Scanned
The files scanned for each supported language library or package manager depend on the type of integration:
Platform, Inline, and Proxy Scanner Assessments
The following table lists the types of files and file extensions that are scanned for each programming language:
Language or Package manager | Files scanned |
---|---|
Java | *.jar, *.war, *.ear. Fat JAR files are also scanned for their dependencies. |
Ruby | *.gemspec |
PHP | composer.lock |
Go | *.sum, and any executable binaries built by Go |
npm | package-lock.json, yarn.lock |
.NET | packages.lock.json |
Python | Pipfile.lock, poetry.lock, *.egg-info/PKG-INFO, *.dist-info/METADATA |
Rust | *Cargo.lock |

For .NET packages,
Agentless Workload Scanning Assessments
The following table lists the types of files and file extensions that are scanned for each programming language:
Language or Package manager | Files scanned |
---|---|
Java | *.jar, *.war, *.ear, pom.properties, MANIFEST.MF. Fat JAR files are also scanned for their dependencies. |
Ruby | *Gemfile.lock |
PHP | composer.lock |
Go | *.sum, and any executable binaries built by Go |
npm | package-lock.json, yarn.lock |
NuGet | packages.lock.json |
Python | Pipfile.lock, poetry.lock, *.egg-info/PKG-INFO, *.dist-info/METADATA |
Rust | *Cargo.lock |
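As an added example (not the scanner's own code), the following Python script walks an image filesystem root and classifies files by the patterns from both tables above, honouring the rule that files may sit at any path and that PKG-INFO / METADATA only count inside *.egg-info or *.dist-info directories. The function names (`classify`, `find_artifacts`, `build_sample_root`) and the sample tree are assumptions constructed for this example.

```python
import fnmatch
import os
import tempfile

# Patterns from the tables above (both integration types merged), keyed by language.
ARTIFACT_PATTERNS = {
    "Java": ["*.jar", "*.war", "*.ear", "pom.properties", "MANIFEST.MF"],
    "Ruby": ["*.gemspec", "*Gemfile.lock"],
    "PHP": ["composer.lock"],
    "Go": ["*.sum"],
    "npm": ["package-lock.json", "yarn.lock"],
    ".NET": ["packages.lock.json"],
    "Python": ["Pipfile.lock", "poetry.lock", "PKG-INFO", "METADATA"],
    "Rust": ["*Cargo.lock"],
}
PY_META_DIRS = (".egg-info", ".dist-info")

def classify(path):
    """Return the language whose pattern matches this path, else None."""
    name, parent = os.path.basename(path), os.path.basename(os.path.dirname(path))
    for lang, patterns in ARTIFACT_PATTERNS.items():
        for pat in patterns:
            if not fnmatch.fnmatch(name, pat):
                continue
            # PKG-INFO / METADATA only count inside *.egg-info or *.dist-info
            if pat in ("PKG-INFO", "METADATA") and not parent.endswith(PY_META_DIRS):
                continue
            return lang
    return None

def find_artifacts(root):
    """Walk every path under root and map language -> sorted relative file paths."""
    found = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            lang = classify(full)
            if lang:
                found.setdefault(lang, []).append(os.path.relpath(full, root))
    return {k: sorted(v) for k, v in found.items()}

def build_sample_root():
    """Constructed sample image filesystem (not real package data) for testing."""
    root = tempfile.mkdtemp()
    for rel in ["app/package-lock.json", "usr/lib/python3/site-packages/requests-2.31.0.dist-info/METADATA",
                "opt/app.jar", "home/notes/METADATA", "src/go.sum", "srv/Cargo.lock"]:
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as f:
            f.write("Name: requests\nVersion: 2.31.0\n" if rel.endswith("METADATA") else "")
    return root
```

Running `find_artifacts(build_sample_root())` reports the Java, npm, Go, Rust and Python artifacts while ignoring the stray `home/notes/METADATA`, which lies outside any egg-info or dist-info directory.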