Dependency Detection
- 28 Apr 2023
- 1 Minute to read
- Print
- DarkLight
- PDF
Dependency Detection
- Updated on 28 Apr 2023
- 1 Minute to read
- Print
- DarkLight
- PDF
Article Summary
Share feedback
Thanks for sharing your feedback!
Identifying the entire supply chain in your software product is essential in determining whether security vulnerabilities or other risk factors exist. Depending on the data available, Ion Channel can detect all of a project's direct and transitive dependencies.
Direct Dependencies
Direct dependencies are components that the project explicitly indicates are required for the project to run or compile.
Transitive Dependencies
Transitive dependencies are any dependencies of your project's direct dependencies (see the diagram below). For most projects, there is no limit to how far down that dependency tree will be checked to find all of the transitive dependencies in a project.
Detection Details and Requirements
Ion Channel will look for dependencies within the file formats listed below. For a dependency file to be scanned, it must be located less than six folders deep. Searching Git submodules are not supported.
| Package Manager | Language | Supported File Formats | Notes |
| Go Modules | Golang | go.mod | All Go dependencies are considered to be direct. |
| Glide | Golang | glide.lock, glide.yaml | Glide.yaml files will only be inspected if no glide.lock file is present. |
| Maven | Java, Scala | pom.xml | Includes dependencies in the dependencies and artifacts sections. Optional transitive dependencies are ignored. |
| npm | Javascript | package-lock.json, package.json | Package.json files will only be inspected if no package-lock.json files are present. |
| Nuget | C#, F#, VB.NET | .nuspec | |
| PyPI | Python | pipfile, *requirements*.txt | Any .txt file with the word "requirements" anywhere in the filename will be scanned for dependencies. |
| RubyGems | Ruby | Gemfile.lock, Gemfile, .gemspec | Gemfiles will only be inspected if no Gemfile.lock files are present. |
| Yarn | Javascript | yarn.lock, package.json | Package.json files will only be inspected if no yarn.lock file is present. |
Was this article helpful?
