Source code
Because each programming language has its own declaration files for the libraries it uses, the SBOM engine analyzes only files with the specific names listed below; scanning anything else would add false positives and slow the analysis down.
Programming language | File to check |
---|---|
Ruby | `Gemfile.lock`; lib package in `tar.gz` or `gem` format |
Python | `Pipfile.lock`, `poetry.lock`, `requirements*.txt`, `setup.py`, `pyproject.toml`; lib package in `tar.gz`, `egg`, `whl` or `zip` format |
PHP | `composer.lock`; lib package in `zip` format |
NodeJS | `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`; lib package in `tgz` format |
Java | `pom.xml`, `pom.properties`, `gradle.lockfile`, `*.jar`; lib package in `*.zip`, `*-src.zip`, `*-sources.zip`, `*.tar.gz`, `*-src.tar.gz` or `*-sources.tar.gz` format |
Go | `go.mod` |
Rust | `Cargo.lock` |
Dart | `pubspec.lock` |
.NET | `packages.lock.json`, `packages.config`, `.deps.json`, `.nuspec`; DLL library in `*.nupkg` |
Elixir | `mix.lock` |
Swift | `Podfile.lock` |
C/C++ package manager | `conan.lock` |
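
A practical consequence of this allow-list is that a repository with no recognised declaration file yields an empty or incomplete SBOM. The following script, added here as an example and not part of the engine or this documentation, transcribes the "File to check" column into glob patterns and reports which files in a tree the engine would consider; `match_manifests`, `scan_tree` and the sample listing are assumptions of this example, and the suffix entries (`.deps.json`, `.nuspec`) are treated as glob suffixes.

```python
"""Report which files in a source tree match the SBOM engine's per-language filename list."""
import fnmatch
import os
from collections import defaultdict

# Filename patterns per language, transcribed from the table above (glob syntax).
# Assumption: ".deps.json" and ".nuspec" denote suffixes, so they are written as "*.suffix".
MANIFEST_PATTERNS = {
    "Ruby": ["Gemfile.lock"],
    "Python": ["Pipfile.lock", "poetry.lock", "requirements*.txt", "setup.py", "pyproject.toml"],
    "PHP": ["composer.lock"],
    "NodeJS": ["package-lock.json", "yarn.lock", "pnpm-lock.yaml"],
    "Java": ["pom.xml", "pom.properties", "gradle.lockfile", "*.jar"],
    "Go": ["go.mod"],
    "Rust": ["Cargo.lock"],
    "Dart": ["pubspec.lock"],
    ".NET": ["packages.lock.json", "packages.config", "*.deps.json", "*.nuspec", "*.nupkg"],
    "Elixir": ["mix.lock"],
    "Swift": ["Podfile.lock"],
    "C/C++": ["conan.lock"],
}


def match_manifests(paths):
    """Map each language to the (sorted) paths whose basename matches one of its patterns.

    Anything that matches no pattern is invisible to the engine, which is why a
    project that vendors dependencies without a lockfile can produce an empty SBOM.
    """
    found = defaultdict(list)
    for path in paths:
        name = os.path.basename(path)
        for lang, patterns in MANIFEST_PATTERNS.items():
            if any(fnmatch.fnmatchcase(name, p) for p in patterns):
                found[lang].append(path)
    return {lang: sorted(files) for lang, files in found.items()}


def scan_tree(root):
    """Walk a real directory and return match_manifests() over its relative paths."""
    paths = [os.path.relpath(os.path.join(d, f), root)
             for d, _, files in os.walk(root) for f in files]
    return match_manifests(paths)


# Constructed listing for a mixed-language repository (not a real project).
SAMPLE_PATHS = [
    "api/requirements-dev.txt", "api/pyproject.toml", "api/app.py",
    "web/package-lock.json", "web/src/index.js",
    "svc/go.mod", "svc/go.sum",
    "legacy/lib/commons-io.jar", "docs/README.md",
]

if __name__ == "__main__":
    for lang, files in match_manifests(SAMPLE_PATHS).items():
        print(f"{lang}: {', '.join(files)}")
```

Run `scan_tree(".")` against a checkout before submitting it to the engine; languages missing from the result will be absent from the SBOM.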
