microsoft · JamieMagee · Dec 7, 2021 · Dec 7, 2021
@@ -0,0 +1,12 @@
+# Detectors
+
+- CocoaPods
+- [Go](go.md)
+- [Gradle](gradle.md)
+- [Linux](linux.md)
+- [Maven](maven.md)
+- NPM
+- NuGet
+- [Pip](pip.md)
+- Ruby
+- Rust
@@ -0,0 +1,34 @@
+# Go Detection
+
+## Requirements
+
+Go detection depends on the following to successfully run:
+
+- Go v1.11+.
+
+## Detection strategy
+
+Go detection is performed by parsing output from executing `go mod graph`.
+Full dependency graph generation is supported if Go v1.11+ is present on the build agent.
+If no Go v1.11+ is present, a fallback detection strategy is performed, dependent on:
+
+- One or more `go.mod` or `go.sum` files.
+
+For the fallback strategy:
+
+Go detection is performed by parsing any `go.mod` or `go.sum` found under the scan directory.
+
+Only root dependency information is generated instead of full graph.
+I.e. tags the top level component or explicit dependency a given transitive dependency was brought by.
+Given a dependency tree A -> B -> C, C's root dependency is A.
+
+## Known limitations
+
+Dev dependency tagging is not supported.
+
+Go detection will fallback if no Go v1.11+ is present.
+If executing `go mod graph` takes too long (currently if it takes more than 10 seconds), go detection will fall back.
+This can happen if modules are not restored before the scan.
+
+Due to the nature of `go.sum` containing references for all dependencies, including historical, no-longer-needed dependencies; the fallback strategy can result in over detection.
+Executing `go mod tidy` before detection via fallback is encouraged.
@@ -1,16 +1,20 @@
 # Gradle Detection
+
 ## Requirements
+
 Gradle detection depends on the following to successfully run:
 
-- Gradle 7 or prior using [Single File lock](https://docs.gradle.org/6.8.1/userguide/dependency_locking.html#single_lock_file_per_project).
-- One or more <em>*.lockfile</em> files. 
+- Gradle 7 or prior using [Single File lock](https://docs.gradle.org/6.8.1/userguide/dependency_locking.html#single_lock_file_per_project)
+- One or more `.lockfile` files
 
 ## Detection strategy
-Gradle detection is performed by parsing any <em>*.lockfile</em> found under the scan directory.
+
+Gradle detection is performed by parsing any `*.lockfile` found under the scan directory.
 
 ## Known limitations
+
 Gradle detection will not work if lock files are not being used.
 
-*Dev dependency* tagging is not supported.
+Dev dependency tagging is not supported.
 
-Full dependency graph generation is not supported.
+Full dependency graph generation is not supported.
@@ -0,0 +1,16 @@
+# Linux Detection
+
+## Requirements
+
+Linux detection depends on the following:
+
+- [Docker](https://www.docker.com/)
+
+## Detection strategy
+
+Linux package detection is performed by running [Syft](https://github.com/anchore/syft) and parsing the output.
+The output contains the package name, version, and the layer of the container in which it was found.
+
+## Known limitations
+
+- Windows container scanning is not supported
@@ -1,17 +1,21 @@
 # Maven Detection
+
 ## Requirements
+
 Maven detection depends on the following to successfully run:
 
 - Maven CLI as part of your PATH. mvn should be runnable from a given command line.
 - Maven Dependency Plugin (installed with Maven).
-- One or more *pom.xml* files. 
+- One or more `pom.xml` files.
 
 ## Detection strategy
-Maven detection is performed by running *mvn dependency:tree -f {pom.xml}* for each pom file and parsing down the results.
 
-Components tagged as a *test* dependency are marked as *development dependencies*.
+Maven detection is performed by running `mvn dependency:tree -f {pom.xml}` for each pom file and parsing down the results.
+
+Components tagged as a test dependency are marked as development dependencies.
 
 Full dependency graph generation is supported.
 
 ## Known limitations
-Maven detection will not run if *mvn* is unavailable.
+
+Maven detection will not run if `mvn` is unavailable.
@@ -1,33 +1,37 @@
 # Pip Detection
+
 ## Requirements
+
 Pip detection depends on the following to successfully run:
 
-- Python 2 or Python 3.
-- Internet connection.
-- One or more <em>setup.py</em> or *requirements.txt* files. 
+- Python 2 or Python 3
+- Internet connection
+- One or more `setup.py` or `requirements.txt` files
 
 ## Detection strategy
-Pip detection is performed by running the following code snippet on every <em>setup.py</em>:
+
+Pip detection is performed by running the following code snippet on every *setup.py*:
 
 ```python
     import distutils.core;
     setup = distutils.core.run_setup({setup.py});
     print(setup.install_requires);
 ```
 
-The code above allows Pip detection to detect any runtime dependendies.
+The code above allows Pip detection to detect any runtime dependencies.
 
-*requirements.txt* files are parsed; a Git component is created for every *git+* url.
+`requirements.txt` files are parsed; a Git component is created for every `git+` url.
 
-For every top level component, Pip detection makes http calls to Pip in order to determine latest version available, as well as to resolve the dependency tree by parsing the *METADATA* file on a given release's *bdist_wheel* or *bdist_egg*.
+For every top level component, Pip detection makes http calls to Pip in order to determine latest version available, as well as to resolve the dependency tree by parsing the `METADATA` file on a given release's `bdist_wheel` or `bdist_egg`.
 
 Full dependency graph generation is supported.
 
 ## Known limitations
-*Dev dependency* tagging is not supported.
 
-Pip detection will not run if *python* is unavailable.
+Dev dependency tagging is not supported.
+
+Pip detection will not run if `python` is unavailable.
 
-If no *bdist_wheel* or *bdist_egg* are available for a given component, dependencies will not be fetched.
+If no `bdist_wheel` or `bdist_egg` are available for a given component, dependencies will not be fetched.
 
-If no internet connection or a component cannot be found in Pypi, said component and its dependencies will be skipped.
+If no internet connection or a component cannot be found in Pypi, said component and its dependencies will be skipped.