For bugs, issues, and support please create an issue.
ComponentDetection is a package scanning tool intended to be used at build time. CD produces a graph-based output of all detected components and supports a variety of open source package ecosystems.
- Feature Overview
- My favorite language/ecosystem isn't supported!
- Building and running Component Detection
- A detector is marked as DefaultOff/Experimental. What does that mean?
- Telemetry
| Ecosystem | Scanning | Graph Creation |
|---|---|---|
| CocoaPods | ✔ | ✔ |
| Linux (Debian, Alpine, Rhel, Centos, Fedora, Ubuntu) | ✔ (via syft) | ❌ |
| Gradle (lockfiles only) | ✔ | ❌ |
| Go | ✔ | ❌ |
| Maven | ✔ | ✔ |
| NPM (including Yarn, Pnpm) | ✔ | ✔ |
| NuGet | ✔ | ✔ |
| Pip (Python) | ✔ | ✔ |
| Poetry (Python, lockfiles only) | ✔ | ❌ |
| Ruby | ✔ | ✔ |
| Rust | ✔ | ✔ |
For a complete feature overview refer to feature-overview.md
Component Detection is built with extensibility in mind! Please see our CONTRIBUTING.md to get started where you can find additional docs on adding your own detector.
.NET Core 3.1 is currently in use, you can install it from https://dotnet.microsoft.com/download/dotnet/3.1
The below commands mirror what we do to setup our CI environments:
From the base folder:
dotnet build
- open ComponentDetection.sln in Visual Studio
- Set the Loader project as the startup project (rightclick-> Set as Startup Project)
- Set Run arguments for the Loader project (rightclick->properties->Debug)
Minimum:scan --SourceDirectory <Repo to scan> - Now, any time you make a change, you can press
F5. This will build the changes, and start the process in debug mode (hitting any breakpoints you set)
If you have access to GitHub Codespaces, select the Code button from the repository homepage then select Open with Codespaces. That's it! You have a full developer environment that supports debugging, testing, auto complete, jump to definition, everything you would expect.
This is similar to Codespaces:
- Make sure you meet the requirements and follow the installation steps for DevContainers in VS Code
git clone https://github.com/microsoft/component-detection- Open this repo in VS Code
- A notification should popup to reopen the workspace in the container. If it doesn't, open the
Command Paletteand typeRemote-Containers: Reopen in Container.
The most basic run:
dotnet run --project src/Microsoft.ComponentDetection scan --SourceDirectory .\
You can add --no-restore or --no-build if you don't want to rebuild before the run
You can add --Debug to get the application to wait for debugger attachment to complete.
Additional arguments for detection can be found in detector arguments
Detectors have 3 levels of "stability":
DefaultOffExperimentalStable
DefaultOff detectors need to be explicitly enabled to run and produce a final graph output. Experimental detectors run by default but will not produce a final graph output. Stable detectors run and produce a final graph output by default. Here is how you can enable default off/experimental detectors.
By default, telemetry will output to your output file path and will be a JSON blob. No data is submitted to Microsoft.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.