Notes About Ecosystem Support

Code Insight 2021 R2

The following sections provide additional information (such as limitations, requirements, and clarifications) to consider for the various ecosystems supported in the Code Insight Automated Analysis process:

Conda Ecosystems
Git Ecosystems
Go Ecosystems
NPM Ecosystems
PyPI Ecosystems
Ruby Ecosystems
Yarn Ecosystems
Yocto Ecosystems

Conda Ecosystems

First-level dependencies are supported for index.json, but semver resolution of versions is not yet supported.

Git Ecosystems

Code Insight scans configuration files inside .git folders encountered in a project codebase and uses identified information to create inventory items.

Go Ecosystems

Note the following for Go ecosystems:

A golang project configured with a supported package manager must include a license file to enable Code Insight to discover it as top-level inventory.
Currently, Code Insight supports the discovery of top-level inventory only in scans of pre-build artifact source code.
If the codebase is uploaded from the release section of the VCS repository, Code Insight must use the version in the name of the project’s parent folder as the version in the top-level inventory name. Any changes to the version in the parent folder name can result in the wrong version being reported in the inventory.

NPM Ecosystems

Note the following for NPM ecosystems:

Code Insight provides scan support for package.json alone or for package.json with either package-lock.json or npm-shrinkwrap.json.
The package-lock.json or npm-shrinkwrap.json file is scanned only if it co-exists with package.json. (The package.json file contains the component and dependency data. The package-lock.json or npm-shrinkwrap.json file is used to identify the exact dependency versions for components that Code Insight should pull from package.json.)
If both package-lock.json and npm-shrinkwrap.json are present with package.json, Code Insight scans npm-shrinkwrap.json (along with package.json) and ignores package-lock.json.

PyPI Ecosystems

Code Insight supports the discovery of top-level inventory and direct dependencies for both pre-build and post-build artifacts of a Python project. Pre-build artifacts include source packages, such as tar.gz, .zip, and other such files. Post-build artifacts are binary packages such as .whl files.

Direct dependencies for the pre-build artifacts are retrieved from the requirements.txt file, as long as PKG-INFO or setup.py resides in the same directory as requirements.txt. (PKG-INFO or setup.py is needed to determine the top-level inventory to which the direct dependencies are associated.) In the absence of requirements.txt, the dependencies are reported from the install_requires section in the setup.py file.

Ruby Ecosystems

Note the following for Ruby ecosystems:

For RubyGem projects, Code Insight shows all platform-related dependencies and those dependencies that are not part of a “test” or “dev” group as inventory. Any gems identified as “dev” or “test” are not considered for inventory.
Only SemVer expressions in the major.minor.patch format are supported to resolve dependencies listed in the manifest file.

Yarn Ecosystems

Note the following for Yarn ecosystems:

Code Insight provides scan support for package.json alone or for package.json with the yarn.lock file.
The yarn.lock file is scanned only if it co-exists with package.json. (The package.json file contains the component and dependency data. The yarn.lock file is used to identify the exact dependency versions for components that Code Insight should pull from package.json.)
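The manifest-selection rules stated in the NPM and Yarn sections above, written out as an added example (this is not Code Insight's own code): package.json is required, a lock file is only consulted beside it, and npm-shrinkwrap.json takes precedence over package-lock.json. Version resolution is shown for npm lock files only (lockfileVersion 1 and 2/3 layouts); it assumes that only the "dependencies" block of package.json is considered, and the sample manifests are constructed inline.

```python
import json

# Lock-file precedence per ecosystem, as documented: the first candidate present wins.
LOCK_CANDIDATES = {
    "npm": ("npm-shrinkwrap.json", "package-lock.json"),
    "yarn": ("yarn.lock",),
}
NM_PREFIX = "node_modules/"  # key prefix used by lockfileVersion 2/3 "packages"

def select_manifests(files, ecosystem="npm"):
    """Return (manifest, lock_or_None) following the documented rules, or None
    when package.json is absent (a lone lock file is never scanned)."""
    if "package.json" not in files:
        return None
    for candidate in LOCK_CANDIDATES[ecosystem]:
        if candidate in files:
            return ("package.json", candidate)
    return ("package.json", None)

def resolve_direct_versions(files):
    """Map each direct dependency in package.json to the exact version pinned in the
    selected npm lock file; fall back to the declared range when no lock is present.
    A version from an ignored package-lock.json never appears here, which is why the
    shrinkwrap precedence matters when reviewing what was actually scanned."""
    selected = select_manifests(files, "npm")
    if selected is None:
        return {}
    manifest, lock = selected
    declared = json.loads(files[manifest]).get("dependencies", {})
    if lock is None:
        return dict(declared)
    lock_data = json.loads(files[lock])
    pinned = {}
    for name, node in lock_data.get("dependencies", {}).items():  # lockfileVersion 1
        pinned[name] = node.get("version")
    for path, node in lock_data.get("packages", {}).items():      # lockfileVersion 2/3
        rest = path[len(NM_PREFIX):]
        if path.startswith(NM_PREFIX) and "/node_modules/" not in rest:  # top-level only
            pinned[rest] = node.get("version")
    return {name: pinned.get(name, spec) for name, spec in declared.items()}

# Constructed sample files (not taken from any real project).
SAMPLE_FILES = {
    "package.json": json.dumps({"dependencies": {"lodash": "^4.17.0", "express": "~4.18.0"}}),
    "package-lock.json": json.dumps({"lockfileVersion": 1, "dependencies": {
        "lodash": {"version": "4.17.15"}, "express": {"version": "4.18.1"}}}),
    "npm-shrinkwrap.json": json.dumps({"lockfileVersion": 2, "packages": {
        "node_modules/lodash": {"version": "4.17.21"}, "node_modules/express": {"version": "4.18.2"}}}),
}

if __name__ == "__main__":
    print(select_manifests(SAMPLE_FILES))         # ('package.json', 'npm-shrinkwrap.json')
    print(resolve_direct_versions(SAMPLE_FILES))  # versions come from the shrinkwrap, not the lock
```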

Yocto Ecosystems

Code Insight parses a .bb file only if it contains an SRC_URI property value that starts with git:// or https://. If the SRC_URI property contains more than one URI, only the first supported URI is considered.