Developer Overview
Detect is a command line utility that produces a bill of materials for 'any' project. It will automatically find and interrogate the package managers the project uses and run a signature scan on the source code.
Detect creates code locations, which are the sources of dependencies. A code location is generally identified by the combination of a folder and a bom tool, and consists of an external id and a dependency graph.
There are two ways that Detect can create a code location:
- Bom Tool
- Signature Scan
Detect uses bom tools to create code locations in several steps. First it must search the directory structure, though by default it only searches the source directory itself (search depth = 0). Bom tools are divided into strategies, each representing a single flow of bom tool extraction. For example, NPM is a bom tool with two strategies: a Lock Bom Tool and a Cli Bom Tool. The former parses the package lock file, while the latter invokes the npm cli with `list`.
The bom tool uses an extractor to actually find the dependencies. Multiple bom tools may use the same extractor.
Finding bom tools occurs over three distinct steps, and for extraction to occur all the following must be true:
- Searchable
- Applicable
- Extractable
While the search system looks for bom tools, each bom tool must quickly report whether it should be considered for a particular directory. The searchable check should never throw exceptions and should always respond with a result object that describes the reason the bom tool was or was not searchable.
Some reasons a bom tool might not be searchable:
- It should only apply at a certain depth. For example, Docker can only apply at depth 0.
- Should not apply if a bom tool applied in a parent directory. Most bom tools
- Should not apply if a particular bom tool already applied.
Finally, once a bom tool has passed all three steps, extraction can be performed and a code location is produced.
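The search/applicable/extract pipeline described above, modelled as an added Python example that is not Detect's own code. It assumes a constructed in-memory directory tree (`SAMPLE_TREE`), three hypothetical bom tools (Docker, NPM Lock, NPM CLI) and constructed dependency graphs; the rules it encodes are the ones listed on this page: a cheap searchable check that never throws and always returns a reason, a depth limit for Docker, skipping a bom tool whose group already applied in a parent directory, and skipping a second strategy of the same package manager once one has applied in the same directory.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed in-memory tree: folder path -> file names in that folder (no real I/O).
SAMPLE_TREE: Dict[str, List[str]] = {
    "proj": ["Dockerfile", "README.md"],
    "proj/web": ["package.json", "package-lock.json"],
    "proj/api": ["package.json"],
    "proj/web/vendor": ["package.json"],
}

@dataclass
class SearchResult:
    searchable: bool
    reason: str          # always populated so callers can log why a tool was skipped

@dataclass
class CodeLocation:
    folder: str
    bom_tool: str
    external_id: str
    dependency_graph: Dict[str, List[str]]   # component -> direct children

@dataclass
class BomTool:
    name: str
    group: str                                  # strategies of one package manager share a group
    max_depth: Optional[int]                    # None means the tool may apply at any depth
    applies: Callable[[List[str]], bool]        # applicable check, based on files present
    extract: Callable[[str, List[str]], Dict[str, List[str]]]   # extractor producing a graph

def search(tool: BomTool, depth: int, applied_in_parents: Set[str], applied_here: Set[str]) -> SearchResult:
    """Searchable step: cheap, never raises, and always explains its decision."""
    if tool.max_depth is not None and depth > tool.max_depth:
        return SearchResult(False, f"{tool.name} only applies at depth <= {tool.max_depth}, got {depth}")
    if tool.group in applied_in_parents:
        return SearchResult(False, f"{tool.group} already applied in a parent directory")
    if tool.group in applied_here:
        return SearchResult(False, f"another {tool.group} bom tool already applied in this directory")
    return SearchResult(True, "searchable")

# Hypothetical extractors; the graphs are constructed, not parsed from real files.
def docker_extractor(path: str, files: List[str]) -> Dict[str, List[str]]:
    return {path: ["base-image"]}

def npm_lock_extractor(path: str, files: List[str]) -> Dict[str, List[str]]:
    return {path: ["dep-from-lockfile"]}

def npm_cli_extractor(path: str, files: List[str]) -> Dict[str, List[str]]:
    return {path: ["dep-from-npm-list"]}

TOOLS = [
    BomTool("Docker", "Docker", 0, lambda f: "Dockerfile" in f, docker_extractor),
    BomTool("NPM Lock", "NPM", None, lambda f: "package-lock.json" in f, npm_lock_extractor),
    BomTool("NPM CLI", "NPM", None, lambda f: "package.json" in f, npm_cli_extractor),
]

def children(tree: Dict[str, List[str]], path: str) -> List[str]:
    prefix = path + "/"
    return sorted(p for p in tree if p.startswith(prefix) and "/" not in p[len(prefix):])

def run_detect(tree: Dict[str, List[str]], root: str, tools: List[BomTool],
               max_depth: int = 0) -> Tuple[List[CodeLocation], List[Tuple[str, str, str]]]:
    """Walk the tree to max_depth, run search -> applicable -> extract for every tool,
    and return the code locations plus a decision log of (folder, tool, outcome)."""
    locations: List[CodeLocation] = []
    decisions: List[Tuple[str, str, str]] = []

    def visit(path: str, depth: int, applied_in_parents: Set[str]) -> None:
        files = tree[path]
        applied_here: Set[str] = set()
        for tool in tools:
            result = search(tool, depth, applied_in_parents, applied_here)
            if not result.searchable:
                decisions.append((path, tool.name, "not searchable: " + result.reason))
                continue
            if not tool.applies(files):
                decisions.append((path, tool.name, "not applicable"))
                continue
            graph = tool.extract(path, files)
            locations.append(CodeLocation(path, tool.name, f"{tool.group}:{path}", graph))
            applied_here.add(tool.group)
            decisions.append((path, tool.name, "extracted"))
        if depth < max_depth:
            for child in children(tree, path):
                visit(child, depth + 1, applied_in_parents | applied_here)

    visit(root, 0, set())
    return locations, decisions

if __name__ == "__main__":
    locs, log = run_detect(SAMPLE_TREE, "proj", TOOLS, max_depth=2)
    for folder, tool, outcome in log:
        print(f"{folder:18} {tool:9} {outcome}")
    print([(loc.folder, loc.bom_tool) for loc in locs])
```

With the default search depth of 0 only the root folder is visited, so just the Docker code location is produced; with `max_depth=2` the NPM Lock strategy wins in `proj/web` (suppressing NPM CLI there), NPM CLI applies in `proj/api` where no lock file exists, and nothing applies in `proj/web/vendor` because NPM already applied in its parent.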