The CBOMkit library implments commonly used functions such as indexing and scanning. Per supported language there is an indexer and a scanner. The indexer walks a given directory tree (e.g., a cloned github repo) and identifies the project modules to be scanned. A project module consists of a set of source files that provide some common functionality and that may be published as an individual software package. The scanner scans the idenified project modules and produces a scan result object that contains the resulting CBOM object and some scanning statistics.
3
+
The CBOMkit library implements commonly used functions such as indexing and scanning source codei for cryptographic assets. Currently we support the programming languages java and python. Per supported language there is an indexer and a scanner. The indexer walks a given directory tree (e.g., a cloned github repo) and identifies the project modules to be scanned. A project module consists of a set of source files that provide some common functionality and that may be published as an individual software package. The scanner scans the idenified project modules and produces a scan result object that contains the resulting CBOM and some scanning statistics.
4
4
5
-
The accuracy of the java scanner depends on the availability of build artifacts such dependency jars and compiled class files. Scanning source code only (no classes, no jars) is disabled by default as it provides the least accurate results. Source-only scanning can be enabled via `JavaScannerService.setBuildRequired(false)`. Class files can be provided via `JavaScannerService.setJavaClassDirs(String dirs)` which takes a comma-seperated list of directory glob patterns. Jars can be set via `JavaScannerService.setJavaDependencyJars(String jars)` which accepts a comma-separated list of glob patterns pointing to either directories or .jar/.zip files.
5
+
### Considerations for Java Scanning
6
+
The accuracy of the java scanner depends on the availability of build artifacts such dependency jars and compiled class files. Scanning source code only (no classes, no jars) is disabled by default as it provides the least accurate results. Source-only scanning can be enabled via [JavaScannerService.setBuildRequired(false)](src/main/java/org/pqca/scanning/java/JavaScannerService.java#L114). Class files can be provided via [JavaScannerService.addJavaClassDir(String dir)](src/main/java/org/pqca/scanning/java/JavaScannerService.java#L104) which takes a comma-seperated list of directory glob patterns. Jars can be set via [JavaScannerService.addJavaDependencyJar(String jar)](src/main/java/org/pqca/scanning/java/JavaScannerService.java#L78) which accepts a comma-separated list of glob patterns pointing to either directories or .jar/.zip files.
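Review bot: The new text in the second hunk describes `JavaScannerService.addJavaClassDir(String dir)` as taking "a comma-seperated list of directory glob patterns" and `addJavaDependencyJar(String jar)` as accepting "a comma-separated list of glob patterns", but both renamed methods take a single `dir`/`jar` argument, so either the description still reflects the old `setJavaClassDirs`/`setJavaDependencyJars` list semantics or the methods should say they are called once per pattern; please align the wording with the actual signatures. The links also pin fixed line anchors (`#L114`, `#L104`, `#L78`) that will silently drift with the next edit to `JavaScannerService.java`; linking the file, or a permalink with a commit hash, is more robust. Minor: "source codei", "idenified", "such dependency jars" (missing "as"), "comma-seperated", and lowercase "java"/"python" in the first hunk should be fixed while this paragraph is being rewritten.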