If you have need of this, please explain why by filling out the survey [here](ht
## Supported languages and package managers
GitLab relies on [`rules:exists`](../../../ci/yaml/index.md#rulesexists) to start the relevant analyzers, depending on which supported dependency files are present in the repository. The detection rules, including the two-level search depth limit, are described in [How analyzers are triggered](#how-analyzers-are-triggered).
The following languages and dependency managers are supported:
### Notes regarding supported languages and package managers
1. The presence of a `Pipfile.lock` file alone does _not_ trigger the analyzer; a `Pipfile` must also be present for the
   analyzer to run. However, if a `Pipfile.lock` file is found, `Gemnasium` uses it to scan the exact package
   versions listed in that file.
   Support for `Pipfile.lock` files without requiring the presence of a `Pipfile` is tracked in the issue
   [Dependency Scanning of Pipfile.lock without installing project dependencies](https://gitlab.com/gitlab-org/gitlab/-/issues/299294).
1. Support for [sbt](https://www.scala-sbt.org/) 1.3 and above was added in GitLab 13.9.
### How analyzers are triggered
GitLab relies on [`rules:exists`](../../../ci/yaml/index.md#rulesexists) to start the relevant analyzers for the languages detected by the presence of the
`Supported files` in the repository as shown in the [table above](#supported-languages-and-package-managers).
The current detection logic limits the maximum search depth to two levels. For example, the `gemnasium-dependency_scanning` job is enabled if
a repository contains either a `Gemfile.lock` or `api/Gemfile.lock` file, but not if the only supported dependency file is `api/client/Gemfile.lock`.
### How multiple files are processed
NOTE:
If you've run into problems while scanning multiple files, please contribute a comment to
#### Ruby

The following analyzers are executed, each of which has different behavior when processing multiple files:

- [Gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium)

  Supports multiple lockfiles.

- [bundler-audit](https://github.com/rubysec/bundler-audit)

  Does not support multiple lockfiles. When multiple lockfiles exist, `bundler-audit`
  analyzes the first lockfile discovered while traversing the directory tree in alphabetical order.
  Any other `Gemfile.lock` in the repository is not scanned by `bundler-audit`.

We execute both analyzers because they use different sources of vulnerability data. The result is a more comprehensive analysis than if only one was executed.
#### Python
We only execute one build in the directory where a requirements file has been detected, such as `requirements.txt` or any
variation of this file (for example, `requirements.pip` or `requires.txt`).
#### Java and Scala
We only execute one build in the directory where a build file has been detected, such as `build.sbt` or `build.gradle`.
We support the following types of Java project structures:
#### JavaScript

The following analyzers are executed, each of which has different behavior when processing multiple files:

- [Gemnasium](https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium)

  Supports multiple lockfiles.

- [Retire.js](https://retirejs.github.io/retire.js/)

  Does not support multiple lockfiles. When multiple lockfiles exist, `Retire.js`
  analyzes the first lockfile discovered while traversing the directory tree in alphabetical order.
  Any other lockfile in the repository is not scanned by `Retire.js`.

We execute both analyzers because they use different sources of vulnerability data. The result is a more comprehensive analysis than if only one was executed.
#### PHP, Go, C, C++, .NET, C#
The analyzer for these languages supports multiple lockfiles.
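The two behaviors above, the two-level search depth used to trigger analyzers and the single-lockfile limitation of `bundler-audit` and `Retire.js`, are easy to misjudge in a monorepo. The following script is an added example written for this page, not GitLab's or the analyzers' own code: it previews, offline, which jobs a given file listing would trigger and which lockfiles the single-lockfile analyzers would silently skip. The job-to-file mapping, the job names other than `gemnasium-dependency_scanning`, the sample repository listing, and the assumption that a started analyzer walks the whole checkout in alphabetical tree order are all assumptions made for this example rather than facts taken from this page.

```python
"""Preview GitLab Dependency Scanning file detection for a repository listing.

Added example for this documentation page, not GitLab's own code. It models
two documented behaviours: supported files are only detected up to two
directory levels deep, and bundler-audit / Retire.js analyze only the first
lockfile found while traversing the tree in alphabetical order.
"""
from pathlib import PurePosixPath

# Documented limit: `Gemfile.lock` (level 1) and `api/Gemfile.lock` (level 2)
# trigger the job, `api/client/Gemfile.lock` (level 3) does not.
MAX_LEVELS = 2

# Reduced sample mapping (assumption): which file names enable which job.
# Only `gemnasium-dependency_scanning` is named on this page; the other job
# names are assumed for the example and the real template covers more files.
TRIGGER_FILES = {
    "gemnasium-dependency_scanning": {"Gemfile.lock", "package-lock.json", "yarn.lock"},
    "bundler-audit-dependency_scanning": {"Gemfile.lock"},
    "retire-js-dependency_scanning": {"package-lock.json", "yarn.lock"},
    "gemnasium-python-dependency_scanning": {"requirements.txt", "Pipfile"},
    "gemnasium-maven-dependency_scanning": {"build.gradle", "build.sbt"},
}

# Analyzers documented as reading only the first lockfile they find.
SINGLE_LOCKFILE_JOBS = {"bundler-audit-dependency_scanning", "retire-js-dependency_scanning"}


def level(path: str) -> int:
    """Directory levels a file sits at: 'Gemfile.lock' -> 1, 'api/Gemfile.lock' -> 2."""
    return len(PurePosixPath(path).parts)


def tree_order(paths):
    """Order paths as a depth-first walk with alphabetically sorted entries visits them.

    Simplification (assumption): the analyzer's exact walk order may differ.
    """
    return sorted(paths, key=lambda p: PurePosixPath(p).parts)


def detect_jobs(repo_files, max_levels=MAX_LEVELS):
    """Return {job: [trigger files]} using only files within `max_levels` levels.

    Deeper files are ignored, mirroring the documented rules:exists depth limit.
    """
    triggered = {}
    for job, names in TRIGGER_FILES.items():
        hits = [p for p in tree_order(repo_files)
                if PurePosixPath(p).name in names and level(p) <= max_levels]
        if hits:
            triggered[job] = hits
    return triggered


def lockfile_report(repo_files, triggered):
    """For each triggered job, list the lockfiles it scans and those it skips.

    Assumption: once a job runs, the analyzer walks the whole checkout, so a
    file too deep to trigger the job still counts here. Single-lockfile
    analyzers keep only the first file in tree order.
    """
    report = {}
    for job in triggered:
        names = TRIGGER_FILES[job]
        found = [p for p in tree_order(repo_files) if PurePosixPath(p).name in names]
        if job in SINGLE_LOCKFILE_JOBS:
            report[job] = {"scanned": found[:1], "skipped": found[1:]}
        else:
            report[job] = {"scanned": found, "skipped": []}
    return report


# Constructed sample repository listing (not a real project).
SAMPLE_REPO = [
    "api/Gemfile.lock",
    "api/client/Gemfile.lock",
    "Gemfile.lock",
    "frontend/package-lock.json",
    "services/billing/yarn.lock",
    "tools/deep/nested/requirements.txt",
    "build.gradle",
]

if __name__ == "__main__":
    jobs = detect_jobs(SAMPLE_REPO)
    for job, info in lockfile_report(SAMPLE_REPO, jobs).items():
        print(f"{job}: scans {info['scanned']}, skips {info['skipped']}")
    too_deep = [p for p in SAMPLE_REPO if level(p) > MAX_LEVELS]
    print("not detected (too deep):", too_deep)
```

Run it against the output of `git ls-files` for your own repository to see which supported files are too deep to trigger a job, and which `Gemfile.lock` or `package-lock.json` files `bundler-audit` and `Retire.js` would never look at; for the latter, Gemnasium still covers every lockfile, which is why both analyzers are run.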
### Future support for additional languages
Plans are underway to support the following languages, dependency managers, and dependency files. For details, see the issue link for each.
For workarounds, see the [Troubleshooting section](#troubleshooting).