Container Vulnerability - Scanning of Language Libraries and Package Managers
How Scanning is Performed
Package scanning for programming languages works in a variety of ways:
- By scanning lockfiles that are generated by the package managers.
- By scanning binaries that are generated by the package managers.
- By scanning specific files (in a specific format) that are generated by package installations.
These files can exist in any path in a container.
Files Scanned
The files scanned for each supported language library or package manager depend on the type of integration:
Platform, Inline, and Proxy Scanner Assessments
The following table lists the types of files and file extensions that are scanned for each programming language:
| Language or Package manager | Files scanned |
|---|---|
| Java | `*.jar`, `*.war`, `*.ear`. Fat JAR files are also scanned for their dependencies. |
| Ruby | `*.gemspec` |
| PHP | `composer.lock` |
| Go | `*.sum`, and any executable binaries built by Go |
| npm | `package-lock.json`, `yarn.lock` |
| .NET | `packages.lock.json` |
| Python | `Pipfile.lock`, `poetry.lock`, `*.egg-info/PKG-INFO`, `*.dist-info/METADATA` |
| Rust | `*Cargo.lock` |
Note: For .NET packages, `*.csproj` files are not yet supported by Lacework container scanning. These files are used by Microsoft Visual Studio 2017 onwards.
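As an added illustration (not Lacework's scanner or its code), the script below walks a directory tree standing in for a container root filesystem, matches every file at any depth against the patterns in the table above, and pulls package names and versions out of two of those formats (`package-lock.json` and `*.dist-info/METADATA`). The rule for matching the directory-qualified patterns and the sample rootfs it builds are assumptions constructed for this example.

```python
import fnmatch, json, os, tempfile

# Patterns from the Platform/Inline/Proxy table. Assumption: a pattern containing "/" is
# matched against "<parent dir>/<file name>", every other pattern against the file name only.
SCAN_PATTERNS = {"Java": ["*.jar", "*.war", "*.ear"], "Ruby": ["*.gemspec"],
    "PHP": ["composer.lock"], "Go": ["*.sum"], "npm": ["package-lock.json", "yarn.lock"],
    ".NET": ["packages.lock.json"], "Rust": ["*Cargo.lock"],
    "Python": ["Pipfile.lock", "poetry.lock", "*.egg-info/PKG-INFO", "*.dist-info/METADATA"]}

def classify(path):
    """Return the language whose pattern matches this path (at any depth), or None."""
    base = os.path.basename(path)
    tail = os.path.basename(os.path.dirname(path)) + "/" + base
    for lang, patterns in SCAN_PATTERNS.items():
        if any(fnmatch.fnmatch(tail if "/" in p else base, p) for p in patterns):
            return lang
    return None

def packages_from(path, lang):
    """(name, version) pairs for the two formats parsed here; other files return []."""
    if lang == "npm" and path.endswith("package-lock.json"):
        with open(path) as fh:  # lockfileVersion 2/3: "packages" keyed by node_modules path, "" = root
            pkgs = json.load(fh).get("packages", {})
        return [(k.rsplit("node_modules/", 1)[-1], v.get("version")) for k, v in pkgs.items() if k]
    if lang == "Python" and path.endswith("METADATA"):
        with open(path) as fh:  # email-style headers; the header block ends at the first blank line
            head = fh.read().split("\n\n", 1)[0]
        hdr = dict(l.split(": ", 1) for l in head.splitlines() if ": " in l)
        return [(hdr.get("Name"), hdr.get("Version"))]
    return []

def inventory(root):  # walk a container rootfs; scannable files may sit in any path
    found = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            lang = classify(p)
            if lang:
                found.append((os.path.relpath(p, root), lang, packages_from(p, lang)))
    return sorted(found)

def build_sample_rootfs():  # constructed sample: one npm lockfile, one Python dist-info
    root = tempfile.mkdtemp()
    app = os.path.join(root, "app")
    di = os.path.join(root, "usr/lib/python3/site-packages/examplelib-4.5.6.dist-info")
    for d in (app, di): os.makedirs(d)
    with open(os.path.join(app, "package-lock.json"), "w") as fh:
        json.dump({"lockfileVersion": 3, "packages": {"": {}, "node_modules/examplepkg": {"version": "1.2.3"}}}, fh)
    with open(os.path.join(di, "METADATA"), "w") as fh:
        fh.write("Metadata-Version: 2.1\nName: examplelib\nVersion: 4.5.6\n\nDescription body.\n")
    return root
```

Point `inventory()` at an exported image filesystem to see which files a pattern-based scanner would pick up and which packages it would report.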
Agentless Workload Scanning Assessments
The following table lists the types of files and file extensions that are scanned for each programming language:
| Language or Package manager | Files scanned |
|---|---|
| Java | `*.jar`, `*.war`, `*.ear`, `pom.properties`, `MANIFEST.MF`. Fat JAR files are also scanned for their dependencies. |
| Ruby | `*Gemfile.lock` |
| PHP | `composer.lock` |
| Go | `*.sum`, and any executable binaries built by Go |
| npm | `package-lock.json`, `yarn.lock` |
| NuGet | `packages.lock.json` |
| Python | `Pipfile.lock`, `poetry.lock`, `*.egg-info/PKG-INFO`, `*.dist-info/METADATA` |
| Rust | `*Cargo.lock` |