Host Vulnerability - Scanning of Language Libraries and Package Managers
How Scanning is Performed
Note: Language library and package manager vulnerabilities can only be detected through an Agentless Workload Scanning integration.
Package scanning for programming languages works in several ways:
- By scanning lockfiles generated by the package managers (for example package-lock.json, Gemfile.lock, Cargo.lock).
- By scanning binaries produced by the language toolchain that carry their dependency list with them (for example Go executables, which embed their module information, and Java JARs).
- By scanning the metadata files, in a specific format, that package installations write to disk (for example Python *.dist-info/METADATA files).
These files can exist in any path on a host's root or secondary volumes; scanning is not limited to standard system library locations.
Files Scanned
The following table is a breakdown of the types of files and file extensions that are scanned for each programming language (when using Agentless Workload Scanning):
| Language or package manager | Files scanned |
|---|---|
| Java | *.jar, *.war, *.ear, pom.properties, MANIFEST.MF. Fat JAR files are also scanned for their bundled dependencies. |
| Ruby | *Gemfile.lock |
| PHP | composer.lock |
| Go | *.sum; any executable binaries built by Go |
| npm | package-lock.json, yarn.lock |
| NuGet | packages.lock.json |
| Python | Pipfile.lock, poetry.lock, *.egg-info/PKG-INFO, *.dist-info/METADATA |
| Rust | *Cargo.lock |
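To make the lockfile-driven approach described under "How Scanning is Performed" and the file list above concrete, here is an added example of a minimal inventory walker. It is not the vendor's scanner and does not reproduce its parsers; it walks a directory tree standing in for a mounted volume, recognises four of the file types from the table (package-lock.json, Gemfile.lock, go.sum and *.dist-info/METADATA), and extracts (ecosystem, package, version, path) records of the kind a vulnerability matcher would consume. The sample files, package names and versions are constructed for the example.

```python
"""Added example: lockfile/metadata inventory walker (not the vendor's scanner).
Walks a tree that stands in for a mounted volume and emits package records."""
import json
import os
import re
import tempfile

# Gemfile.lock: gems directly under "specs:" are indented exactly 4 spaces;
# deeper lines are that gem's own dependencies and carry version constraints.
GEM_SPEC = re.compile(r"^    (\S+) \((\S+)\)$")

def parse_package_lock(text):
    """npm package-lock.json: lockfileVersion 2/3 (flat 'packages') or 1 (nested)."""
    data = json.loads(text)
    out = []
    if "packages" in data:
        for key, meta in data["packages"].items():
            if key:  # "" is the root project itself, not a dependency
                out.append((key.rsplit("node_modules/", 1)[-1], meta.get("version", "?")))
    else:
        def walk(deps):
            for name, meta in deps.items():
                out.append((name, meta.get("version", "?")))
                walk(meta.get("dependencies", {}))
        walk(data.get("dependencies", {}))
    return out

def parse_gemfile_lock(text):
    out, in_specs = [], False
    for line in text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
        elif in_specs and line and not line.startswith(" "):
            in_specs = False  # reached PLATFORMS / DEPENDENCIES
        elif in_specs:
            m = GEM_SPEC.match(line)
            if m:
                out.append((m.group(1), m.group(2)))
    return out

def parse_go_sum(text):
    """go.sum: '<module> <version> <hash>'; '/go.mod' lines duplicate the module."""
    out = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and not parts[1].endswith("/go.mod"):
            out.add((parts[0], parts[1]))
    return sorted(out)

def parse_metadata(text):
    """*.dist-info/METADATA: email-style headers up to the first blank line."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            break
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), value.strip())
    if "Name" in fields and "Version" in fields:
        return [(fields["Name"], fields["Version"])]
    return []

# Basename -> (ecosystem, parser). Only a subset of the page's table.
PARSERS = {
    "package-lock.json": ("npm", parse_package_lock),
    "Gemfile.lock": ("rubygems", parse_gemfile_lock),
    "go.sum": ("go", parse_go_sum),
    "METADATA": ("pypi", parse_metadata),
}

def scan_volume(root):
    """Walk root (any path on the volume) and return sorted package records."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn not in PARSERS:
                continue
            if fn == "METADATA" and not dirpath.endswith(".dist-info"):
                continue  # a stray METADATA file is not Python package metadata
            eco, parser = PARSERS[fn]
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for name, version in parser(fh.read()):
                    found.append({"ecosystem": eco, "name": name, "version": version,
                                  "path": os.path.relpath(path, root)})
    return sorted(found, key=lambda r: (r["ecosystem"], r["name"], r["path"]))

# Constructed sample volume; all contents are invented for this example.
SAMPLE_FILES = {
    "srv/app/package-lock.json": json.dumps({
        "name": "app", "lockfileVersion": 3,
        "packages": {"": {"version": "1.0.0"},
                     "node_modules/lodash": {"version": "4.17.20"},
                     "node_modules/express": {"version": "4.18.2"}}}),
    "srv/app/Gemfile.lock": "GEM\n  remote: https://rubygems.org/\n  specs:\n"
                            "    rack (2.2.3)\n    rails (7.0.4)\n      rack (>= 2.2.3)\n"
                            "\nPLATFORMS\n  ruby\n",
    "usr/lib/python3/dist-packages/requests-2.28.1.dist-info/METADATA":
        "Metadata-Version: 2.1\nName: requests\nVersion: 2.28.1\n\nlong description\n",
    "srv/svc/go.sum": "golang.org/x/crypto v0.1.0 h1:AAAA=\n"
                      "golang.org/x/crypto v0.1.0/go.mod h1:BBBB=\n",
}

def scan_sample_volume():
    """Materialise SAMPLE_FILES in a temporary directory and scan it."""
    root = tempfile.mkdtemp(prefix="vol-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return scan_volume(root)

if __name__ == "__main__":
    for r in scan_sample_volume():
        print(f"{r['ecosystem']:9} {r['name']:22} {r['version']:9} {r['path']}")
```

Two details matter for correctness of an inventory like this: the Gemfile.lock parser must only take the 4-space-indented spec lines, otherwise the indented dependency constraints (such as "rack (>= 2.2.3)") would be reported as installed versions; and go.sum lists each module twice, once for the module zip and once for its go.mod, so the "/go.mod" entries are collapsed. Running the block prints one row per package found under the temporary tree, with paths relative to the volume root.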