Vulnerability scanning
Supported target files for vulnerability scanning by language.
This page lists the target files DeepSource uses for vulnerability scanning in each language. For a conceptual overview, see OSS vulnerability scanning. For setup instructions, see Scan for vulnerabilities.
Supported target files by language
Python
Supported target files:
- Pipfile
- Pipfile.lock
- poetry.lock
- pyproject.toml (with a [tool.poetry] or [tool.flit] section)
- requirements.txt
- setup.py
- uv.lock
Remediation support is limited on Python 3.6 and Python 3.7:
- Python 3.6: dependency resolution isn't possible, because the newest pip release that still runs on Python 3.6 lacks the functionality the remediation step relies on. Python 3.6 has reached end of life and support is not planned.
- Python 3.7: installing pip inside a virtual environment for Python 3.7 is not supported. Python 3.8 and later work without issues.
Go
Supported target files:
- go.mod
- go.sum
JavaScript
Supported target files:
- package.json
- package-lock.json
- yarn.lock
- pnpm-lock.yaml
- bun.lock
Java
Supported target files:
- pom.xml (Maven)
- buildscript-gradle.lockfile (Gradle)
- gradle.lockfile (Gradle)
Ruby
Supported target files:
- Gemfile
- Gemfile.lock
Rust
Supported target files:
- Cargo.toml
- Cargo.lock
Kotlin
Supported target files:
- pom.xml
C#
Supported target files:
- packages.lock.json
- .csproj files
- packages.config
- .deps.json
When a .csproj file is provided without a packages.lock.json, DeepSource attempts to generate one by running dotnet restore. This only works when every dependency is publicly accessible; for private dependencies (for example, packages served from an authenticated feed), provide a packages.lock.json file. A committed lockfile also pins the exact versions that get scanned, so findings match what your build actually restores rather than whatever a fresh restore resolves at scan time.
Generating a lockfile:
For modern PackageReference-style projects, either:
- Enable RestorePackagesWithLockFile in your .csproj:

    <PropertyGroup>
      <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
    </PropertyGroup>

- Or run:

    dotnet restore --use-lock-file

For legacy packages.config projects, run:

    nuget restore packages.config -PackagesDirectory ./packages -UseLockFile
The lockfile must be committed to your repository.
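As an added example (this is not DeepSource's own tooling), the following POSIX shell script audits a checkout for .csproj projects that have no committed packages.lock.json beside them, reports which ones already opt in via RestorePackagesWithLockFile, and can generate the missing lockfiles with dotnet restore --use-lock-file. It assumes the NuGet default of the lockfile living next to its .csproj; the sample repository it builds is constructed for the example.

```shell
#!/bin/sh
# Added example (not DeepSource tooling): find .csproj projects without a committed
# packages.lock.json so the scan never has to fall back to an ad-hoc `dotnet restore`.
# Assumes the NuGet default of packages.lock.json living next to its .csproj.
set -eu

# Report whether a .csproj opts in to lockfile generation. Prints "yes" or "no".
csproj_lockfile_enabled() {
  if grep -Eiq '<RestorePackagesWithLockFile>[[:space:]]*true[[:space:]]*</RestorePackagesWithLockFile>' "$1"; then
    echo yes
  else
    echo no
  fi
}

# One tab-separated status line per project under $1:
#   LOCKED    packages.lock.json is present beside the project
#   OPTED_IN  no lockfile yet, but RestorePackagesWithLockFile=true, so the next restore writes one
#   MISSING   neither; DeepSource would have to run dotnet restore itself
audit_projects() {
  find "$1" -name '*.csproj' -print | sort | while read -r csproj; do
    dir=$(dirname "$csproj")
    if [ -f "$dir/packages.lock.json" ]; then
      printf 'LOCKED\t%s\n' "$csproj"
    elif [ "$(csproj_lockfile_enabled "$csproj")" = yes ]; then
      printf 'OPTED_IN\t%s\n' "$csproj"
    else
      printf 'MISSING\t%s\n' "$csproj"
    fi
  done
}

# Generate a lockfile for every project that is not LOCKED. Needs the dotnet SDK and
# access to every feed the projects use; run it where private feeds are authenticated,
# since DeepSource cannot reach them, then commit the resulting packages.lock.json files.
generate_missing_lockfiles() {
  audit_projects "$1" | awk -F'\t' '$1 != "LOCKED" { print $2 }' | while read -r csproj; do
    dotnet restore "$csproj" --use-lock-file
  done
}

# Constructed sample repository (three projects, one per status) for trying the audit offline.
make_sample_repo() {
  root=$(mktemp -d)
  mkdir -p "$root/Locked" "$root/OptedIn" "$root/Missing"
  printf '<Project Sdk="Microsoft.NET.Sdk"></Project>\n' > "$root/Locked/Locked.csproj"
  printf '{ "version": 1, "dependencies": {} }\n' > "$root/Locked/packages.lock.json"
  printf '<Project Sdk="Microsoft.NET.Sdk">\n  <PropertyGroup>\n    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>\n  </PropertyGroup>\n</Project>\n' > "$root/OptedIn/OptedIn.csproj"
  printf '<Project Sdk="Microsoft.NET.Sdk"></Project>\n' > "$root/Missing/Missing.csproj"
  echo "$root"
}

# Usage: sh audit-lockfiles.sh /path/to/repo
# Without an argument only the functions are defined, so the script can be sourced.
if [ "$#" -gt 0 ]; then
  audit_projects "$1"
fi
```

Run it from the repository root before pushing; any MISSING line is a project whose scan results would depend on what dotnet restore resolves at scan time, and an OPTED_IN line means the property is set but the generated packages.lock.json has not been committed yet.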
PHP
Supported target files:
- composer.json
- composer.lock