
No Detector for Scala's SBT (Simple Build Tool) #1057

Open
amohan16 opened this issue Apr 8, 2024 · 4 comments
Labels
detector:maven The Maven detector status:requirements Full requirements are not yet known, so implementation should not be started type:feature Feature (new functionality)

Comments

@amohan16

amohan16 commented Apr 8, 2024

Currently, Component-Detection has no way to scan and detect Scala's .sbt file https://www.scala-sbt.org/ and detect if there are vulnerable libraries being added to the project. The only way for an SBT project to be scanned is to convert .sbt to .pom. This has a limitation of only doing the root project and does not apply to sub projects.

This issue is to start a conversation around whether SBT will be a supported detector alongside Maven for Scala projects.

Potential Solution:
Similar to how the Maven detector analyzes the dependency tree generated from .pom, SBT has its own way to generate the dependency tree: using the SBT shell with the command "Compile/dependencyTree", which shows the library dependency tree, including transitive dependencies.
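As an added example (not code from this issue or from the component-detection project), the sketch below parses `Compile/dependencyTree` output into a component list the way a detector would: it records whether each library is a direct or transitive dependency and which parents pulled it in, and it drops versions that SBT marks as evicted, since those are not on the classpath. The sample output, the exact line layout and the `Component` type are assumptions.

```python
import re
from dataclasses import dataclass
# Constructed sample of `sbt "Compile/dependencyTree"` output. Its layout ("[info]" prefix,
# "+-" branches, "[S]" Scala flag, "(evicted by: ...)") is an assumption, not a real build.
SAMPLE_TREE = """\
[info] com.example:my-service_2.13:0.1.0 [S]
[info]   +-com.typesafe.akka:akka-actor_2.13:2.6.19 [S]
[info]   | +-com.typesafe:config:1.4.2
[info]   | +-org.scala-lang:scala-library:2.13.8 [S]
[info]   | 
[info]   +-com.fasterxml.jackson.core:jackson-databind:2.12.0 (evicted by: 2.13.3)
[info]   +-com.fasterxml.jackson.core:jackson-databind:2.13.3
[info]   | +-com.fasterxml.jackson.core:jackson-core:2.13.3
[info]   +-org.scala-lang:scala-library:2.13.8 [S]
"""
# A tree line: optional "[info]", indentation, optional "+-" marker, group:artifact:version, rest.
LINE_RE = re.compile(
    r"^(?:\[info\]\s)?(?P<indent>[\s|]*)(?P<marker>\+-)?"
    r"(?P<coord>[^\s:]+:[^\s:]+:\S+)(?P<rest>.*)$"
)

@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str

def parse_dependency_tree(text):
    """Map each resolved Component to {"direct": bool, "parents": set}; the project root,
    evicted versions (not on the classpath) and nodes under them are left out."""
    found = {}
    stack = []  # stack[d] = Component at depth d, or None if that node was evicted
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:  # "[info]   | " connector lines and non-tree output
            continue
        comp = Component(*m.group("coord").split(":", 2))
        depth = len(m.group("indent")) // 2 if m.group("marker") else 0
        if depth > len(stack):
            raise ValueError(f"unexpected indentation: {raw!r}")
        del stack[depth:]
        parent = stack[-1] if stack else None
        evicted = "(evicted by:" in m.group("rest")
        stack.append(None if evicted else comp)
        if depth == 0 or evicted or parent is None:
            continue
        entry = found.setdefault(comp, {"direct": False, "parents": set()})
        entry["direct"] |= depth == 1  # depth 1 means declared by the project itself
        entry["parents"].add(parent)
    return found
```

Run it on the real output of each sub project (not only the root) to cover the case the issue raises, and keep the parents so a finding on a transitive library can be traced back to the direct dependency that introduced it.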

@cobya cobya added status:requirements Full requirements are not yet known, so implementation should not be started type:feature Feature (new functionality) detector:maven The Maven detector labels Apr 18, 2024
@cobya
Contributor

cobya commented Apr 18, 2024

I'd be interested in adding support for this, but I don't have a good understanding of how widespread the use of SBT is across the ecosystem. Do you have any metrics on its usage?

We are of course always open to contributions if you are interested in creating the detector following the documentation provided at https://github.com/microsoft/component-detection/blob/main/docs/creating-a-new-detector.md

@amohan16
Author

Hi, thanks for the response, much appreciated!
I do not have any metrics (nor could I easily find metrics online on Scala projects that use SBT). For us, our team uses SBT to build the Scala project, but I think the number might be smaller since Scala projects can use Maven's pom.xml for building.

I am interested in creating a detector. The documentation looks detailed enough that I can take up the task of creating a detector. Let me know if that is OK and whether there is a specified process for this repo to do so.

@cobya
Contributor

cobya commented May 15, 2024

@amohan16 we'd love to have you contribute a detector if you are open to helping here. #1110 is an example of a recently created experimental detector. https://github.com/microsoft/component-detection/blob/main/docs/creating-a-new-detector.md should have instructions to follow for setting it up.

If you run into any issues, please let me know and I'd be happy to help.

@RushabhBhansali
Contributor

RushabhBhansali commented Sep 28, 2024

It was brought to attention through a customer report that building Scala results in a pom file being generated and detected by the Maven detector of CG. While implementing this, care should be taken to ignore the pom file through Maven detection.
