
No Detector for Scala's SBT (Simple Build Tool)

Open amohan16 opened this issue 1 year ago • 4 comments

Currently today, Component-Detection has no way to scan and detect Scala's .sbt file https://www.scala-sbt.org/ and detect if there are vulnerable libraries being added to the project. The only way for a SBT project to be scanned is to convert .sbt to .pom. This has a limitation of only doing the root project and does not apply to sub projects.

This issue is to start a conversation around if SBT will be a supported detector alongside Maven for Scala projects.

Potential Solution: Similar to how the Maven detector analyzes the dependency tree generated from .pom, SBT has its own way to generate the dependency tree: running "Compile/dependencyTree" in the SBT shell prints the library dependency tree, including transitive dependencies.

amohan16 · Apr 08 '24 22:04

I'd be interested in adding support for this, but I don't have a good understanding of how widespread the use of SBT is across the ecosystem. Do you have any metrics on its usage?

We are of course always open to contributions if you are interested in creating the detector following the documentation provided at https://github.com/microsoft/component-detection/blob/main/docs/creating-a-new-detector.md

cobya · Apr 18 '24 22:04

Hi, thanks for the response, much appreciated! I do not have any metrics (nor could I easily find metrics online for Scala projects using SBT). For us, our team uses SBT to build the Scala project, but I think the number might be smaller since Scala projects can use Maven's pom.xml for building.

I am interested in creating a detector. The documentation looks detailed enough that I can take up the task of creating a detector. Let me know if that is OK and whether there is a specified process in this repo for doing so.

amohan16 · Apr 19 '24 01:04

@amohan16 we'd love to have you contribute a detector if you are open to helping here. #1110 is an example of a recently created experimental detector. https://github.com/microsoft/component-detection/blob/main/docs/creating-a-new-detector.md should have instructions to follow for setting it up.

If you run into any issues, please let me know and I'd be happy to help.

cobya · May 15 '24 19:05

It was brought to our attention through a customer report that building a Scala project results in a pom file being generated and detected by the Maven detector of CG. While implementing this, care should be taken to ensure that pom file is ignored by Maven detection.

RushabhBhansali · Sep 28 '24 22:09