Supported Languages and Package Managers

Checkmarx analyzes open source components using the following methods:

  • Analyzes the open source third-party packages themselves, for the languages listed below.

  • Analyzes the project manifest files by resolving their dependencies against customer-defined or public repositories.

If you are using CxSCA Resolver, you need to install the relevant package managers locally. For installation information, see CxSCA Resolver Package Manager Support.

The following open source code languages and package managers can be analyzed using CxSCA:

| Ecosystem/Platform | Language/Framework | Package Manager | Manifest Files (Packages marked with are required) | Repository | File Types Detected by fingerprint (SHA-1) |
|---|---|---|---|---|---|
| JVM based | Java, Kotlin, Android, Groovy, Struts, Tomcat, Spring | Maven, Gradle | Maven: pom.xml; Gradle: build.gradle, build.gradle.kts | Central Repository | .jar |
| | Scala | SBT | build.sbt | | |
| | JavaScript, TypeScript, React, Angular | NPM, Yarn, Bower | NPM: package.json, package-lock.json; Yarn: package.json, yarn.lock; Bower: bower.json | NPM | .js |
| | C#, F#, .NET, .NET Core, WCF, WPF, ASP.NET | NuGet | *.csproj, packages.config | NuGet | .dll |
| | Python, Django, Flask | PIP | requirements.txt, requirements-*.txt, requirement.txt, requirement-*.txt | PyPI | |
| | PHP, Drupal | Composer | composer.json, composer.lock | Packagist | |
| | Swift, Objective-C | Carthage, SwiftPm, CocoaPods | Carthage: Cartfile, Cartfile.private, Cartfile.resolved (Note: At least one .private or .resolved file must be included.); SwiftPm: Package.swift; CocoaPods: Podfile, Podfile.lock | GitHub | none |
| | Go [1] | GoModules | go.mod, go.sum | Golang | none |

[1] Go is only supported when using CxSCA Resolver; see https://checkmarx.atlassian.net/wiki/spaces/CD/pages/1975713967/CxSCA+Resolver+Package+Manager+Support#Go-Support-in-CxSCA.