SBOM Language and Package Manager Support
Overview
Kscope's Software Bill of Materials (SBOM) service provides comprehensive vulnerability scanning and dependency analysis across multiple programming languages and package managers. The SBOM service supports a wide range of ecosystems and package formats for thorough security analysis.
Supported Languages and Package Managers
| Language/Technology | Package Manager | Supported Files/Formats | Transitive Dependency Support |
|---|---|---|---|
| JavaScript/Node.js | npm, yarn | package-lock.json, yarn.lock | ✓ (package-lock.json only) |
| Python | pip, poetry | requirements.txt, pyproject.toml, wheel, egg | ✓ (requirements.txt only) |
| Go | Go modules | go.mod, Go binaries | ✓ |
| C#/.NET | dotnet | deps.json | ✗ |
| PHP | Composer, PECL, Pear | composer.lock | ✓ |
| Java | Maven, Gradle | jar, ear, war, par, sar, nar, native-image | ✗ |
| Ruby | gem | Gemfile.lock | ✗ |
| Rust | Cargo | cargo.lock, auditable binaries | ✗ |
| Swift | CocoaPods, Swift Package Manager | Podfile.lock, Swift package manifests | ✗ |
| Objective-C | CocoaPods | Podfile.lock | ✗ |
| C/C++ | Conan | Conan manifests | ✗ |
| Dart | pub | pubspec.lock | ✗ |
| Elixir | mix | mix.lock | ✗ |
| Erlang | rebar3 | Rebar lock files | ✗ |
| Haskell | cabal, stack | Cabal files, Stack manifests | ✗ |
System Package Managers
| Distribution/System | Package Manager | Supported Formats |
|---|---|---|
| Alpine Linux | apk | apk packages |
| Debian/Ubuntu | dpkg | dpkg packages |
| Red Hat/CentOS/Fedora | rpm | rpm packages |
| Bitnami | Bitnami | Bitnami packages |
| Nix | Nix | Outputs in /nix/store |
Additional Supported Formats
| Category | Technology | Supported Files |
|---|---|---|
| Infrastructure | Terraform | .terraform.lock.hcl |
| CI/CD | Jenkins | .jpi, .hpi plugins |
| CMS | WordPress | WordPress plugins |
| System | Linux Kernel | vmlinuz archives, .ko modules |
Getting Started
To enable SBOM analysis for repositories:
- Ensure repositories contain supported manifest files or package formats
- Configure the relevant blueprint with appropriate permissions (`reposcope`)
- Monitor results in the Kscope dashboard
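As an added pre-flight check for the first step above (example code written for this page, not Kscope's own tooling): the script walks a repository and reports which of the manifests and packaged artifacts listed in the tables it finds, and which ecosystems will get direct-dependency coverage only because their lock file has no transitive support. The filename-to-ecosystem mapping is transcribed from the tables on this page; the skipped-directory list, the report shape and the constructed sample layout in `build_sample_repo` are this example's own assumptions.

```python
"""Pre-flight check: which Kscope-supported manifests does a repository contain?

Added example, not Kscope's tooling. The filename mapping is transcribed from
the support tables on this page; the walk, skip list and report format are
this script's own assumptions.
"""
import os
import tempfile
from dataclasses import dataclass

# filename -> (ecosystem, transitive dependency support), from the language
# table. Matching is case-insensitive, so "Cargo.lock" and "cargo.lock" both hit.
MANIFESTS = {
    "package-lock.json": ("JavaScript/Node.js", True),
    "yarn.lock": ("JavaScript/Node.js", False),
    "requirements.txt": ("Python", True),
    "pyproject.toml": ("Python", False),
    "go.mod": ("Go", True),
    "deps.json": ("C#/.NET", False),
    "composer.lock": ("PHP", True),
    "gemfile.lock": ("Ruby", False),
    "cargo.lock": ("Rust", False),
    "podfile.lock": ("Swift/Objective-C", False),
    "pubspec.lock": ("Dart", False),
    "mix.lock": ("Elixir", False),
    ".terraform.lock.hcl": ("Infrastructure (Terraform)", False),
}

# Packaged artifacts recognised by extension (from the same tables); none of
# these carry transitive resolution in the tables.
EXTENSIONS = {
    ".whl": "Python (wheel)", ".egg": "Python (egg)",
    ".jar": "Java", ".war": "Java", ".ear": "Java",
    ".jpi": "CI/CD (Jenkins plugin)", ".hpi": "CI/CD (Jenkins plugin)",
    ".ko": "System (Linux kernel module)",
}

# Assumption: vendored/build trees are not the repository's own manifests.
SKIP_DIRS = {".git", "node_modules", "vendor", "target", "build", "dist"}


@dataclass(frozen=True)
class Finding:
    path: str        # path relative to the repository root, "/" separated
    ecosystem: str
    transitive: bool


def scan_repo(root):
    """Walk `root` and return a Finding for every supported manifest/artifact."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune skipped directories in place so os.walk never descends into them.
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        for name in sorted(filenames):
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            lower = name.lower()
            if lower in MANIFESTS:
                eco, transitive = MANIFESTS[lower]
                findings.append(Finding(rel, eco, transitive))
                continue
            ext = os.path.splitext(lower)[1]
            if ext in EXTENSIONS:
                findings.append(Finding(rel, EXTENSIONS[ext], False))
    return findings


def coverage_report(findings):
    """Ecosystems found, and those whose manifests give direct-only coverage."""
    with_transitive = {f.ecosystem for f in findings if f.transitive}
    direct_only = {f.ecosystem for f in findings if not f.transitive} - with_transitive
    return {
        "ecosystems": sorted({f.ecosystem for f in findings}),
        "direct_only": sorted(direct_only),
        "ready": bool(findings),  # at least one supported input for SBOM analysis
    }


def build_sample_repo(base):
    """Create a constructed sample layout (not a real project) under `base`."""
    layout = {
        "package-lock.json": "{}",
        "services/api/requirements.txt": "requests==2.31.0\n",
        "services/api/pyproject.toml": "[project]\nname = 'api'\n",
        "tools/Cargo.lock": "",
        "plugins/build.hpi": "",
        "node_modules/left-pad/package-lock.json": "{}",  # inside a skipped dir
    }
    for rel, content in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Scan the constructed sample repo; returns (report, list of found paths)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        findings = scan_repo(tmp)
        return coverage_report(findings), [f.path for f in findings]


if __name__ == "__main__":
    report, paths = demo()
    for p in paths:
        print("found:", p)
    print("direct-only ecosystems:", report["direct_only"])
```

Run against a real checkout by calling `coverage_report(scan_repo("/path/to/repo"))`; an ecosystem listed under `direct_only` (a Python project with only `pyproject.toml`, or a Rust project) is one where the table promises no transitive resolution, so adding the lock file that does support it (for example `requirements.txt`) is the fix for step one.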
For specific configuration details, refer to the relevant blueprint documentation: