microsoft / component-detection

Scans your project to determine what components you use
MIT License

No Detector for Scala's SBT (Simple Build Tool) #1057

Open amohan16 opened 3 months ago

amohan16 commented 3 months ago

Currently, Component-Detection has no way to scan Scala's .sbt file (https://www.scala-sbt.org/) and detect whether vulnerable libraries are being added to the project. The only way for an SBT project to be scanned is to convert .sbt to .pom. This has the limitation of only covering the root project and does not apply to sub-projects.

This issue is to start a conversation around whether SBT will be a supported detector alongside Maven for Scala projects.

Potential Solution: Similar to how the Maven detector analyzes the dependency tree generated from .pom, SBT has its own way to generate the dependency tree by using the SBT shell with the command "Compile/dependencyTree", which shows the library dependency tree, including transitive dependencies.
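To make the proposal above concrete, here is an added example (not code from the component-detection project or from the issue author) of how a detector could turn the rendered `Compile/dependencyTree` output into components with their parent chain. The sample output is constructed and its layout is assumed from sbt's tree rendering; the `Component` class and function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `sbt "Compile/dependencyTree"` output; the layout is
# assumed from sbt's tree rendering, not captured from a real project.
SAMPLE = """\
[info] com.example:app_2.13:0.1.0-SNAPSHOT [S]
[info]   +-ch.qos.logback:logback-classic:1.2.11
[info]   | +-ch.qos.logback:logback-core:1.2.11
[info]   | +-org.slf4j:slf4j-api:1.7.30 (evicted by: 1.7.32)
[info]   |
[info]   +-org.slf4j:slf4j-api:1.7.32
[info]   +-org.scala-lang:scala-library:2.13.8 [S]
"""

COORD_RE = re.compile(  # org:name:version, optional "[S]", optional eviction note
    r"(?P<org>[^:\s]+):(?P<name>[^:\s]+):(?P<ver>\S+)"
    r"(?:\s+\[S\])?(?:\s+\(evicted by: (?P<evicted>[^)]+)\))?\s*$"
)

@dataclass
class Component:
    org: str
    name: str
    version: str
    parent: Optional["Component"]
    evicted_by: Optional[str] = None  # set when sbt resolved a different version

def parse_dependency_tree(text: str) -> List[Component]:
    """Read the rendered tree; nesting depth is the column of the "+-" marker."""
    stack: List[Component] = []  # stack[d] is the last component seen at depth d
    found: List[Component] = []
    for raw in text.splitlines():
        body = raw[len("[info] "):] if raw.startswith("[info] ") else ""
        branch = body.find("+-")  # the root project line has no branch marker
        depth, payload = (0, body) if branch < 0 else (branch // 2, body[branch + 2:])
        m = COORD_RE.match(payload.strip())
        if not m:
            continue  # non-tree log lines and bar-only spacer rows like "[info]   |"
        parent = stack[depth - 1] if 0 < depth <= len(stack) else None
        node = Component(m["org"], m["name"], m["ver"], parent, m["evicted"])
        del stack[depth:]  # leaving a subtree drops the deeper ancestors
        stack.append(node)
        found.append(node)
    return found

def dependency_path(c: Optional[Component]) -> List[str]:
    """Root-to-leaf coordinate chain, i.e. the dependency roots for a finding."""
    return [] if c is None else dependency_path(c.parent) + [f"{c.org}:{c.name}:{c.version}"]
```

Evicted entries are kept but flagged: the evicting version is what sbt actually puts on the classpath, so a detector that reports the evicted one would produce false positives.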

cobya commented 2 months ago

I'd be interested in adding support for this, but I don't have a good understanding of how widespread the use of SBT is across the ecosystem. Do you have any metrics on its usage?

We are of course always open to contributions if you are interested in creating the detector following the documentation provided at https://github.com/microsoft/component-detection/blob/main/docs/creating-a-new-detector.md

amohan16 commented 2 months ago

Hi, thanks for the response, much appreciated! I do not have any metrics (nor could I easily find metrics online for Scala projects using SBT). For us, our team uses SBT to build the Scala project, but I think the number might be smaller since Scala projects can use Maven's pom.xml for building.

I am interested in creating a detector. The documentation looks detailed enough that I can take up the task of creating a detector. Let me know if that is OK and whether there is a specified process for this repo to do so.

cobya commented 1 month ago

@amohan16 we'd love to have you contribute a detector if you are open to helping here. #1110 is an example of a recently created experimental detector. https://github.com/microsoft/component-detection/blob/main/docs/creating-a-new-detector.md should have instructions to follow for setting it up.

If you run into any issues, please let me know and I'd be happy to help.