Engineering research - Decide next language to add to Dependency Scanning
Problem to solve
Based on the desire to add support for the following languages
- .Net Framework / Core (NuGet)
- c++
- c
- C#
Please do some research and propose which should be the first to be researched and have a proof of concept done. The PoC can be either adding support ourselves or integrating an OSS project.
Intended users
User experience goal
The same as we have today for DS, just an additional supported language
Proposal
- write down a list of requirements to add support for a new language/package manager
- investigate implementing Conan support in Gemnasium (C/C++)
- investigate implementing NuGet support in Gemnasium (.NET, C#)
- implement a PoC, either as part of the Gemnasium analyzer or by integrating an existing Open Source tool
Discovery conclusion
Both NuGet and Conan can be supported, at a similar cost.
Conan lock files (conan.lock) can be supported in Gemnasium. Users need to generate the lock file using conan graph lock, and add conan.lock to their repo.
NuGet lock files (packages.lock.json) can be supported in Gemnasium. Users need to configure their .NET project to enable lock files, and add packages.lock.json to their repo. This feature is available with NuGet 4.9 or above and with Visual Studio 2017 15.9 or above.
Lock file support involves:
- implementing a lock file parser in gemnasium
- adding a test project using this lock, and use it for QA
- updating the list of supported languages and package managers
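As an added example, not Gemnasium's own code, the following Go parser reads the NuGet packages.lock.json format discussed above (a v1 document with "dependencies" keyed by target framework, each entry carrying "type" and "resolved"); the embedded lock file is constructed for the example. Advisory matching should use the exact "resolved" version rather than the "requested" range from the .csproj, and project references carry no version at all.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)
// lockEntry mirrors one package record in packages.lock.json; only "resolved" (the
// exact version NuGet pinned) matters for advisory matching, not the requested range.
type lockEntry struct {
	Type     string `json:"type"` // "Direct", "Transitive" or "Project"
	Resolved string `json:"resolved"`
}
// Dependency is one resolved package for one target framework.
type Dependency struct {
	Framework, Name, Version string
	Direct                   bool
}
// parseNuGetLock returns every resolved package of a v1 lock file, sorted for stable
// output. Project references (type "Project") carry no version and are skipped.
func parseNuGetLock(data []byte) ([]Dependency, error) {
	var lf struct {
		Version      int                             `json:"version"`
		Dependencies map[string]map[string]lockEntry `json:"dependencies"`
	}
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, fmt.Errorf("packages.lock.json: %w", err)
	}
	if lf.Version != 1 {
		return nil, fmt.Errorf("unsupported lock file version %d", lf.Version)
	}
	var deps []Dependency
	for fw, pkgs := range lf.Dependencies {
		for name, e := range pkgs {
			if e.Type == "Project" || e.Resolved == "" {
				continue
			}
			deps = append(deps, Dependency{fw, name, e.Resolved, e.Type == "Direct"})
		}
	}
	sort.Slice(deps, func(i, j int) bool {
		return deps[i].Framework+"/"+deps[i].Name < deps[j].Framework+"/"+deps[j].Name
	})
	return deps, nil
}
// sampleLock is a constructed packages.lock.json, not taken from any real project.
const sampleLock = `{"version": 1, "dependencies": {"net6.0": {
  "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.1, )", "resolved": "13.0.1"},
  "System.Memory": {"type": "Transitive", "resolved": "4.5.4"}, "MyLib": {"type": "Project"}}}}`
```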
Dependency file support (as opposed to lock file support) could later be implemented by running conan or nuget to generate the lock file before parsing it. The lock file parsers would be reused.