Scan unmanaged dependencies for C/C++ applications
Proposal
It is common for organizations with a C++ application to have unmanaged dependencies in their source tree, that is, dependencies that are not managed by a package manager such as Conan (which we support today). Scanning those dependencies would provide better coverage across an organization along with an accurate SBOM.
Dependency types in C++
- Static Libraries
- Dynamic Libraries
- Vendor Libraries
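As an added illustration (not GitLab's implementation and not taken from the linked resources), the following Python sketch shows one heuristic such a scanner could use for vendored libraries: walk the source tree, recognise well-known libraries by the version macro in their public header, and emit CycloneDX-style component records for the SBOM. The signature table, the sample directory layout and the `pkg:generic` purl scheme are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# Signature table (constructed for this example): header name -> (component, version-macro regex).
# The macro names are the ones these projects really ship; the table is illustrative, not exhaustive.
SIGNATURES = {
    "zlib.h": ("zlib", re.compile(r'^\s*#\s*define\s+ZLIB_VERSION\s+"([^"]+)"', re.M)),
    "opensslv.h": ("openssl", re.compile(r'^\s*#\s*define\s+OPENSSL_VERSION_STR\s+"([^"]+)"', re.M)),
    "png.h": ("libpng", re.compile(r'^\s*#\s*define\s+PNG_LIBPNG_VER_STRING\s+"([^"]+)"', re.M)),
}

def scan_unmanaged(root):
    """Walk a source tree; return CycloneDX-style component dicts for vendored libraries found by header signature."""
    components = []
    for path in sorted(Path(root).rglob("*.h")):
        sig = SIGNATURES.get(path.name)
        if sig is None:
            continue  # not a header we have a signature for
        name, pattern = sig
        match = pattern.search(path.read_text(errors="ignore"))
        if not match:
            continue  # header name matched but no version macro: leave it out rather than guess
        version = match.group(1)
        components.append({
            "type": "library",
            "name": name,
            "version": version,
            "purl": f"pkg:generic/{name}@{version}",
            "evidence": path.relative_to(root).as_posix(),
        })
    return components

def build_sample_tree(root):
    """Write a constructed mini source tree: two vendored libraries plus one unrelated project header."""
    files = {
        "third_party/zlib/zlib.h": '#define ZLIB_VERSION "1.2.13"\n',
        "vendor/openssl/include/openssl/opensslv.h": '# define OPENSSL_VERSION_STR "3.0.2"\n',
        "src/util.h": "#pragma once\n",
    }
    for rel, body in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)

def scan_sample():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_unmanaged(tmp)

if __name__ == "__main__":
    for c in scan_sample():
        print(c["purl"], "<-", c["evidence"])
```

A real scanner would need far more signatures (and fallbacks such as matching file hashes against upstream releases), but the output shape is what feeds the SBOM.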
Resources:
Competitive:
- https://fossa.com/blog/how-fossa-addresses-challenges-scanning-c-and-c-code/
- https://docs.snyk.io/scan-application-code/snyk-open-source/snyk-open-source-supported-languages-and-package-managers/snyk-for-c-c++
Open-source scanners:
- Google's OSV Scanner has mentioned making progress on this