Amazon Inspector SBOM Generator comprehensive dependency collection - Amazon Inspector
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Inspector SBOM Generator comprehensive dependency collection

The Amazon Inspector SBOM Generator supports different programming languages and frameworks, which make up a robust and detailed collection of dependencies. Generating an SBOM helps you understand the composition of your software, so you can identify vulnerabilities and maintain compliance with security standards. The Amazon Inspector SBOM Generator supports the following programming languages and file formats.

Go dependency scanning

| Programming language | Package manager | Supported artifacts | Toolchain support | Development dependencies | Transitive dependencies | Private flag | Recursively |
|---|---|---|---|---|---|---|---|
| Go | Go | go.mod | N/A | N/A | N/A | N/A | Yes |
| Go | Go | go.sum | N/A | N/A | N/A | N/A | Yes |
| Go | Go | Go Binaries | Yes | N/A | N/A | N/A | Yes |
| Go | Go | GOMODCACHE | N/A | N/A | N/A | N/A | No |

go.mod/go.sum

Use go.mod and go.sum files to define and lock dependencies in Go projects. The Amazon Inspector SBOM Generator manages these files differently based on the Go toolchain version.

Key features
  • Collects dependencies from go.mod (if the Go toolchain version is 1.17 or higher)

  • Collects dependencies from go.sum (if the Go toolchain version is 1.17 or lower)

  • Parses go.mod to identify all declared dependencies and dependency versions

Example go.mod file

The following is an example of a go.mod file.

    module example.com/project

    go 1.17

    require (
        github.com/gin-gonic/gin v1.7.2
        golang.org/x/crypto v0.0.0-20210616213533-5cf6c0f8e123
    )
Example go.sum file

The following is an example of a go.sum file.

    github.com/gin-gonic/gin v1.7.2 h1:VZ7DdRl0sghbA6lVGSkX+UXO2+J0aH7RbsNugG+FA8Q=
    github.com/gin-gonic/gin v1.7.2/go.mod h1:ILZ1Ngh2f1pL1ASUj7gGk8lGFeNC8cRTaN2ZhsBNbXU=
    golang.org/x/crypto v0.0.0-20210616213533-5cf6c0f8e123 h1:b6rCu+qHze+BUsmC3CZzH8aNu8LzPZTVsNTo64OypSc=
    golang.org/x/crypto v0.0.0-20210616213533-5cf6c0f8e123/go.mod h1:K5Dkpb0Q4ewZW/EzWlQphgJcUMBCzoWrLfDOVzpTGVQ=
Note

Each of these files produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.
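The following Python script is an added example (not part of the Amazon Inspector SBOM Generator) that applies the toolchain rule from the key features above to a go.mod/go.sum pair: at Go 1.17 or higher the go.mod require list is authoritative, otherwise the go.sum module list is used, and each module is emitted as a package URL with its go.sum hash attached. The sample inputs are constructed from the examples above, and the pkg:golang purl form, the output field names and the placeholder hash on the last go.sum line are this example's own assumptions.

```python
"""Collect Go modules from a go.mod/go.sum pair and emit package URLs.

Added example, not the Amazon Inspector SBOM Generator's own code.
Sample inputs below are constructed from the page's go.mod/go.sum examples.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the page's go.mod plus one indirect and one single-line require.
GO_MOD = """\
module example.com/project

go 1.17

require (
    github.com/gin-gonic/gin v1.7.2
    golang.org/x/crypto v0.0.0-20210616213533-5cf6c0f8e123 // indirect
)

require github.com/stretchr/testify v1.7.0
"""

# Constructed sample: the page's go.sum lines plus a go.mod-only entry (placeholder hash).
GO_SUM = """\
github.com/gin-gonic/gin v1.7.2 h1:VZ7DdRl0sghbA6lVGSkX+UXO2+J0aH7RbsNugG+FA8Q=
github.com/gin-gonic/gin v1.7.2/go.mod h1:ILZ1Ngh2f1pL1ASUj7gGk8lGFeNC8cRTaN2ZhsBNbXU=
golang.org/x/crypto v0.0.0-20210616213533-5cf6c0f8e123 h1:b6rCu+qHze+BUsmC3CZzH8aNu8LzPZTVsNTo64OypSc=
golang.org/x/crypto v0.0.0-20210616213533-5cf6c0f8e123/go.mod h1:K5Dkpb0Q4ewZW/EzWlQphgJcUMBCzoWrLfDOVzpTGVQ=
github.com/stretchr/testify v1.7.0/go.mod h1:CONSTRUCTEDPLACEHOLDERHASHXXXXXXXXXXXXXXXXX=
"""

# "<module path> <version> [// indirect]" as it appears inside a require block.
REQUIRE_LINE = re.compile(r"^(?P<path>\S+)\s+(?P<ver>v\S+)(?:\s*//\s*(?P<comment>.*))?$")


def parse_go_mod(text: str) -> Tuple[Optional[Tuple[int, int]], List[dict]]:
    """Return the 'go' directive as (major, minor) and the list of required modules."""
    go_version = None
    requires: List[dict] = []
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        if line.startswith("go "):
            major, minor = line.split()[1].split(".")[:2]
            go_version = (int(major), int(minor))
        elif line == "require (":
            in_block = True
        elif in_block and line == ")":
            in_block = False
        elif in_block or line.startswith("require "):
            if not in_block:
                line = line[len("require "):]
            m = REQUIRE_LINE.match(line)
            if m:
                requires.append({"path": m["path"], "version": m["ver"],
                                 "indirect": (m["comment"] or "").strip() == "indirect"})
    return go_version, requires


def parse_go_sum(text: str) -> Dict[Tuple[str, str], Dict[str, str]]:
    """Map (module, version) -> {'zip': h1, 'mod': h1}; '/go.mod' lines hash only the manifest."""
    sums: Dict[Tuple[str, str], Dict[str, str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        path, ver, h1 = parts
        kind = "mod" if ver.endswith("/go.mod") else "zip"
        if kind == "mod":
            ver = ver[: -len("/go.mod")]
        sums.setdefault((path, ver), {})[kind] = h1
    return sums


def collect(go_mod: str, go_sum: str) -> List[dict]:
    """Choose the dependency source by toolchain version, then attach go.sum hashes."""
    go_version, requires = parse_go_mod(go_mod)
    sums = parse_go_sum(go_sum)
    if go_version is not None and go_version >= (1, 17):
        # Go 1.17+ go.mod lists every module needed for the build, so it is authoritative.
        modules = [(r["path"], r["version"], r["indirect"]) for r in requires]
    else:
        # Older go.mod files omit most indirect modules; fall back to the go.sum module list.
        modules = [(p, v, False) for (p, v) in sorted(sums)]
    components = []
    for path, ver, indirect in modules:
        hashes = sums.get((path, ver), {})
        components.append({
            "purl": f"pkg:golang/{path}@{ver}",  # purl 'golang' type; assumed output form
            "indirect": indirect,
            "h1": hashes.get("zip"),
            # A go.mod-only go.sum entry means the module's source was never downloaded,
            # so there is no hash that can verify code that ends up in the build.
            "source_verified": "zip" in hashes,
        })
    return components
```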

Go Binaries

The Amazon Inspector SBOM Generator extracts dependencies from compiled Go binaries to provide assurance about the code in use.

Key features
  • Extracts dependency information directly from Go binaries

  • Collects dependencies embedded within the binary

  • Detects and extracts the Go toolchain version used for compiling the binary.

GOMODCACHE

The Amazon Inspector SBOM Generator scans the Go module cache to collect information about installed dependencies. This cache stores downloaded modules to make sure the same versions are used across different builds.

Key features
  • Scans the GOMODCACHE directory to identify cached modules

  • Extracts detailed metadata, including module names, versions, and source URLs

Example structure

The following is an example of the GOMODCACHE structure.

    ~/go/pkg/mod/
    ├── github.com/gin-gonic/gin@v1.7.2
    └── golang.org/x/crypto@v0.0.0-20210616213533-5cf6c0f8e123
Note

This structure produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

Java dependency scanning

| Programming language | Package manager | Supported artifacts | Toolchain support | Development dependencies | Transitive dependencies | Private flag | Recursively |
|---|---|---|---|---|---|---|---|
| Java | Maven | .jar/.war/.ear SHA-1 hash collection | N/A | N/A | Yes | N/A | Yes |
| Java | Maven | pom.properties | N/A | N/A | N/A | N/A | Yes |
| Java | Maven | pom.xml | N/A | N/A | N/A | N/A | Yes |

SHA-1 hash collection (for compiled .jar, .war, .ear files)

The Amazon Inspector SBOM Generator tries to collect SHA-1 hashes for all .ear, .jar, and .war files in a project to guarantee the integrity and traceability of compiled Java artifacts.

Key features
  • Generates SHA-1 hashes for all compiled Java artifacts

Example artifact

The following is an example of a SHA-1 artifact.

    {
        "bom-ref": "comp-52",
        "type": "library",
        "name": "jul-to-slf4j",
        "version": "2.0.6",
        "hashes": [
            {
                "alg": "SHA-1",
                "content": ""
            }
        ],
        "purl": "pkg:maven/jul-to-slf4j@2.0.6",
        "properties": [
            {
                "name": "amazon:inspector:sbom_generator:source_path",
                "value": "test-0.0.1-SNAPSHOT.jar/BOOT-INF/lib/jul-to-slf4j-2.0.6.jar"
            }
        ]
    }
Note

This artifact produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

pom.properties

The pom.properties file is used in Maven projects to store project metadata, including package names and package versions. The Amazon Inspector SBOM Generator parses this file to collect project information.

Key features
  • Parses and extracts package artifacts, package groups, and package versions

Example pom.properties file

The following is an example of a pom.properties file.

    #Generated by Maven
    #Tue Mar 16 15:44:02 UTC 2021
    version=1.6.0
    groupId=net.datafaker
    artifactId=datafaker
Note

This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

pom.xml

The pom.xml file is the core configuration file for Maven projects. It contains information about the project and its dependencies. When no compiled .jar is provided, the Amazon Inspector SBOM Generator falls back to parsing the pom.xml file to resolve and collect dependencies.

Key features
  • Parses and extracts package artifacts, package groups, and package versions from pom.xml files.

Supported Maven scopes

Dependencies are collected with the following Maven scopes:

  • compile

  • provided

  • runtime

  • test

  • system

  • import

Example pom.xml file with a scope

The following is an example of a pom.xml file with a scope.

    <dependency>
        <groupId>jakarta.servlet</groupId>
        <artifactId>jakarta.servlet-api</artifactId>
        <version>6.0.0</version>
        <scope>provided</scope>
    </dependency>
    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>8.0.28</version>
        <scope>runtime</scope>
    </dependency>
Example pom.xml file without a scope

The following is an example of a pom.xml file without a scope.

    <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.17.1</version>
    </dependency>
    <dependency>
        <groupId>org.jenkins-ci.plugins</groupId>
        <artifactId>plain-credentials</artifactId>
        <version>183.va_de8f1dd5a_2b_</version>
    </dependency>
    <dependency>
        <groupId>org.jenkins-ci.plugins</groupId>
        <artifactId>jackson2-api</artifactId>
        <version>2.15.2-350.v0c2f3f8fc595</version>
    </dependency>
Note

Each of these files produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

JavaScript dependency scanning

| Programming language | Package manager | Supported artifacts | Toolchain support | Development dependencies | Transitive dependencies | Private flag | Recursively |
|---|---|---|---|---|---|---|---|
| JavaScript | Node Modules | node_modules/*/package.json | N/A | N/A | N/A | Yes | Yes |
| JavaScript | NPM | root package-lock.json (v1, v2, and v3) / root npm-shrinkwrap.json | N/A | Yes | Yes | N/A | No |
| JavaScript | PNPM | root pnpm-lock.yaml | N/A | Yes | N/A | N/A | No |
| JavaScript | YARN | root yarn.lock | N/A | Yes | N/A | N/A | No |

package.json

The package.json file is a core component of Node.js projects. It contains metadata about installed packages. The Amazon Inspector SBOM Generator scans this file to identify package names and package versions.

Key features
  • Parses the JSON file structure to extract package names and versions

  • Identifies private packages with private values

Example package.json file

The following is an example of a package.json file.

    {
        "name": "arrify",
        "private": true,
        "version": "2.0.1",
        "description": "Convert a value to an array",
        "license": "MIT",
        "repository": "sindresorhus/arrify"
    }
Note

This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

root package-lock.json

The package-lock.json file is automatically generated by npm to lock exact versions of dependencies installed for a project. It ensures consistency in environments by storing exact versions of all dependencies and their sub-dependencies. This file can distinguish between regular dependencies and development dependencies.

Key features
  • Parses the JSON file structure to extract package names and package versions

  • Supports dev dependency detection

Example package-lock.json file

The following is an example of a package-lock.json file.

    "verror": {
        "version": "1.10.0",
        "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz",
        "integrity": "sha1-OhBcoXBTr1XW4nDB+CiGguGNpAA=",
        "requires": {
            "assert-plus": "^1.0.0",
            "core-util-is": "1.0.2",
            "extsprintf": "^1.2.0"
        }
    },
    "wrappy": {
        "version": "1.0.2",
        "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
        "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=",
        "dev": true
    },
    "yallist": {
        "version": "3.0.2",
        "resolved": "https://registry.npmjs.org/yallist/-/yallist-3.0.2.tgz",
        "integrity": "sha1-hFK0u36Dx8GI2AQcGoN8dz1ti7k="
    }
Note

This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

root npm-shrinkwrap.json

npm automatically generates package-lock.json and npm-shrinkwrap.json files to lock the exact versions of dependencies installed for a project. This guarantees consistency across environments by storing the exact versions of all dependencies and sub-dependencies. The files distinguish between regular dependencies and development dependencies.

Key features
  • Parses versions 1, 2, and 3 of the package-lock JSON file structure to extract package names and versions

  • Developer dependency detection is supported (package-lock.json captures production and development dependencies, allowing tools to identify which packages are used in development environments)

  • The npm-shrinkwrap.json file is prioritized over the package-lock.json file

Example

The following is an example of a package-lock.json file.

    "verror": {
        "version": "1.10.0",
        "resolved": "https://registry.npmjs.org/verror/-/verror-1.10.0.tgz",
        "integrity": "sha1-OhBcoXBTr1XW4nDB+CiGguGNpAA=",
        "requires": {
            "assert-plus": "^1.0.0",
            "core-util-is": "1.0.2",
            "extsprintf": "^1.2.0"
        }
    },
    "wrappy": {
        "version": "1.0.2",
        "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
        "integrity": "sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=",
        "dev": true
    },
    "yallist": {
        "version": "3.0.2",
        "resolved": "https://registry.npmjs.org/yallist/-/yallist-3.0.2.tgz",
        "integrity": "sha1-hFK0u36Dx8GI2AQcGoN8dz1ti7k="
    }
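The following Python script is an added example (not part of the Amazon Inspector SBOM Generator) covering the package-lock.json and npm-shrinkwrap.json sections above: it walks the nested lockfile v1 tree shown in the example as well as the flat `packages` map of lockfile v2 and v3, keeps the dev flag per component, and prefers npm-shrinkwrap.json over package-lock.json when both are in the project root. The v1 sample is built from the page's example with one nested dependency added, the v3 sample is constructed, and the pkg:npm purl form is this example's own assumption.

```python
"""Collect npm components from package-lock.json / npm-shrinkwrap.json (lockfile v1, v2 and v3).

Added example, not the Amazon Inspector SBOM Generator's own code. The v1 sample
is built from the page's example; the v3 sample is constructed.
"""
import json
from typing import Dict, Iterator, List, Tuple

# Constructed lockfileVersion 1 sample: nested 'dependencies' tree, dev flag on wrappy.
LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "verror": {
            "version": "1.10.0",
            "requires": {"assert-plus": "^1.0.0"},
            "dependencies": {"assert-plus": {"version": "1.0.0"}},
        },
        "wrappy": {"version": "1.0.2", "dev": True},
        "yallist": {"version": "3.0.2"},
    },
})

# Constructed lockfileVersion 3 sample: flat 'packages' map keyed by install path.
LOCK_V3 = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "0.1.0"},
        "node_modules/verror": {"version": "1.10.0"},
        "node_modules/verror/node_modules/assert-plus": {"version": "1.0.0"},
        "node_modules/wrappy": {"version": "1.0.2", "dev": True},
        "node_modules/@babel/code-frame": {"version": "7.21.4", "dev": True},
    },
})


def _walk_v1(deps: dict) -> Iterator[Tuple[str, str, bool]]:
    """v1: each entry may nest its own 'dependencies' when hoisting conflicts."""
    for name, meta in deps.items():
        yield name, meta["version"], bool(meta.get("dev", False))
        yield from _walk_v1(meta.get("dependencies", {}))


def _walk_v2v3(packages: dict) -> Iterator[Tuple[str, str, bool]]:
    """v2/v3: keys are install paths; the name is everything after the last node_modules/."""
    for path, meta in packages.items():
        if path == "" or "version" not in meta:
            continue  # root project entry, or a workspace link without a version
        name = path.rsplit("node_modules/", 1)[-1]
        yield name, meta["version"], bool(meta.get("dev", False))


def to_purl(name: str, version: str) -> str:
    """purl 'npm' type (assumed output form); a scope's leading '@' is percent-encoded."""
    return f"pkg:npm/{name.replace('@', '%40', 1)}@{version}"


def collect_npm(lock: dict) -> List[dict]:
    """Return one component per name@version with a dev flag, for any lockfile version."""
    if lock.get("lockfileVersion", 1) >= 2 and "packages" in lock:
        entries = _walk_v2v3(lock["packages"])
    else:
        entries = _walk_v1(lock.get("dependencies", {}))
    dev_only: Dict[str, bool] = {}
    for name, version, dev in entries:
        purl = to_purl(name, version)
        # The same name@version can be installed at several paths; it is one component,
        # and it counts as a runtime component if any copy is non-dev.
        dev_only[purl] = dev_only.get(purl, True) and dev
    return [{"purl": p, "dev": d} for p, d in sorted(dev_only.items())]


def choose_lockfile(files: Dict[str, str]) -> dict:
    """npm-shrinkwrap.json takes precedence over package-lock.json when both exist."""
    for candidate in ("npm-shrinkwrap.json", "package-lock.json"):
        if candidate in files:
            return json.loads(files[candidate])
    raise FileNotFoundError("no npm lockfile in project root")
```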

root pnpm-lock.yaml

The pnpm-lock.yaml file is generated by pnpm to maintain a record of installed dependency versions. It also tracks development dependencies separately.

Key features
  • Parses the YAML file structure to extract package names and versions

  • Supports dev dependency detection

Example

The following is an example of a pnpm-lock.yaml file.

    lockfileVersion: 5.3

    importers:
      my-project:
        dependencies:
          lodash: 4.17.21
        devDependencies:
          jest: 26.6.3
        specifiers:
          lodash: ^4.17.21
          jest: ^26.6.3

    packages:
      /lodash/4.17.21:
        resolution:
          integrity: sha512-xyz
        engines:
          node: '>=6'
        dev: false
      /jest/26.6.3:
        resolution:
          integrity: sha512-xyz
        dev: true
Note

This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

root yarn.lock

The yarn.lock file is generated by Yarn to lock the exact versions of installed dependencies. The Amazon Inspector SBOM Generator parses this file to collect package names and package versions.

Key features
  • Parses the yarn.lock file structure to extract package names and versions

  • Supports dev dependency detection

Example yarn.lock file

The following is an example of a yarn.lock file.

    "@ampproject/remapping@npm:^2.2.0":
      version: 2.2.0
      resolution: "@ampproject/remapping@npm:2.2.0"
      dependencies:
        "@jridgewell/gen-mapping": ^0.1.0
        "@jridgewell/trace-mapping": ^0.3.9
      checksum: d74d170d06468913921d72430259424b7e4c826b5a7d39ff839a29d547efb97dc577caa8ba3fb5cf023624e9af9d09651afc3d4112a45e2050328abc9b3a2292
      languageName: node
      linkType: hard

    "@babel/code-frame@npm:^7.0.0, @babel/code-frame@npm:^7.12.13, @babel/code-frame@npm:^7.18.6, @babel/code-frame@npm:^7.21.4":
      version: 7.21.4
      resolution: "@babel/code-frame@npm:7.21.4"
      dependencies:
        "@babel/highlight": ^7.18.6
      checksum: e5390e6ec1ac58dcef01d4f18eaf1fd2f1325528661ff6d4a5de8979588b9f5a8e852a54a91b923846f7a5c681b217f0a45c2524eb9560553160cd963b7d592c
      languageName: node
      linkType: hard
Note

This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

.NET dependency scanning

| Programming language | Package manager | Supported artifacts | Toolchain support | Development dependencies | Transitive dependencies | Private flag | Recursively |
|---|---|---|---|---|---|---|---|
| .NET | .NET Core | *.deps.json | N/A | N/A | N/A | N/A | Yes |
| .NET | Nuget | Packages.config | N/A | N/A | N/A | N/A | Yes |
| .NET | Nuget | packages.lock.json | N/A | N/A | Yes | N/A | Yes |
| .NET | .NET | .csproj | N/A | N/A | N/A | N/A | Yes |

Packages.config

The Packages.config file is an XML file used by an older version of Nuget to manage project dependencies. It lists all the packages referenced by the project, including specific versions.

Key features
  • Parses XML structure to extract package IDs and versions

Example

The following is an example of a Packages.config file.

    <?xml version="1.0" encoding="utf-8"?>
    <packages>
        <package id="FluentAssertions" version="5.4.1" targetFramework="net461" />
        <package id="Newtonsoft.Json" version="11.0.2" targetFramework="net461" />
        <package id="SpecFlow" version="2.4.0" targetFramework="net461" />
        <package id="SpecRun.Runner" version="1.8.0" targetFramework="net461" />
        <package id="SpecRun.SpecFlow" version="1.8.0" targetFramework="net461" />
        <package id="SpecRun.SpecFlow.2-4-0" version="1.8.0" targetFramework="net461" />
        <package id="System.ValueTuple" version="4.5.0" targetFramework="net461" />
    </packages>
Note

This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

*.deps.json

The *.deps.json file is generated by .NET Core projects and contains detailed information about all dependencies, including paths, versions, and runtime dependencies. This file makes sure the runtime has necessary information to load correct versions of dependencies.

Key features
  • Parses the JSON structure for comprehensive dependency details

  • Extracts package names and versions in a libraries list.

Example .deps.json file

The following is an example of a .deps.json file.

    {
        "runtimeTarget": {
            "name": ".NETCoreApp,Version=v7.0",
            "signature": ""
        },
        "libraries": {
            "sample-Nuget/1.0.0": {
                "type": "project",
                "serviceable": false,
                "sha512": ""
            },
            "Microsoft.EntityFrameworkCore/7.0.5": {
                "type": "package",
                "serviceable": true,
                "sha512": "sha512-RXbRLHHWP2Z3pq8qcL5nQ6LPeoOyp8hasM5bd0Te8PiQi3RjWQR4tcbdY5XMqQ+oTO9wA8/RLhZRn/hnxlTDnQ==",
                "path": "microsoft.entityframeworkcore/7.0.5",
                "hashPath": "microsoft.entityframeworkcore.7.0.5.nupkg.sha512"
            }
        }
    }
Note

This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

packages.lock.json

The packages.lock.json file is used by newer versions of Nuget to lock exact versions of dependencies for a .NET project to guarantee the same versions are used consistently across different environments.

Key features
  • Parses the JSON structure to list locked dependencies

  • Supports both direct and transitive dependencies

  • Extracts package name and resolved versions

Example packages.lock.json file

The following is an example of a packages.lock.json file.

    {
        "version": 1,
        "dependencies": {
            "net7.0": {
                "Microsoft.EntityFrameworkCore": {
                    "type": "Direct",
                    "requested": "[7.0.5, )",
                    "resolved": "7.0.5",
                    "contentHash": "RXbRLHHWP2Z3pq8qcL5nQ6LPeoOyp8hasM5bd0Te8PiQi3RjWQR4tcbdY5XMqQ+oTO9wA8/RLhZRn/hnxlTDnQ==",
                    "dependencies": {
                        "Microsoft.EntityFrameworkCore.Abstractions": "7.0.5",
                        "Microsoft.EntityFrameworkCore.Analyzers": "7.0.5",
                        "Microsoft.Extensions.Caching.Memory": "7.0.0",
                        "Microsoft.Extensions.DependencyInjection": "7.0.0",
                        "Microsoft.Extensions.Logging": "7.0.0"
                    }
                },
                "Newtonsoft.Json": {
                    "type": "Direct",
                    "requested": "[13.0.3, )",
                    "resolved": "13.0.3",
                    "contentHash": "HrC5BXdl00IP9zeV+0Z848QWPAoCr9P3bDEZguI+gkLcBKAOxix/tLEAAHC+UvDNPv4a2d18lOReHMOagPa+zQ=="
                },
                "Microsoft.Extensions.Primitives": {
                    "type": "Transitive",
                    "resolved": "7.0.0",
                    "contentHash": "um1KU5kxcRp3CNuI8o/GrZtD4AIOXDk+RLsytjZ9QPok3ttLUelLKpilVPuaFT3TFjOhSibUAso0odbOaCDj3Q=="
                }
            }
        }
    }
Note

This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

.csproj

The .csproj file is the XML project file for .NET projects. It includes references to Nuget packages, project properties, and build configurations.

Key features
  • Parses the XML structure to extract package references

Example .csproj file

The following is an example of a .csproj file.

    <Project Sdk="Microsoft.NET.Sdk">
        <PropertyGroup>
            <TargetFramework>net7.0</TargetFramework>
            <RootNamespace>sample_Nuget</RootNamespace>
            <ImplicitUsings>enable</ImplicitUsings>
            <Nullable>enable</Nullable>
            <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
        </PropertyGroup>
        <ItemGroup>
        </ItemGroup>
        <ItemGroup>
            <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
            <PackageReference Include="Microsoft.EntityFrameworkCore" Version="7.0.5" />
        </ItemGroup>
    </Project>
Example PackageReference entries with floating versions and version ranges

The following is an example of .csproj PackageReference entries that use floating versions and version ranges.

    <PackageReference Include="ExamplePackage" Version="6.*" />
    <PackageReference Include="ExamplePackage" Version="(4.1.3,)" />
    <PackageReference Include="ExamplePackage" Version="(,5.0)" />
    <PackageReference Include="ExamplePackage" Version="[1,3)" />
    <PackageReference Include="ExamplePackage" Version="[1.3.2,1.5)" />
Note

Each of these files produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.
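The following Python script is an added example (not part of the Amazon Inspector SBOM Generator) covering the packages.lock.json and .csproj sections above: it classifies each PackageReference version as exact, floating or a range, takes the resolved version from packages.lock.json when that file exists (which also surfaces transitive packages), and leaves the purl empty where only a restore could determine the version. The .csproj and lock samples are constructed from the page's examples, and the pkg:nuget purl form and the lower-cased id matching are this example's own assumptions.

```python
"""Resolve .csproj PackageReference versions, using packages.lock.json where one exists.

Added example, not the Amazon Inspector SBOM Generator's own code. The .csproj and
lock samples are constructed from the page's examples.
"""
import json
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample: an exact pin, a NuGet lower-bound range, a floating version, a bounded range.
CSPROJ = """\
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net7.0</TargetFramework>
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
    <PackageReference Include="Microsoft.EntityFrameworkCore" Version="[7.0.5, )" />
    <PackageReference Include="ExamplePackage" Version="6.*" />
    <PackageReference Include="OtherPackage" Version="[1.3.2,1.5)" />
  </ItemGroup>
</Project>
"""

# Constructed sample lock file: two direct packages resolved, one transitive package.
LOCK = json.dumps({"version": 1, "dependencies": {"net7.0": {
    "Newtonsoft.Json": {"type": "Direct", "requested": "[13.0.3, )", "resolved": "13.0.3"},
    "Microsoft.EntityFrameworkCore": {"type": "Direct", "requested": "[7.0.5, )", "resolved": "7.0.5"},
    "Microsoft.Extensions.Primitives": {"type": "Transitive", "resolved": "7.0.0"},
}}})


def classify(version: str) -> str:
    """Classify NuGet version notation as 'exact', 'floating' or 'range'."""
    if version and version[0] in "[(" and version[-1] in "])":
        # "[13.0.3]" is an exact pin in interval notation; anything with a comma is a range.
        return "exact" if version[0] == "[" and version[-1] == "]" and "," not in version else "range"
    return "floating" if "*" in version else "exact"


def parse_csproj(xml_text: str) -> List[dict]:
    """Return every PackageReference with its requested version and the kind of that version."""
    refs = []
    for el in ET.fromstring(xml_text).iter("PackageReference"):
        name = el.get("Include")
        version = el.get("Version") or (el.findtext("Version") or "").strip()  # attribute or child
        if name and version:
            refs.append({"name": name, "requested": version, "kind": classify(version)})
    return refs


def parse_lock(lock_text: str) -> Dict[str, dict]:
    """Map lower-cased package id -> {name, version, type} across all target frameworks."""
    resolved: Dict[str, dict] = {}
    for deps in json.loads(lock_text).get("dependencies", {}).values():
        for name, meta in deps.items():
            # NuGet package ids are case-insensitive, so key on the lower-cased id.
            resolved[name.lower()] = {"name": name, "version": meta["resolved"],
                                      "type": meta.get("type", "Direct")}
    return resolved


def collect_dotnet(csproj: str, lock: Optional[str] = None) -> List[dict]:
    """Emit one component per package; purl is None when only a restore could fix the version."""
    resolved = parse_lock(lock) if lock else {}
    out, seen = [], set()
    for ref in parse_csproj(csproj):
        key = ref["name"].lower()
        seen.add(key)
        version = resolved[key]["version"] if key in resolved else None
        if version is None and ref["kind"] == "exact":
            version = ref["requested"].strip("[]")  # an exact pin needs no restore step
        out.append({**ref, "scope": "direct",  # purl 'nuget' type below is an assumed output form
                    "purl": f"pkg:nuget/{ref['name']}@{version}" if version else None})
    for key, meta in resolved.items():
        if key not in seen:  # transitive packages appear only in the lock file
            out.append({"name": meta["name"], "requested": None, "kind": "exact", "scope": "transitive",
                        "purl": f"pkg:nuget/{meta['name']}@{meta['version']}"})
    return out
```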

PHP dependency scanning

| Programming language | Package manager | Supported artifacts | Toolchain support | Development dependencies | Transitive dependencies | Private flag | Recursively |
|---|---|---|---|---|---|---|---|
| PHP | Composer | composer.lock | N/A | N/A | Yes | N/A | Yes |
| PHP | Composer | /vendor/composer/installed.json | N/A | N/A | Yes | N/A | Yes |

composer.lock

The composer.lock file is automatically generated when running the composer install or composer update commands. This file guarantees the same versions of dependencies are installed in every environment. This provides a consistent and reliable build process.

Key features
  • Parses the JSON format for structured data

  • Extracts dependency names and versions

Example composer.lock file

The following is an example of a composer.lock file.

    {
        "packages": [
            {
                "name": "nesbot/carbon",
                "version": "2.53.1",
                // TRUNCATED
            },
            {
                "name": "symfony/deprecation-contracts",
                "version": "v3.2.1",
                // TRUNCATED
            },
            {
                "name": "symfony/polyfill-mbstring",
                "version": "v1.27.0",
                // TRUNCATED
            }
        ]
        // TRUNCATED
    }
Note

This produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

/vendor/composer/installed.json

The /vendor/composer/installed.json file is located in the vendor/composer directory and provides a comprehensive list of all installed packages and package versions.

Key features
  • Parses the JSON format for structured data

  • Extracts dependency names and versions

Example /vendor/composer/installed.json file

The following is an example of a /vendor/composer/installed.json file.

    {
        "packages": [
            {
                "name": "nesbot/carbon",
                "version": "2.53.1",
                // TRUNCATED
            },
            {
                "name": "symfony/deprecation-contracts",
                "version": "v3.2.1",
                // TRUNCATED
            },
            {
                "name": "symfony/polyfill-mbstring",
                "version": "v1.27.0",
                // TRUNCATED
            }
        ]
        // TRUNCATED
    }
Note

This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

Python dependency scanning

| Programming language | Package manager | Supported artifacts | Toolchain support | Development dependencies | Transitive dependencies | Private flag | Recursively |
|---|---|---|---|---|---|---|---|
| Python | pip | requirements.txt | N/A | N/A | N/A | N/A | Yes |
| Python | Poetry | Poetry.lock | N/A | N/A | N/A | N/A | Yes |
| Python | Pipenv | Pipfile.lock | N/A | N/A | N/A | N/A | Yes |
| Python | Egg/Wheel | .egg-info/PKG-INFO | N/A | N/A | N/A | N/A | Yes |
| Python | Egg/Wheel | .dist-info/METADATA | N/A | N/A | N/A | N/A | Yes |

requirements.txt

The requirements.txt file is a widely used format in Python projects to specify project dependencies. Each line in this file includes a package with its version constraints. The Amazon Inspector SBOM Generator parses this file to identify and catalog dependencies accurately.

Key features
  • Supports the version specifiers == and ~=

  • Supports comments and complex dependency lines

Note

The version specifiers <= and >= aren't supported.

Example requirements.txt file

The following is an example of a requirements.txt file.

    flask==1.1.2
    requests==2.24.0
    numpy==1.18.5
    foo~=1.2.0
    # Comment about a dependency
    scipy. # invalid
Note

This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.
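The following Python script is an added example (not part of the Amazon Inspector SBOM Generator) of the requirements.txt handling described above: it accepts only the == and ~= specifiers, strips comments, and reports why each other line is skipped (unsupported specifier, invalid line, or pip option). The sample file is constructed from the page's example plus one line per skip case; recording the version from a ~= specifier as-is, the pkg:pypi purl form and the PEP 503 name normalisation are this example's own assumptions.

```python
"""Parse requirements.txt into package URLs, keeping only the specifiers listed as supported.

Added example, not the Amazon Inspector SBOM Generator's own code. The sample file is
constructed from the page's example plus one line for each skip case.
"""
import re
from typing import List, Tuple

# Constructed sample input.
REQUIREMENTS = """\
flask==1.1.2
requests==2.24.0   # pinned HTTP client
numpy==1.18.5
foo~=1.2.0
Django>=3.2        # range: exact version unknown without resolution
scipy.             # invalid
-r dev-requirements.txt
Pillow==9.5.0; python_version >= "3.8"
"""

# Only == and ~= name a concrete version; the captured version is recorded as-is (assumption).
SUPPORTED = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?P<op>==|~=)\s*(?P<ver>[A-Za-z0-9.!+*-]+)$"
)
UNSUPPORTED_OPS = ("<=", ">=", "<", ">", "!=", "===")


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: lower-case, runs of '.', '_' and '-' become one hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> dict:
    """Return accepted components and skipped lines, each with the reason it was skipped."""
    components: List[dict] = []
    skipped: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]           # drop trailing comments
        line = line.split(";", 1)[0].strip()  # drop environment markers such as python_version
        if not line:
            continue
        if line.startswith("-"):              # pip options: -r, -e, --index-url, ...
            skipped.append((lineno, raw, "option"))
            continue
        m = SUPPORTED.match(line)
        if m:
            components.append({
                "purl": f"pkg:pypi/{normalize_name(m['name'])}@{m['ver']}",  # purl 'pypi' type (assumed)
                "specifier": m["op"],
                "line": lineno,
            })
            continue
        reason = "unsupported specifier" if any(op in line for op in UNSUPPORTED_OPS) else "invalid"
        skipped.append((lineno, raw, reason))
    return {"components": components, "skipped": skipped}
```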

Pipfile.lock

Pipenv is a tool bringing the best of all packaging worlds (bundled, pinned, and unpinned). The Pipfile.lock locks exact versions of dependencies to facilitate deterministic builds. The Amazon Inspector SBOM Generator reads this file to list dependencies and their resolved versions.

Key features
  • Parses the JSON format for dependency resolution

  • Supports default and development dependencies

Example Pipfile.lock file

The following is an example of a Pipfile.lock file.

    {
        "default": {
            "requests": {
                "version": "==2.24.0",
                "hashes": [
                    "sha256:cc718bb187e53b8d"
                ]
            }
        },
        "develop": {
            "blinker": {
                "hashes": [
                    "sha256:1779309f71bf239144b9399d06ae925637cf6634cf6bd131104184531bf67c01",
                    "sha256:8f77b09d3bf7c795e969e9486f39c2c5e9c39d4ee07424be2bc594ece9642d83"
                ],
                "markers": "python_version >= '3.8'",
                "version": "==1.8.2"
            }
        }
    }
Note

This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

Poetry.lock

Poetry is a dependency management and packaging tool for Python. The Poetry.lock file locks exact versions of dependencies to facilitate consistent environments. The Amazon Inspector SBOM Generator extracts detailed dependency information from this file.

Key features
  • Parses the TOML format for structured data

  • Extracts dependency names and versions

Example Poetry.lock file

The following is an example of a Poetry.lock file.

    [[package]]
    name = "flask"
    version = "1.1.2"
    description = "A simple framework for building complex web applications."
    category = "main"
    optional = false
    python-versions = ">=3.5"

    [[package]]
    name = "requests"
    version = "2.24.0"
    description = "Python HTTP for Humans."
    category = "main"
    optional = false
    python-versions = ">=3.5"
Note

This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

Egg/Wheel

For globally installed Python packages, the Amazon Inspector SBOM Generator supports parsing metadata files found in the .egg-info/PKG-INFO and .dist-info/METADATA directories. These files provide detailed metadata about installed packages.

Key features
  • Extracts package names and versions

  • Supports both egg and wheel formats

Example PKG-INFO/METADATA file

The following is an example of a PKG-INFO/METADATA file.

    Metadata-Version: 1.2
    Name: Flask
    Version: 1.1.2
    Summary: A simple framework for building complex web applications.
    Home-page: https://palletsprojects.com/p/flask/
Note

This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

Ruby dependency scanning

| Programming language | Package manager | Supported artifacts | Toolchain support | Development dependencies | Transitive dependencies | Private flag | Recursively |
|---|---|---|---|---|---|---|---|
| Ruby | Bundler | Gemfile.lock | N/A | N/A | Yes | N/A | Yes |
| Ruby | Bundler | .gemspec | N/A | N/A | N/A | N/A | Yes |
| Ruby | Bundler | globally installed Gems | N/A | N/A | N/A | N/A | Yes |

Gemfile.lock

The Gemfile.lock file locks exact versions of all dependencies to make sure the same versions are used in every environment.

Key features
  • Parses the Gemfile.lock file to identify dependencies and dependency versions

  • Extracts detailed package names and package versions

Example Gemfile.lock file

The following is an example of a Gemfile.lock file.

    GEM
      remote: https://rubygems.org/
      specs:
        ast (2.4.2)
        awesome_print (1.9.2)
        diff-lcs (1.5.0)
        json (2.6.3)
        parallel (1.22.1)
        parser (3.2.2.0)
        nokogiri (1.16.6-aarch64-linux)
Note

This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

.gemspec

The .gemspec file is a RubyGem file containing metadata about a gem. The Amazon Inspector SBOM Generator parses this file to collect detailed information about a gem.

Key features
  • Parses and extracts the gem name and gem version

Note

Reference specification is not supported.

Example .gemspec file

The following is an example of a .gemspec file.

    Gem::Specification.new do |s|
      s.name = "generategem"
      s.version = "2.0.0"
      s.date = "2020-06-12"
      s.summary = "generategem"
      s.description = "A Gemspec Builder"
      s.email = "edersondeveloper@gmail.com"
      s.files = ["lib/generategem.rb"]
      s.homepage = "https://github.com/edersonferreira/generategem"
      s.license = "MIT"
      s.executables = ["generategem"]
      s.add_dependency('colorize', '~> 0.8.1')
    end

    # Not supported
    Gem::Specification.new do |s|
      s.name = &class1
      s.version = &foo.bar.version
Note

This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

Globally installed gems

The Amazon Inspector SBOM Generator supports scanning globally installed gems, which are located in standard directories, such as /usr/local/lib/ruby/gems/<ruby_version>/gems/ in Amazon EC2/Amazon ECR and ruby/gems/<ruby_version>/gems/ in Lambda. This makes sure all globally installed dependencies are identified and cataloged.

Key features
  • Identifies and scans all globally installed gems in standard directories

  • Extracts metadata and version information for each globally installed gem

Example directory structure

The following is an example of a directory structure.

    .
    └── /usr/local/lib/ruby/3.5.0/gems/
        ├── activesupport-6.1.4
        ├── concurrent-ruby-1.1.9
        └── i18n-1.8.10
Note

This structure produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

Rust dependency scanning

| Programming language | Package manager | Supported artifacts | Toolchain support | Development dependencies | Transitive dependencies | Private flag | Recursively |
|---|---|---|---|---|---|---|---|
| Rust | Cargo | Cargo.toml | N/A | N/A | N/A | N/A | Yes |
| Rust | Cargo | Cargo.lock | N/A | N/A | Yes | N/A | Yes |
| Rust | Cargo | Rust binary (built with cargo-auditable) | Yes | N/A | N/A | N/A | Yes |

Cargo.toml

The Cargo.toml file is the manifest file for Rust projects.

Key features
  • Parses the Cargo.toml file to extract the project package name and version.

Example Cargo.toml file

The following is an example of a Cargo.toml file.

    [package]
    name = "wait-timeout"
    version = "0.2.0"
    description = "A crate to wait on a child process with a timeout specified across Unix and\nWindows platforms.\n"
    homepage = "https://github.com/alexcrichton/wait-timeout"
    documentation = "https://docs.rs/wait-timeout"
    readme = "README.md"
    categories = ["os"]
    license = "MIT/Apache-2.0"
    repository = "https://github.com/alexcrichton/wait-timeout"

    [target."cfg(unix)".dependencies.libc]
    version = "0.2"

    [badges.appveyor]
    repository = "alexcrichton/wait-timeout"
Note

This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

Cargo.lock

The Cargo.lock file locks dependency versions to make sure the same versions are used whenever a project is built.

Key features
  • Parses the Cargo.lock file to identify all dependencies and dependency versions.

Example Cargo.lock file

The following is an example of a Cargo.lock file.

    # This file is automatically @generated by Cargo.
    # It is not intended for manual editing.
    [[package]]
    name = "adler32"
    version = "1.0.3"
    source = "registry+https://github.com/rust-lang/crates.io-index"

    [[package]]
    name = "aho-corasick"
    version = "0.7.4"
    source = "registry+https://github.com/rust-lang/crates.io-index"
Note

This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

Rust binaries with cargo-auditable

The Amazon Inspector SBOM Generator collects dependencies from Rust binaries built with the cargo-auditable library. This provides additional dependency information by enabling dependency extraction from compiled binaries.

Key features
  • Extracts dependency information directly from Rust binaries built with the cargo-auditable library

  • Retrieves metadata and version information for dependencies included in the binaries

Note

This file produces an output that contains a package URL. This URL can be used to specify information about software packages when generating a software bill of materials and can be included in the ScanSbom API. For more information, see package-url on the GitHub Website.

Unsupported artifacts

This section describes unsupported artifacts.

Java

The Amazon Inspector SBOM Generator only supports vulnerability detection for dependencies sourced from the mainstream Maven repository. Private or custom Maven repositories, such as Red Hat Maven and Jenkins, aren't supported. For accurate vulnerability detection, make sure Java dependencies are pulled from the mainstream Maven repository. Dependencies from other repositories won't be covered in vulnerability scans.

JavaScript

esbuild bundles

The Amazon Inspector SBOM Generator doesn't support dependency scanning for projects bundled and minified with esbuild. Source maps generated by esbuild don't include sufficient metadata (dependency names and versions) for accurate SBOM generation. For reliable results, scan the original project files, such as the node_modules/ directory and package-lock.json, before the bundling step.

package.json

The Amazon Inspector SBOM Generator doesn't support scanning the root-level package.json file for dependency information. This file only specifies package names and version ranges; it doesn't include fully resolved package versions. For accurate scanning results, use package-lock.json or other lock files, such as yarn.lock and pnpm-lock.yaml, that include resolved versions.

Dotnet

When using floating versions or version ranges in PackageReference, it becomes more challenging to determine the exact package version used in a project without performing package resolution. Floating versions and version ranges allow developers to specify a range of acceptable package versions rather than a fixed version.

Go binaries

The Amazon Inspector SBOM Generator doesn't scan Go binaries that are built with build flags configured to exclude the build ID. These build flags prevent the generator from accurately mapping the binary to its original source. Go binaries built this way aren't supported because package information can't be extracted from them. For accurate dependency scanning, make sure that Go binaries are built with default settings, including the build ID.

Rust binaries

The Amazon Inspector SBOM Generator only scans Rust binaries if the binaries are built using the cargo-auditable library. Rust binaries that don't use this library lack the metadata necessary for accurate dependency extraction. The Amazon Inspector SBOM Generator extracts the compiled Rust toolchain version starting from Rust 1.7.3, but only for binaries built in a Linux environment. For comprehensive scanning, build Rust binaries on Linux using cargo-auditable.

Note

Vulnerability detection for the Rust toolchain itself isn't supported, even if the toolchain version is extracted.