
Step 3: Packages


The Packages step enables automatic detection and import of declared dependencies from package manager manifest and lock files. Where a lock file exists it is preferred, because it records the resolved versions of both direct and transitive dependencies; a manifest on its own yields only the direct dependencies, with the version constraints the project declares rather than the versions actually installed.

Available Package Scanners

CAST SBOM Manager supports the following package managers:

Maven (Java)

Gradle (Java)

  • Default file: gradle.lockfile (fallback: build.gradle)
  • Detects: Direct and transitive dependencies (lock file) or direct dependencies only (fallback)
  • Includes: All configurations
  • Learn more about Gradle scanning

NPM (JavaScript/TypeScript)

  • Default file: package-lock.json (fallback: package.json)
  • Detects: Direct and transitive dependencies (lock file) or direct dependencies only (fallback)
  • Includes: Production dependencies (devDependencies are excluded)
  • Learn more about npm scanning

Yarn (JavaScript/TypeScript)

  • Default file: yarn.lock (fallback: package.json)
  • Detects: Direct and transitive dependencies (lock file) or direct dependencies only (fallback)
  • Includes: All resolved dependencies
  • Learn more about Yarn scanning

pip (Python)

Pipenv (Python)

  • Default file: Pipfile.lock
  • Detects: Direct and transitive dependencies
  • Includes: Production dependencies (default section only)
  • Note: A standalone Pipfile is not supported; only the lock file is
  • Learn more about Pipfile.lock scanning

Poetry (Python)

uv (Python)

Composer (PHP)

Bundler (Ruby)

  • Default file: Gemfile.lock (fallback: Gemfile)
  • Detects: Direct and transitive dependencies (lock file) or direct dependencies only (fallback)
  • Includes: All gem groups
  • Learn more about Bundler scanning

Cargo (Rust)

NuGet (.NET)

Adding Package Scanners

To add a package scanner:

  1. Select programming language - Choose the language from the dropdown (Java, JavaScript, Python, etc.)
  2. Select package manager - Choose the specific package manager for that language
  3. Location (Optional) - Specify the path to the manifest file relative to the project root
    • Leave empty to use the default file location
    • Examples: /pom.xml, /backend/package-lock.json, /requirements.txt
  4. Add - Click the "Add" button to add the scanner to your configuration

Repeat this process for each package manager you want to include.

Multiple Package Managers

You can add multiple package managers to scan different parts of your project:

  • Single-module projects: Add one package manager for the main manifest file
  • Multi-module projects: Add multiple scanners for the same package manager with different paths
    • Example: Java project with backend/pom.xml and frontend-java/pom.xml
    • Example: Python project with api/requirements.txt and worker/requirements.txt
  • Multi-language projects: Add different package managers for different languages
  • Monorepos: Add package managers for each module or service, mixing languages as needed
  • Custom paths: Specify exact manifest file locations for nested or non-standard project structures

How Package Scanners Work

  1. SBOM Manager searches the imported source for package manifest files
  2. Manifest files are parsed to extract declared dependencies
  3. Dependencies are added as components in your SBOM
  4. Initial component status is set to Undefined
  5. Component details can be enriched later using the Knowledge Base
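The following is an added example, not CAST SBOM Manager code, that models the scanner-configuration and parsing behaviour described in the Adding Package Scanners and How Package Scanners Work sections for a single package manager (npm): each scanner entry is a (package manager, location) pair, an empty location resolves to the default lock file and then the fallback manifest, the lock file yields direct and transitive production dependencies with resolved versions, the manifest fallback yields only direct dependencies with declared ranges, and every component is emitted with status Undefined. The in-memory source tree, its file contents and the helper names (`SOURCE_TREE`, `DEFAULT_FILES`, `resolve_location`, `scan`) are constructed for the example and are not part of the product.

```python
import json
import posixpath

# Constructed in-memory "imported source": relative path -> file contents (not a real project).
SOURCE_TREE = {
    "package-lock.json": json.dumps({
        "name": "shop",
        "lockfileVersion": 3,
        "packages": {
            "": {"dependencies": {"express": "^4.18.2"},
                 "devDependencies": {"jest": "^29.0.0"}},
            "node_modules/express": {"version": "4.18.2",
                                     "dependencies": {"cookie": "0.5.0"}},
            "node_modules/cookie": {"version": "0.5.0"},
            "node_modules/jest": {"version": "29.7.0", "dev": True},
        },
    }),
    "backend/package.json": json.dumps({
        "name": "api",
        "dependencies": {"fastify": "^4.0.0"},
        "devDependencies": {"eslint": "^8.0.0"},
    }),
}

# Default file and fallback per package manager, as listed on the page (npm only in this example).
DEFAULT_FILES = {"npm": ("package-lock.json", "package.json")}


def resolve_location(package_manager, location, tree=SOURCE_TREE):
    """Pick the file a scanner entry will read.

    An empty location means: try the default lock file, then the fallback manifest.
    An explicit location (leading slash = project root) is used as-is.
    Returns (path, is_lockfile); raises FileNotFoundError if nothing matches.
    """
    lock_name, fallback_name = DEFAULT_FILES[package_manager]
    explicit = location.lstrip("/")
    candidates = [explicit] if explicit else [lock_name, fallback_name]
    for path in candidates:
        if path in tree:
            return path, posixpath.basename(path) == lock_name
    raise FileNotFoundError(f"{package_manager}: none of {candidates} found")


def parse_npm_lockfile(text):
    """Direct and transitive production deps from a lockfileVersion 2/3 'packages' map."""
    lock = json.loads(text)
    packages = lock["packages"]
    direct = set(packages.get("", {}).get("dependencies", {}))
    components = []
    for key, entry in packages.items():
        if key == "" or entry.get("dev"):  # skip the root entry and dev-only packages
            continue
        name = key.rsplit("node_modules/", 1)[-1]  # also handles nested node_modules paths
        components.append({"name": name, "version": entry["version"],
                           "direct": name in direct, "resolved": True})
    return components


def parse_npm_manifest(text):
    """Fallback: only the direct production deps declared in package.json.

    Versions are the declared ranges, not resolved versions, so transitive
    dependencies cannot be derived from this file alone.
    """
    manifest = json.loads(text)
    return [{"name": name, "version": spec, "direct": True, "resolved": False}
            for name, spec in manifest.get("dependencies", {}).items()]


def scan(scanners, tree=SOURCE_TREE):
    """Run each (package_manager, location) entry and merge results into SBOM components."""
    seen, components = set(), []
    for package_manager, location in scanners:
        path, is_lock = resolve_location(package_manager, location, tree)
        parser = parse_npm_lockfile if is_lock else parse_npm_manifest  # npm-only model
        for dep in parser(tree[path]):
            key = (package_manager, dep["name"], dep["version"])
            if key in seen:  # the same package found by two scanners is one component
                continue
            seen.add(key)
            components.append({**dep, "type": package_manager, "source": path,
                               "status": "Undefined"})  # enriched later via the Knowledge Base
    return components


if __name__ == "__main__":
    # Two scanners for the same package manager with different paths (multi-module layout).
    for component in scan([("npm", ""), ("npm", "/backend/package.json")]):
        print(component)
```

Running the block shows the practical difference between the two sources: the root scanner, served by the lock file, reports express as direct and cookie as transitive with exact versions and drops the dev-only jest, while the backend scanner, which only has a package.json, reports fastify with its declared range and cannot see anything beneath it. The `resolved` flag is what a downstream vulnerability match would need to check before trusting a version.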

WARNING

Package scanners only detect declared dependencies from manifest files. They do not detect:

  • Copy-pasted code from open source projects
  • Manually included libraries not in manifest files

Use the Scanners step (next) to detect undeclared open source components.

Click Next to proceed to file scanner configuration.