Dart and Flutter Analysis

Dart and Flutter scanning supports coordinate-based matching of Dart and Flutter packages published to the pub package manager, pub.dev.

Supported Files

You can scan Dart and Flutter applications using any of the following:

  • Dart and Flutter packages as tar.gz archives that contain the package's license files (most pub.dev packages use the BSD-3-Clause license) and its src files.

  • The pubspec.yaml file containing your project dependencies (including version constraints for each dependency), environment settings and other metadata.

    Example:

    name: dcat
    description: A sample command-line application.
    version: 1.0.0
    # Some text here
    
    environment:
      sdk: ^3.6.1
    dependencies:
      dependency1: 1.0.0
      dependency2: ^2.0.0
      missing-version:
    
    dev_dependencies:
      dev_dependency1: 1.0.0

  • The pubspec.lock file, generated automatically when you run pub get, which records the exact resolved version of each dependency, including transitive dependencies.

    Example:

    # Generated by pub
    # See https://dart.dev/tools/pub/glossary#lockfile
    packages:
      dependency1:
        dependency: "direct main"
        description:
          name: dependency1
          sha256: "aaf6da266a27a4538a69295ec142cb5717d7d4e5727b84658b63e1e1509bac9c"
          url: "https://pub.dev"
        source: hosted
        version: "1.0.0"
      dependency2:
        dependency: transitive
        description:
          name: dependency2
          sha256: "bbf6da266a27a4538a69295ec142cb5717d7d4e5727b84658b63e1e1509bac9c"
          url: "https://pub.dev"
        source: hosted
        version: "2.0.0"
      dependency3:
        dependency: "direct dev"
        description:
          name: dependency3
          sha256: "ccf6da266a27a4538a69295ec142cb5717d7d4e5727b84658b63e1e1509bac9c"
          url: "https://pub.dev"
        source: hosted
        version: "1.0.0"
      missing-version:
        dependency: "direct main"
        description:
          name: missing-version
          sha256: "ddf6da266a27a4538a69295ec142cb5717d7d4e5727b84658b63e1e1509bac9c"
          url: "https://pub.dev"
        source: hosted

We recommend scanning the pubspec.lock file rather than pubspec.yaml, because the lock file pins the exact resolved versions, including transitive dependencies, while pubspec.yaml only states version constraints.

NOTE: If a pubspec.lock file is present in the same directory, the scanning process ignores the pubspec.yaml file.
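To see what a coordinate-based scan can and cannot take from a lock file, here is an added example (not Sonatype's code) that parses the nested key/value structure pub writes and extracts name, version and sha256 per package. It flags entries with no pinned version, like missing-version above, and, as an assumption of this example, entries whose source is not hosted, since those have no pub.dev coordinate to match.

```python
SAMPLE_LOCK = """\
# Constructed sample modelled on the lockfile above; not from a real project
packages:
  dependency1:
    dependency: "direct main"
    description:
      name: dependency1
      sha256: "aaf6da266a27a4538a69295ec142cb5717d7d4e5727b84658b63e1e1509bac9c"
      url: "https://pub.dev"
    source: hosted
    version: "1.0.0"
  missing-version:
    dependency: "direct main"
    description:
      name: missing-version
      sha256: "ddf6da266a27a4538a69295ec142cb5717d7d4e5727b84658b63e1e1509bac9c"
      url: "https://pub.dev"
    source: hosted
"""

def parse_lock(text):
    """Parse the nested 'key: value' mappings pub writes; lockfiles need no lists."""
    stack = [(-1, {})]                      # (indent, mapping) pairs; root mapping at -1
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                        # blank lines and comments
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")   # first colon only: URLs keep theirs
        value = value.strip().strip('"')
        while stack[-1][0] >= indent:       # climb back out of deeper mappings
            stack.pop()
        if value:                           # scalar leaf
            stack[-1][1][key] = value
        else:                               # a nested mapping follows on deeper lines
            stack[-1][1][key] = {}
            stack.append((indent, stack[-1][1][key]))
    return stack[0][1]

def lock_coordinates(text):
    """Map package name -> coordinate fields plus reasons a scan cannot match it."""
    out = {}
    for name, pkg in parse_lock(text).get("packages", {}).items():
        desc = pkg.get("description") if isinstance(pkg.get("description"), dict) else {}
        issues = []                         # sdk packages use a bare string description
        if "version" not in pkg:
            issues.append("no pinned version, so no coordinate can be built")
        if pkg.get("source") != "hosted":
            issues.append("source %r is not a pub.dev hosted package" % pkg.get("source"))
        out[name] = {"version": pkg.get("version"), "sha256": desc.get("sha256"), "issues": issues}
    return out
```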

Steps to scan

Invoke a CLI scan of a directory or sub-directories containing the target files.

java -jar [sonatype-cli] -a [username:password] -i [application-id] -s [server-url] [scan-target]
java -jar nexus-iq-cli-2.2.0-SNAPSHOT.jar -a admin:admin123 -i TestApp1 -t build -s http://localhost:8070 C:\temp\pubspec.zip

When the scan completes successfully (status: completed), the output includes links to the scan reports:

[INFO] Policy Action: Warning
[INFO] Summary of policy violations: 4 critical, 85 severe, 46 moderate
[INFO] The detailed report can be viewed online at http://localhost:8070/ui/links/application/TestApp1/report/95c4c14e
[INFO] The application priorities can be viewed online at http://localhost:8070/ui/links/developer/priorities/TestApp1/95c4c14e/cli

The detailed report URL opens the application composition report in Lifecycle.

The priorities URL opens the Priorities page in Developer.