Skip to main content

Dart and Flutter Analysis

Dart and Flutter scanning supports coordinate-based matching of Dart and Flutter packages from the pub package manager pub.dev.

Supported Files

You can scan Dart and Flutter applications using any of the following:

  • Dart and Flutter packages in the form of tar.gz files that contain the license files (mostly under BSD3 license) and src files.

  • The pubspec.yaml file containing your project dependencies (including version constraints for each dependency), environment settings and other metadata.

    Example:

    name: dcat
description: A sample command-line application.
version: 1.0.0
# Some text here

environment:
  sdk: ^3.6.1
dependencies:
  dependency1: 1.0.0
  dependency2: ^2.0.0
  missing-version:

dev_dependencies:
  dev_dependency1: 1.0.0

  • The pubspec.lock file that is automatically generated when you run pub get, containing the exact version of the dependency, including transitive dependencies.

    Example

    # Generated by pub
# See https://dart.dev/tools/pub/glossary#lockfile
packages:
  dependency1:
    dependency: "direct main"
    description:
      name: dependency1
      sha256: "aaf6da266a27a4538a69295ec142cb5717d7d4e5727b84658b63e1e1509bac9c"
      url: "https://pub.dev"
    source: hosted
    version: "1.0.0"
  dependency2:
    dependency: transitive
    description:
      name: dependency2
      sha256: "bbf6da266a27a4538a69295ec142cb5717d7d4e5727b84658b63e1e1509bac9c"
      url: "https://pub.dev"
    source: hosted
    version: "2.0.0"
  dependency3:
    dependency: "direct dev"
    description:
      name: dependency3
      sha256: "ccf6da266a27a4538a69295ec142cb5717d7d4e5727b84658b63e1e1509bac9c"
      url: "https://pub.dev"
    source: hosted
    version: "1.0.0"
  missing-version:
    dependency: "direct main"
    description:
      name: missing-version
      sha256: "ddf6da266a27a4538a69295ec142cb5717d7d4e5727b84658b63e1e1509bac9c"
      url: "https://pub.dev"
    source: hosted

We recommend scanning the pubspec.lock file over pubspec.yaml.

NOTE: The pubspec.yaml is ignored by the scanning process if there is a pubspec.lock in the same directory.

Steps to scan

Invoke a CLI scan of a directory or sub-directories containing the target files.

java -jar [sonatype-cli] -a [username:password] -i [--application-id] -s [--server-url] [scan-target]
java -jar nexus-iq-cli-2.2.0-SNAPSHOT.jar -a admin:admin123 -i TestApp1 -t build -s http://localhost:8070 C:\temp\pubspec.zip

On successful completion of the scan (status - completed), the output will include links to view the scan reports:

[INFO] Policy Action: Warning
[INFO] Summary of policy violations: 4 critical, 85 severe, 46 moderate
[INFO] The detailed report can be viewed online at http://localhost:8070/ui/links/application/TestApp1/report/95c4c14e
[INFO] The application priorities can be viewed online at http://localhost:8070/ui/links/developer/priorities/TestApp1/95c4c14e/cli

The Detailed Report URL - link takes you to the application composition report in Lifecycle.

The Priorities URL - link takes you to the Priorities page in Developer.