Dart and Flutter Analysis
Dart and Flutter scanning supports coordinate-based matching of Dart and Flutter packages from the pub package manager pub.dev.
Supported Files
You can scan Dart and Flutter applications using any of the following:

Dart and Flutter packages in the form of tar.gz files that contain the license files (mostly under the BSD3 license) and src files.

The pubspec.yaml file containing your project dependencies (including version constraints for each dependency), environment settings and other metadata. Example:
    name: dcat
    description: A sample command-line application.
    version: 1.0.0
    # Some text here
    environment:
      sdk: ^3.6.1
    dependencies:
      dependency1: 1.0.0
      dependency2: ^2.0.0
      missing-version:
    dev_dependencies:
      dev_dependency1: 1.0.0
The pubspec.lock file that is automatically generated when you run pub get, containing the exact resolved version of each dependency, including transitive dependencies. Example:
    # Generated by pub
    # See https://dart.dev/tools/pub/glossary#lockfile
    packages:
      dependency1:
        dependency: "direct main"
        description:
          name: dependency1
          sha256: "aaf6da266a27a4538a69295ec142cb5717d7d4e5727b84658b63e1e1509bac9c"
          url: "https://pub.dev"
        source: hosted
        version: "1.0.0"
      dependency2:
        dependency: transitive
        description:
          name: dependency2
          sha256: "bbf6da266a27a4538a69295ec142cb5717d7d4e5727b84658b63e1e1509bac9c"
          url: "https://pub.dev"
        source: hosted
        version: "2.0.0"
      dependency3:
        dependency: "direct dev"
        description:
          name: dependency3
          sha256: "ccf6da266a27a4538a69295ec142cb5717d7d4e5727b84658b63e1e1509bac9c"
          url: "https://pub.dev"
        source: hosted
        version: "1.0.0"
      missing-version:
        dependency: "direct main"
        description:
          name: missing-version
          sha256: "ddf6da266a27a4538a69295ec142cb5717d7d4e5727b84658b63e1e1509bac9c"
          url: "https://pub.dev"
        source: hosted
We recommend scanning the pubspec.lock file over pubspec.yaml.

NOTE: The pubspec.yaml is ignored by the scanning process if there is a pubspec.lock in the same directory.
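The lockfile fields shown above are what coordinate-based matching works from: a package is identified by its name plus its exact resolved version, so an entry with no version line (like missing-version) or one whose source is not a pub.dev-hosted package has no pub.dev coordinate to match. The Python script below is an added example, not part of this page or of Sonatype's tooling. It parses a constructed pubspec.lock (modelled on the example above, with a hypothetical path-sourced package named local_tool added to show a non-hosted entry) without any third-party YAML library, extracts the per-package coordinates, and reports entries the scanner would not be able to match, so you can check the lockfile before submitting it.

```python
"""Extract package coordinates from a Dart pubspec.lock for supply-chain review.

Added example; not Sonatype's own code. Parses the nested-mapping subset of
YAML that pub writes (2-space indent, quoted or bare scalars) and reports the
fields a coordinate-based scanner matches on, flagging unmatchable entries.
"""
from __future__ import annotations

# Constructed sample lockfile, modelled on the page's example; the
# hypothetical path-sourced package local_tool is added for illustration.
SAMPLE_LOCK = """\
# Generated by pub
# See https://dart.dev/tools/pub/glossary#lockfile
packages:
  dependency1:
    dependency: "direct main"
    description:
      name: dependency1
      sha256: "aaf6da266a27a4538a69295ec142cb5717d7d4e5727b84658b63e1e1509bac9c"
      url: "https://pub.dev"
    source: hosted
    version: "1.0.0"
  local_tool:
    dependency: "direct dev"
    description:
      path: "../local_tool"
      relative: true
    source: path
    version: "0.1.0"
  missing-version:
    dependency: "direct main"
    description:
      name: missing-version
      sha256: "ddf6da266a27a4538a69295ec142cb5717d7d4e5727b84658b63e1e1509bac9c"
      url: "https://pub.dev"
    source: hosted
"""


def _scalar(value: str):
    """Unquote a YAML scalar; map true/false to bool, leave the rest as str."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    if value in ("true", "false"):
        return value == "true"
    return value


def parse_lock(text: str) -> dict:
    """Parse the lockfile into nested dicts, using indentation as nesting depth."""
    root: dict = {}
    stack: list[tuple[int, dict]] = [(-1, root)]  # (indent, mapping being filled)
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or full-line comment
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = stripped.partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:  # climb back out to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if value == "":  # "key:" with nothing after it opens a nested mapping
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = _scalar(value)
    return root


def extract_coordinates(lock: dict) -> list[dict]:
    """One record per package with the fields a coordinate-based scanner needs."""
    records = []
    for pkg, entry in lock.get("packages", {}).items():
        desc = entry.get("description", {})
        if not isinstance(desc, dict):
            desc = {}  # sdk-sourced packages carry a bare string description
        records.append({
            "name": desc.get("name", pkg),
            "version": entry.get("version"),
            "source": entry.get("source"),
            "kind": entry.get("dependency"),
            "sha256": desc.get("sha256"),
            "url": desc.get("url"),
        })
    return records


def review(records: list[dict]) -> list[tuple[str, str]]:
    """Flag packages that cannot be matched to a pub.dev coordinate."""
    findings = []
    for r in records:
        if r["version"] is None:
            findings.append((r["name"], "missing-version"))
        if r["source"] != "hosted":
            findings.append((r["name"], "not-hosted"))
        elif r["url"] != "https://pub.dev":
            findings.append((r["name"], "hosted-elsewhere"))
        elif not r["sha256"]:
            findings.append((r["name"], "no-digest"))
    return findings


if __name__ == "__main__":
    recs = extract_coordinates(parse_lock(SAMPLE_LOCK))
    for rec in recs:
        print(f"{rec['name']:16} {rec['version'] or '?':8} {rec['source']:7} {rec['kind']}")
    for name, code in review(recs):
        print(f"WARN {name}: {code}")
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the file's contents; entries reported as missing-version or not-hosted are the ones that will not resolve to a pub.dev coordinate and therefore need to be scanned as package contents (the tar.gz form described above) rather than by coordinate.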
Steps to scan
Invoke a CLI scan of a directory or sub-directories containing the target files.
java -jar [sonatype-cli] -a [username:password] -i [--application-id] -s [--server-url] [scan-target]
java -jar nexus-iq-cli-2.2.0-SNAPSHOT.jar -a admin:admin123 -i TestApp1 -t build -s http://localhost:8070 C:\temp\pubspec.zip
On successful completion of the scan (status - completed), the output will include links to view the scan reports:
[INFO] Policy Action: Warning
[INFO] Summary of policy violations: 4 critical, 85 severe, 46 moderate
[INFO] The detailed report can be viewed online at http://localhost:8070/ui/links/application/TestApp1/report/95c4c14e
[INFO] The application priorities can be viewed online at http://localhost:8070/ui/links/developer/priorities/TestApp1/95c4c14e/cli
The Detailed Report URL links to the application composition report in Lifecycle.
The Priorities URL links to the Priorities page in Developer.