Open Source Vulnerability Analysis

The Lift Open Source Vulnerability Analyzer provides insights on vulnerabilities found in dependencies used throughout your application. Vulnerable dependencies are highlighted within each pull request, helping you focus on changes at the time of implementation.

For more on the languages and systems Lift analyzes, see the table below and the language-specific subpages. For more on analyzing the dependencies of your repository, see Dependency View.

The Open Source Vulnerability Analyzer is not available on-prem (see Nexus Lifecycle for on-prem SCA analysis).

Available Ecosystems

| Language | Build system | Scan file required | Manifest scanning | Transitive dependencies¹ | Transitive dependency highlighting² | Notes |
|---|---|---|---|---|---|---|
| Java | Maven | pom.xml | ✓³ | ✓ | ✓ | |
| Java | Gradle | build.gradle, build.gradle.kts | ✓³ | ✓ | ✓ | Modules of a multi-module project are scanned individually, therefore vulnerabilities are only highlighted at the module level. |
| Javascript | npm | package-lock.json⁴ | ✓ | ✓ | ✓ | |
| Javascript | Yarn | yarn.lock⁴ | ✓ | ✓ | ✓ | |
| Golang | Go modules | go.mod | ✓ | ✓ | | All transitive dependencies are scanned, but highlighting the responsible direct dependency is not currently enabled. |
| Python | Python | requirements.txt⁴ | ✓ | ✓ | | All dependencies listed will be scanned and may include development and platform dependencies. |
| Rust | Cargo | Cargo.lock⁴ | ✓ | ✓ | ✓ | |

1 - The ecosystem has the capability to scan all direct and transitive dependencies for the project.

2 - For ecosystems with this column checked, Lift identifies the specific line in the manifest that brings in the problem dependency. Without this, Lift only knows that a vulnerable dependency is present, not where it is declared, so it reports the finding but cannot attribute it to the root (direct) dependency.

3 - These build systems have "Advanced Manifest scanning". When scanned by Lift, a build is performed allowing Lift to generate and analyze a full dependency tree.

4 - Lift requires these files to be committed to your repository. They are representations of the full dependency tree and allow Lift to analyze transitive dependencies.
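One way to check this before opening a pull request, as an added example that is not part of Lift: feed the output of `git ls-files` to the function below, which reports directories where a manifest is committed but the scan file Lift needs is not. Using tracked paths rather than the working tree matters because a lockfile listed in .gitignore exists locally but never reaches Lift. The manifest names used to detect npm/Yarn and Cargo projects (package.json, Cargo.toml) are assumptions not stated on this page.

```python
import posixpath
from collections import defaultdict

# Manifest that signals an ecosystem -> scan files Lift needs committed
# (any one alternative is enough). Maven, Gradle, Go modules and Python
# need nothing extra: their manifest is the scan file.
REQUIRED_SCAN_FILES = {
    "package.json": ("package-lock.json", "yarn.lock"),  # npm / Yarn (assumed manifest name)
    "Cargo.toml": ("Cargo.lock",),                       # Cargo (assumed manifest name)
}

def find_missing_scan_files(tracked_paths):
    """Given tracked paths (one per line, as printed by `git ls-files`),
    return {directory: [(manifest, [acceptable scan files]), ...]} for every
    directory holding a manifest whose required scan file is not committed."""
    names_by_dir = defaultdict(set)
    for path in tracked_paths:
        path = path.strip()
        if path:
            directory, name = posixpath.split(path)
            names_by_dir[directory or "."].add(name)
    missing = {}
    for directory, names in sorted(names_by_dir.items()):
        for manifest, alternatives in REQUIRED_SCAN_FILES.items():
            if manifest in names and not any(a in names for a in alternatives):
                missing.setdefault(directory, []).append((manifest, list(alternatives)))
    return missing

# Constructed `git ls-files` output for a monorepo (not a real project).
# services/api has no lockfile; services/worker never committed Cargo.lock.
SAMPLE_GIT_LS_FILES = """\
package.json
package-lock.json
services/api/package.json
services/worker/Cargo.toml
services/worker/src/main.rs
tools/go.mod
tools/requirements.txt
"""

if __name__ == "__main__":
    report = find_missing_scan_files(SAMPLE_GIT_LS_FILES.splitlines())
    for directory, problems in report.items():
        for manifest, alternatives in problems:
            print(f"{directory}: {manifest} is committed but none of "
                  f"{', '.join(alternatives)} is; Lift cannot analyze "
                  "transitive dependencies here")
```

Run it from the repository root as `git ls-files | python check_scan_files.py` after replacing the sample input with `sys.stdin`.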

Unless stated otherwise, development dependencies (such as dependencies listed under 'devDependencies' for npm) are not included as part of the scan.