Open Source Vulnerability Analysis
The Lift Open Source Vulnerability Analyzer provides insights on vulnerabilities found in dependencies used throughout your application. Vulnerable dependencies are highlighted within each pull request, helping you focus on changes at the time of implementation.
For the languages and build systems Lift analyzes, see the table below and the language-specific subpages. For analyzing the dependencies of a repository as a whole, see Dependency View.
Available Ecosystems
Language | Build system | Scan file required | Manifest scanning | Transitive dependencies¹ | Transitive dependency highlighting² | Notes
---|---|---|---|---|---|---
Java | Maven | pom.xml | | | |
Java | Gradle | build.gradle, build.gradle.kts | | | | Modules of a multi-module project are scanned individually, so vulnerabilities are only highlighted at the module level.
JavaScript | npm | package-lock.json⁴ | | | |
JavaScript | Yarn | yarn.lock⁴ | | | |
Go | Go modules | go.mod | | | | All transitive dependencies are scanned, but highlighting the responsible direct dependency is not currently enabled.
Python | Python | requirements.txt⁴ | | | | All dependencies listed are scanned, which may include development and platform dependencies.
Rust | Cargo | Cargo.lock⁴ | | | |
¹ The ecosystem can scan all direct and transitive dependencies of the project.
² Ecosystems with this column checked identify the specific line in the manifest that brings in the vulnerable dependency. Without it, Lift only knows that the dependency is present, not where it comes from, so it still reports the finding but cannot attribute it to the direct (root) dependency that pulled it in.
³ These build systems have "Advanced Manifest scanning": when Lift scans them it performs a build, which lets it generate and analyze the full dependency tree.
⁴ Lift requires these files to be committed to your repository. They represent the full dependency tree and allow Lift to analyze transitive dependencies.
Unless stated otherwise, development dependencies (such as those listed under `devDependencies` in an npm package.json) are not included in the scan.
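Because the scan files in the table (and, per footnote ⁴, the lockfiles in particular) must actually be committed for Lift to see the full tree, a repository can silently get partial coverage when a lockfile is gitignored or never generated. The following script is an added example, not part of the Lift documentation or product: a pre-commit style check that walks a repository, reports each scan file from the table as present or gitignored, and flags a lockfile that is missing next to its companion manifest. The companion manifests (package.json for npm/Yarn, Cargo.toml for Cargo), the skipped directories, and the simplified basename/fnmatch approximation of .gitignore matching are my assumptions; the sample repository layout it builds is constructed for the demonstration.

```python
"""Added example (not Lift's code): check that the scan files Lift needs are
present and committable. The .gitignore matcher is a simplified approximation
of git's rules (assumption: no negation patterns, no nested .gitignore files)."""
from __future__ import annotations

import fnmatch
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Build system, scan file names (from the Available Ecosystems table),
# companion manifest whose presence implies the ecosystem (assumption:
# package.json / Cargo.toml), and whether footnote 4 requires the file
# to be committed.
ECOSYSTEMS = [
    ("Maven", ["pom.xml"], None, False),
    ("Gradle", ["build.gradle", "build.gradle.kts"], None, False),
    ("npm", ["package-lock.json"], "package.json", True),
    ("Yarn", ["yarn.lock"], "package.json", True),
    ("Go modules", ["go.mod"], None, False),
    ("Python", ["requirements.txt"], None, True),
    ("Cargo", ["Cargo.lock"], "Cargo.toml", True),
]
SKIP_DIRS = {".git", "node_modules", "target", "build", ".venv"}  # assumption


@dataclass(frozen=True)
class Finding:
    build_system: str
    path: str    # repository-relative POSIX path
    status: str  # "ok" (committable), "ignored" (excluded by .gitignore), "missing"


def load_gitignore(root: Path) -> list[str]:
    """Patterns from the root .gitignore minus comments, blanks and negations."""
    gi = root / ".gitignore"
    if not gi.is_file():
        return []
    lines = [ln.strip() for ln in gi.read_text().splitlines()]
    return [ln.rstrip("/") for ln in lines if ln and not ln.startswith(("#", "!"))]


def is_ignored(rel_path: str, patterns: list[str]) -> bool:
    """Approximate git semantics: a pattern containing a slash is anchored at
    the repo root and compared with the path and each ancestor directory;
    a pattern without a slash matches any single path component."""
    parts = rel_path.split("/")
    prefixes = ["/".join(parts[: i + 1]) for i in range(len(parts))]
    for pat in patterns:
        if "/" in pat:
            if any(fnmatch.fnmatch(p, pat.lstrip("/")) for p in prefixes):
                return True
        elif any(fnmatch.fnmatch(part, pat) for part in parts):
            return True
    return False


def check_repo(root: Path) -> list[Finding]:
    """Report every scan file found (ok/ignored) and, for lockfile ecosystems,
    a companion manifest that has no lockfile beside it (missing)."""
    root = root.resolve()
    patterns = load_gitignore(root)
    findings: list[Finding] = []
    companions: dict[str, tuple[list[str], list[str]]] = {}
    for system, files, companion, required in ECOSYSTEMS:
        if companion and required:
            labels, names = companions.setdefault(companion, ([], []))
            labels.append(system)
            names.extend(files)

    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        present = set(filenames)
        rel = (lambda n: n) if rel_dir == "." else (lambda n: f"{rel_dir}/{n}")
        for system, files, _c, _r in ECOSYSTEMS:
            for name in files:
                if name in present:
                    status = "ignored" if is_ignored(rel(name), patterns) else "ok"
                    findings.append(Finding(system, rel(name), status))
        for companion, (labels, names) in companions.items():
            if companion in present and not any(n in present for n in names):
                findings.append(Finding("/".join(labels), rel(companion), "missing"))
    return findings


def problems(findings: list[Finding]) -> list[Finding]:
    """Findings that would keep Lift from analyzing the full dependency tree."""
    return [f for f in findings if f.status != "ok"]


def build_sample_repo() -> Path:
    """Constructed sample layout (not a real project): an npm app whose lockfile
    is gitignored, a Rust crate with no Cargo.lock, and a healthy Go module."""
    root = Path(tempfile.mkdtemp(prefix="lift-scanfiles-"))
    (root / ".gitignore").write_text("# constructed\nnode_modules/\npackage-lock.json\ntarget/\n")
    (root / "package.json").write_text('{"name": "app", "version": "1.0.0"}\n')
    (root / "package-lock.json").write_text('{"lockfileVersion": 3}\n')
    (root / "go.mod").write_text("module example.com/app\n\ngo 1.21\n")
    (root / "svc").mkdir()
    (root / "svc" / "Cargo.toml").write_text('[package]\nname = "svc"\nversion = "0.1.0"\n')
    return root


if __name__ == "__main__":
    for f in problems(check_repo(build_sample_repo())):
        print(f"{f.status:8} {f.build_system:10} {f.path}")
```

Run it against a real checkout with `check_repo(Path("."))`; anything reported as `ignored` or `missing` is a scan file that will not reach Lift, so the corresponding ecosystem is scanned only from its manifest or not at all. The matcher deliberately ignores negation patterns and nested .gitignore files, so treat an `ok` as a hint rather than proof and confirm with `git ls-files` before relying on it.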