From b49d00b2b8591d173e9ce985df6e23134a90187b Mon Sep 17 00:00:00 2001 From: Antoine Broyelle Date: Fri, 10 Jan 2025 21:21:32 +0100 Subject: [PATCH 1/2] Update list of files used to scan dependencies from Based on https://github.com/semgrep/semgrep/blob/bb961637ab2eb743fb92a6c5d6207fa2c9dcf757/cli/src/semdep/subproject_matchers.py#L16 --- .../experiments/project-depends-on.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/writing-rules/experiments/project-depends-on.md b/docs/writing-rules/experiments/project-depends-on.md index 57876d743..717bc7639 100644 --- a/docs/writing-rules/experiments/project-depends-on.md +++ b/docs/writing-rules/experiments/project-depends-on.md @@ -70,14 +70,14 @@ A finding is only considered reachable if the file containing the pattern match ## r2c-internal-project-depends-on language support -| Language | Namespace | Scans dependencies from | -|:---------- |:-----------|:---------------------------------| -| Python | pypi | `Pipfile.lock` | -| JavaScript | npm | `yarn.lock`, `package-lock.json` | -| Java | maven | `pom.xml` | -| Go | gomod | `go.mod` | -| Ruby | gem | `Gemfile.lock` | -| Rust | cargo | `cargo.lock` | +| Language | Namespace | Scans dependencies from | +|:---------- |:-----------|:---------------------------------------------------| +| Python | pypi | `Pipfile.lock`, `poetry.lock`, `uv.lock` | +| JavaScript | npm | `yarn.lock`, `package-lock.json`, `pnpm-lock.yaml` | +| Java | maven | `pom.xml` | +| Go | gomod | `go.mod` | +| Ruby | gem | `Gemfile.lock` | +| Rust | cargo | `Cargo.lock` | ## Limitations From bcc87a7be065ca33607dfb7fe1c9842ae0812a27 Mon Sep 17 00:00:00 2001 From: Katie Horne Date: Fri, 17 Jan 2025 08:57:28 -0600 Subject: [PATCH 2/2] add add'l lang info --- .../experiments/project-depends-on.md | 21 ++++++++++++------- 1 file changed, 13 insertions(+), 8 deletions(-) 
diff --git a/docs/writing-rules/experiments/project-depends-on.md b/docs/writing-rules/experiments/project-depends-on.md index 717bc7639..3a928e65c 100644 --- a/docs/writing-rules/experiments/project-depends-on.md +++ b/docs/writing-rules/experiments/project-depends-on.md @@ -70,14 +70,19 @@ A finding is only considered reachable if the file containing the pattern match ## r2c-internal-project-depends-on language support -| Language | Namespace | Scans dependencies from | -|:---------- |:-----------|:---------------------------------------------------| -| Python | pypi | `Pipfile.lock`, `poetry.lock`, `uv.lock` | -| JavaScript | npm | `yarn.lock`, `package-lock.json`, `pnpm-lock.yaml` | -| Java | maven | `pom.xml` | -| Go | gomod | `go.mod` | -| Ruby | gem | `Gemfile.lock` | -| Rust | cargo | `Cargo.lock` | +| Language | Namespace | Scans dependencies from | +|:---------- |:-----------|:--------------------------------------------------------------| +| C# | nuget | `packages.lock.json` | +| Dart | pub | `pubspec.lock` | +| Elixir | hex | `mix.lock` | +| Go | gomod | `go.mod` | +| Java | maven | `pom.xml` | +| JavaScript | npm | `yarn.lock`, `package-lock.json`, `pnpm-lock.yaml` | +| PHP | composer | `composer.lock` | +| Python | pypi | `*requirement*.txt`, `Pipfile.lock`, `poetry.lock`, `uv.lock` | +| Ruby | gem | `Gemfile.lock` | +| Rust | cargo | `Cargo.lock` | +| Swift | swiftpm | package.swift | ## Limitations
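Review bot: In the Rust row of the first hunk (PATCH 1/2), `cargo.lock` becomes `Cargo.lock`; that is a correctness fix rather than a cosmetic one (Cargo writes the file with a capital C, so on a case-sensitive filesystem the old name would never match), and the commit message should say so. The subject line is also cut short at "scan dependencies from" and should be completed, for example "Update list of files dependencies are scanned from"; the pinned link to subproject_matchers.py in the body is good for traceability and should stay.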
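Review bot: The Swift row in the second hunk (PATCH 2/2) lists package.swift without the backticks every other filename in the table uses, and the SwiftPM manifest is spelled `Package.swift` (capital P); fix both so readers look for the right file. Also, the hunk rewrites every row to put the table in alphabetical order, so the diff no longer shows which entries are actually new (C#, Dart, Elixir, PHP, Swift, plus `*requirement*.txt` for Python); spelling out "add'l" as "additional" and listing those additions in the commit message would make the change reviewable from the log.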