sbt Analysis
While the other analysis strategies for gradle and maven offer some scala project coverage, scala projects overwhelmingly use the build tool sbt.
Overview
While the other analysis strategies for gradle and maven offer some scala project coverage, scala projects overwhelmingly use the build tool sbt.
| Tactics | Direct Deps | Transitive Deps | Edges | Container Scanning |
|---|---|---|---|---|
sbt dependencyBrowseTreeHTML | ✅ | ✅ | ✅ | ❌ |
sbt dependencyTree | ✅ | ✅ | ✅ | ❌ |
sbt makePom | ✅ | ❌ | ❌ | ❌ |
Requirements
sbtexecutable in PATH- Project can be compiled with
sbt compileor equivalent - sbt-dependency-graph plugin is accessible
Project Discovery
Directories that contain build.sbt files are treated as sbt project entry points.
After finding an sbt entry point, FOSSA CLI then runs sbt --no-colors --batch makePom to infer the target to scan.
Each target listed by the entrypoint is a different target scanned by FOSSA.
Analysis
- Run
sbt makePomto generate pom files
sbt dependencyTree
- From the generated pom file, identify the project name via the
<name>attribute. - Perform
sbt $project/dependencyTreeand parse its output to create a dependency graph
For this approach, you will need to ensure dependencyTree task is accessible. To do so, please use sbt-dependency-graph plugin.
Limitations
- This tactic does not support multi-project builds due an inconsistent reporting defect in sbt
- This tactic requires that project is using sbt-dependency-graph plugin.
- Since
sbt dependencyTreecommand's output does not include a version classifier, consequently, version classifiers are ignored.
sbt dependencyBrowseTreeHTML
- Run
sbt dependencyBrowseTreeHTML - From the generated
tree.htmlfile, find the correspondingtree.jsonfile - Find the corresponding pom file generated via (step 1 of the analysis)
- Parse
tree.jsonto create a dependency graph
For this approach, you will need to ensure the dependencyBrowseTreeHTML task is accessible. To do so, please use sbt-dependency-graph plugin.
Limitations
- This tactic requires that project is using sbt-dependency-graph plugin.
- Since the
sbt dependencyBrowseTreeHTMLcommand's output does not include a version classifier, consequently, version classifiers are ignored.
sbt makePom
- From generated pom.xml, use the maven strategy to "link together" related poms into projects and extract a dependency graph
FAQ
How do I only analyze scala projects?
You can explicitly specify analyses target in .fossa.yml file. The example below will exclude all analysis targets except scala.
# .fossa.yml version: 3targets: only: - type: scalaHow do I use sbt-dependency-graph plugin?
To identify deep dependencies and edges among them, FOSSA CLI requires use of the following tasks:
dependencyBrowseTreeHTML(for multi-project builds)dependencyTree
To add the sbt-dependency-graph plugin only to a single project, put this line into project/plugins.sbt of your project:
With sbt 1.4.0+:
addDependencyTreePluginRefer to sbt: https://www.scala-sbt.org/1.x/docs/sbt-1.4-Release-Notes.html#sbt-dependency-graph+is+in-sourced
With sbt < 1.4:
addSbtPlugin("net.virtual-void" % "sbt-dependency-graph" % "0.10.0-RC1")Plugins can be installed for all your projects at once by declaring them in $HOME/.sbt/$VERSION/plugins/. $HOME/.sbt/$VERSION/plugins/ is an sbt project whose classpath is exported to all sbt build definition projects.
Why does fossa-cli use sbt dependencyBrowseTreeHTML command?
dependencyBrowseTreeHTML command generates a dependency graph in JSON format per each project in sbt build. Unlike dependencyBrowseTree command, it does not open a browser once command is successfully ran. It produces a graph in a format that is easy to parse and diagnose.
Does FOSSA CLI include standard library as a dependency?
Yes