DataDog/dd-dependency-sniffer

Datadog Dependency Sniffer

The Datadog Dependency Sniffer is a tool designed to scan and analyze the dependencies of a project, identifying the actual location of specific dependencies in order to assist in locating vulnerable dependencies discovered by Datadog's SCA. It handles scenarios where dependencies have been shaded or relocated, giving you an accurate picture of the libraries your project actually ships.

Features

  • Comprehensive Scanning: Thoroughly scans project dependencies to identify both direct and transitive usage.
  • Shading and Relocation Detection: Accounts for shaded and relocated packages to provide more accurate results.
  • Customizable Search Criteria: Specify the dependency you want to search for using patterns.
  • Cross-Platform Support: Compatible with Windows, macOS, and Linux systems.
  • Language support: The current version targets Java/JVM dependencies in Maven and Gradle projects.

Usage

First ensure that you have the following software installed on your system:

  1. Docker
  2. Bash

The sniffer is capable of parsing and analyzing dependency tree reports from both Maven and Gradle. It relies on the following environment variables to provide access to your local dependencies:

  • M2_HOME (by default $HOME/.m2) pointing to your local Maven repository.
  • GRADLE_USER_HOME (by default $HOME/.gradle) pointing to your local Gradle repository.

You can download the provided script and run it:

curl "https://datadoghq.dev/dd-dependency-sniffer/run.sh" -o run.sh
chmod +x ./run.sh
./run.sh --type [gradle|maven] --artifact $ARTIFACT_ID --package $PACKAGE_NAME $REPORT

Or run it directly with:

curl -s "https://datadoghq.dev/dd-dependency-sniffer/run.sh" | bash -s -- --type [gradle|maven] --artifact $ARTIFACT_ID --package $PACKAGE_NAME $REPORT

The options are as follows:

  • --type: Specify either gradle or maven.
  • Filtering options (pick one):
    • --artifact: Artifact ID of the Maven coordinates, e.g., slf4j-api.
    • --package: Package name prefix of the library, e.g., org.slf4j.
  • $REPORT: Path of the dependency report provided by either Maven or Gradle.

It is recommended to start searching by the artifact ID and, if this approach is inconclusive, switch to package names for greater accuracy.

Maven

Ensure all dependencies are available in your local Maven repository, then generate the Maven dependency plugin report. From your project directory run:

./mvnw install
./mvnw org.apache.maven.plugins:maven-dependency-plugin:3.8.0:tree -DoutputType=json -DoutputFile=maven.json

Run the script:

run.sh --type maven --artifact slf4j-api maven.json

Gradle

Ensure all dependencies are available in your local Gradle repository, then generate the Gradle dependencies report. From your project directory run:

./gradlew build
./gradlew -q dependencies > gradle.txt

Run the script:

run.sh --type gradle --artifact slf4j-api gradle.txt

Output

Once the script has been run, you will get an output similar to the following:

The artifact with id 'slf4j-api' has been found in 2 dependencies:

1. 'nohttp-cli-0.0.11.jar' has matches in:
        - META-INF/maven/org.slf4j/slf4j-api/pom.properties

2. 'slf4j-api-2.0.16.jar' has matches in:
        - META-INF/MANIFEST.MF
        - META-INF/maven/org.slf4j/slf4j-api/pom.properties

In this case the project had a direct dependency on slf4j-api:2.0.16, but the same library was also shaded into nohttp-cli:0.0.11.
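To show how a report like the one above can be produced, here is an added example (not the dd-dependency-sniffer's own code) that walks a set of jars and records, per jar, the entries that point at the searched dependency. The matching heuristics are an assumption of this example: `--artifact` is matched against the `META-INF/maven/<groupId>/<artifactId>/pom.properties` path, and `--package` is matched as a path prefix inside `.class` entries so that a relocated copy (e.g. `shaded/org/slf4j/...`) is still caught. The sample jars are constructed in memory with illustrative contents.

```python
import io
import zipfile

def scan_jar(jar_bytes, artifact=None, package=None):
    """Entry names in one jar that point at the dependency.
    artifact: matched against META-INF/maven/<group>/<artifact>/pom.properties
    package:  prefix matched against .class paths, so a relocated copy
              (e.g. shaded/org/slf4j/...) is still caught."""
    hits = []
    pkg_path = package.replace(".", "/") + "/" if package else None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            if (artifact and len(parts) == 5 and parts[:2] == ["META-INF", "maven"]
                    and parts[3] == artifact and parts[4] == "pom.properties"):
                hits.append(name)
            elif pkg_path and name.endswith(".class") and pkg_path in name:
                hits.append(name)
    return hits

def find_dependency(jars, artifact=None, package=None):
    """jars: {file name: bytes}. Returns {file name: [entries]} for jars with
    at least one hit, the same shape as the numbered report above."""
    return {jar: h for jar, data in jars.items()
            if (h := scan_jar(data, artifact, package))}

def build_jar(entries):
    """Build a constructed in-memory jar from {path: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, text in entries.items():
            zf.writestr(path, text)
    return buf.getvalue()

# Constructed sample jars mirroring the report: a direct slf4j-api jar and a
# CLI jar that bundles a relocated copy of the same library.
SAMPLE_JARS = {
    "slf4j-api-2.0.16.jar": build_jar({
        "META-INF/MANIFEST.MF": "Bundle-SymbolicName: slf4j.api\n",
        "META-INF/maven/org.slf4j/slf4j-api/pom.properties": "artifactId=slf4j-api\n",
        "org/slf4j/Logger.class": "",
    }),
    "nohttp-cli-0.0.11.jar": build_jar({
        "META-INF/maven/org.slf4j/slf4j-api/pom.properties": "artifactId=slf4j-api\n",
        "shaded/org/slf4j/Logger.class": "",
    }),
    "unrelated-1.0.jar": build_jar({"com/example/App.class": ""}),
}
```

Searching by artifact finds both jars through their `pom.properties`; searching by package additionally exposes the relocated class path, which is why the README suggests falling back to `--package` when the artifact search is inconclusive.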
