Agent-based scan language support matrix
This table identifies the functionality available to each language and package manager that Veracode Software Composition Analysis agents support.
A quick scan does not build the project or a dependency graph. To generate a list of libraries and versions in the project, a quick scan uses the
--quickdirective to read the project's manifest files or package lock files. Alternatively, for some languages, a quick scan compares the hashes of JAR files or DLL files in the project with hashes in the Veracode database.A full scan builds the project and a dependency graph, so you can see which libraries are direct or transitive and can prioritize accordingly. Without the
-–quickdirective, a full scan is the default scan for the SCA agent.A vulnerable method scan is not a separate scan but a standard part of a full scan, provided vulnerable methods are supported for the project's language and package manager. During the build, the agent determines whether a project’s first-party code calls any vulnerable methods in the third-party code.
| Language | Package Manager | Quick Scan (Level 1) | Full Scan (Level 2) | Vulnerable Methods Scan (Level 3) |
|---|---|---|---|---|
| C#/.NET | DLL | X | X | X |
| C#/.NET | NuGet | X | X | X |
| C/C++ | Make | X | ||
| Go | Dep | X | X | |
| Go | Glide | X | X | |
| Go | go get | X | ||
| Go | Go modules | X | X | |
| Go | GoDep | X | X | |
| Go | GoVendor | X | X | |
| Go | Trash | X | X | |
| Java | Ant | X | X | |
| Java | Gradle | X | X | |
| Java | Jars | X | X | X |
| Java | Maven | X | X | |
| JavaScript | Bower | X | X | |
| JavaScript | NPM | X | X | X |
| JavaScript | Yarn | X | X | X |
| Kotlin | Gradle | X | X | |
| Kotlin | Jars | X | X | X |
| Kotlin | Maven | X | X | |
| Objective-C | CocoaPods | X | X | |
| PHP | Composer | X | X | |
| Python | pip | X | X | |
| Python | Pipenv | X | X | X |
| Ruby | Bundler | X | X | X |
| Scala | Jars | X | X | X |
| Scala | SBT | X | ||
| Swift | CocoaPods | X | X |