When developing in nim, nimble is used to manage dependencies.
| Strategy | Direct Deps | Transitive Deps | Edges | Classifies Dev Dependencies | Container Scanning |
|---|---|---|---|---|---|
| nimble.lock and nimble dump | ✅ | ✅ | ✅ | ❌ | ❌ |
| nimble.lock | ✅ | ✅ | ❌ | ❌ | ✅ |
Project discovery: find a file named `nimble.lock`.

Analysis:
- Parse `nimble.lock` to identify dependencies and the edges among them.
- Run `nimble dump --json` to identify direct dependencies.
Limitations:
- Dependencies downloaded from Mercurial are not reported.
- When `nimble dump --json` fails, any dependency without an incoming edge is treated as a direct dependency.
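As an added illustration of the two analysis steps and the fallback rule above (example code, not FOSSA's or nimble's own), the following Python models how a `nimble.lock` becomes a dependency graph and how direct dependencies are chosen. It assumes nimble's JSON lock layout (a `packages` object whose entries carry `dependencies` and `downloadMethod`) and that `nimble dump --json` exposes a `requires` list of objects with a `name` field; both sample inputs are constructed.

```python
"""Toy model of nimble.lock analysis (added example, not FOSSA's code).
Assumed layouts: lock file = {"packages": {name: {"dependencies": [...],
"downloadMethod": "git"|"hg", ...}}}; dump = {"requires": [{"name": ...}]}."""
import json

# Constructed sample lock: jester depends on httpbeast. The hg-sourced package
# is included to show that Mercurial dependencies drop out of the report.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "packages": {
        "jester": {"version": "0.5.0", "downloadMethod": "git",
                   "dependencies": ["httpbeast"]},
        "httpbeast": {"version": "0.4.1", "downloadMethod": "git",
                      "dependencies": []},
        "hgpkg": {"version": "1.0.0", "downloadMethod": "hg",
                  "dependencies": []},
    },
})

# Constructed `nimble dump --json` output; "nim" itself is not a lock package.
SAMPLE_DUMP = json.dumps({
    "requires": [{"name": "nim", "str": "nim >= 1.6.0"},
                 {"name": "jester", "str": "jester >= 0.4.1 & < 0.5.0"}],
})


def parse_lock(text):
    """Return (packages, edges): reported package names (Mercurial sources
    excluded) and (parent, child) edges between reported packages."""
    data = json.loads(text)
    pkgs = {name: meta for name, meta in data["packages"].items()
            if meta.get("downloadMethod") != "hg"}
    edges = [(name, dep) for name, meta in pkgs.items()
             for dep in meta.get("dependencies", []) if dep in pkgs]
    return sorted(pkgs), edges


def direct_deps(packages, edges, dump_json=None):
    """Direct dependencies come from the dump's "requires" list when it is
    available; when the dump failed (None), every package that has no
    incoming edge is treated as direct (the fallback rule)."""
    if dump_json is not None:
        wanted = {r["name"] for r in json.loads(dump_json)["requires"]}
        return sorted(p for p in packages if p in wanted)
    has_parent = {child for _, child in edges}
    return sorted(p for p in packages if p not in has_parent)


if __name__ == "__main__":
    pkgs, edges = parse_lock(SAMPLE_LOCK)
    print(pkgs, edges, direct_deps(pkgs, edges, SAMPLE_DUMP))
```

Note that the fallback cannot see a package that is both required directly and reachable through another package, which is why the dump step is preferred when it succeeds.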
Example:
- Run `nimble init` to create a new project, or create `nim.nimble` manually.

Example `nim.nimble`:

```nim
# Package
version = "0.1.0"
author = "User"
description = "A new awesome nimble package"
license = "MIT"
srcDir = "src"
installExt = @["nim"]
bin = @["nim"]

# Dependencies
requires "nim >= 1.6.0"
requires "jester >= 0.4.1 & < 0.5.0"
```

- Run `nimble lock` to install and pin dependencies; this creates (or updates) the `nimble.lock` file.
- Run `fossa analyze -o` on the project to print the analyzed dependency graph (this does not upload any analysis to any endpoint).
If you are using an older version of Nim, you may need to do the following:
- Run `choosenim 1.6.0`.
- Run `nimble install https://github.com/nim-lang/nimble@#head` to get the latest nimble (any version released after lock file support was added will do).
You can explicitly specify an analysis target in the `.fossa.yml` file. The example below excludes all analysis targets except for nimble.

```yaml
# .fossa.yml
version: 3
targets:
  only:
    - type: nimble
```