How to generate lockfiles from manifests

Lockfiles provide detailed information about the specific versions and transitive dependencies in use by your project. However, not all projects or ecosystems will have a lockfile automatically generated. This article walks through how to generate a lockfile for each listed ecosystem. These lockfiles can then be used to get a bill of materials for your project. 

  • Python
  • JavaScript / Node
  • Ruby
  • Java
  • GoLang
  • Rust

Below are instructions on how to generate lockfiles in a few common ecosystems.


Python

First, you should install python.

On a Mac system, use Homebrew:

brew install python3

On a Linux system, use the system package manager such as apt or dnf.

sudo apt install python3 python3-dev python3-pip

Next, create a folder to work in, change into that directory. Copy your manifest into this folder. Create a virtual environment and source it so you don’t mess up your machine-global packages

mkdir temp-project 

cd temp-project 

cp ~/Downloads/requirements.txt ./ 

python3 -m venv env 

source env/bin/activate

You should now see (env) at the beginning of your command line, noting that you are now inside the virtual environment. Now, install Pipenv and wheel, which will let you turn the manifest into a lockfile. Finally, run Pipenv to generate said lockfile.

pip3 install wheel pipenv 

pip3 install -r requirements.txt 

pipenv install

Now upload the requirements.txt and Pipfile.lock to their portal.


JavaScript / Node

First, you should install Node and the Node package manager (npm).

On a Mac system, use Homebrew:

brew install node yarn

On a Linux system, use the system package manager such as apt or dnf.

sudo apt install nodejs yarn

Next, create a folder to work in, change into that directory. Copy the manifest into this folder.

mkdir temp-project 

cd temp-project 

cp ~/Downloads/package.json ./

Check to see if yarn is working correctly.

yarn --version

If Yarn is not found in your PATH, add yarn’s path to your ~/.zshrc profile:

export PATH="$HOME/.yarn/bin:$PATH"

Install the transitive dependencies and generate the yarn.lock file.

yarn install

Now upload the package.json and yarn.lock to their portal.


Ruby

First install the Ruby Environment Manager (rbenv) via homebrew (Mac).

brew install rbenv

Linux takes a few more steps:

git clone https://github.com/rbenv/rbenv.git ~/.rbenv 

echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.zshrc 

echo 'eval "$(rbenv init -)"' >> ~/.bashrc 

source ~/.bashrc

Verify rbenv is working properly.

rbenv --version

Now, we can install a version of Ruby. I choose 2.6.4, but you can see them all by using rbenv install -l

rbenv install 2.6.4 

rbenv global 2.6.4 

ruby -v

Now, let’s turn off documentation generation for Gems, which will save a lot of time when installing the Gems.

echo "gem: --no-document" > ~/.gemrc

Install the Bundler Gem, which is used heavily in dependency management.

gem install bundler

Next, create a folder to work in, change into that directory. Copy the manifest into this folder.

mkdir temp-project 

cd temp-project 

cp ~/Downloads/Gemfile ./

Generate the lockfile with Bundler.

bundle lock

Now upload the Gemfile and Gemfile.lock to their portal.


Java

First install the Java Development Kit [JDK] (NOT the Runtime Environment [JRE]).

On Mac, use Homebrew to install the JDK and Gradle:

brew install java gradle

Linux takes a few more steps:

sudo apt install default-jdk 

curl -s "https://get.sdkman.io" | bash 

sdk install gradle

Verify gradle and java are working properly.

java -version 

gradle -version

Next, create a folder to work in, change into that directory. Copy the manifest into this folder.

mkdir temp-project 

cd temp-project 

cp ~/Downloads/pom.xml ./

Initialize a gradle project, it should ask you “Found a Maven build. Generate a Gradle build from this? (default: yes) [yes, no]”, type “yes”.

gradle init

Generate the lock file by exporting the output of gradle dependencies.

gradle dependencies -q > gradle-dependencies-q.txt

Now upload the pom.xml and gradle-dependencies-q.txt to their portal.


GoLang

First install Go.

On Mac, use Homebrew:

brew install go

Linux has a few more steps. Download a version > 1.13 from https://golang.org/dl/. Then extract and add your go project path and environment variables:

sudo tar -C /usr/local -xzf go1.13.1.linux-amd64.tar.gz 

echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.zshrc 

source ~/.zshrc

Make sure go works.

go version

Next, create a folder to work in (must be in your Go directory), change into that directory. Copy the manifest into this folder.

mkdir ~/go/src/temp-project 

cd ~/go/src/temp-project 

cp ~/Downloads/go.mod ./

You’ll have to create a simple program and save it as “main.go”:

package main 

import "fmt" 

func main() { 

	fmt.Println("Success!")

}

Now you can run the program (which will also build it):

go run main.go

Now your direct dependencies are still in “go.mod”, but you should see direct+transitive in “go.sum”.

To print out a CSV of all the deps (path, version, transitive?):

go list -m -f="{{.Path}},{{.Version}},{{.Indirect}}" -u all

Note: Go will auto-include any imported packages from “main.go” into “go.mod”. This simple program didn’t have any imports, but note that Go kept the existing packages in the “go.mod” that you saved (this is an intentional policy of Go Modules not to remove anything from “go.mod”).


Rust

First install rustup, the Rust toolchain installer. This will install and configure Rust and Cargo for you.

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
Verify the Rust compiler and Cargo are working properly.
rustc --version

cargo --version
Next, create a folder to work in, change into that directory. Copy your Cargo.toml into this folder.
mkdir temp-project

cd temp-project

cp ~/Downloads/Cargo.toml .

cargo generate-lockfile
	
Now upload your Cargo.toml and Cargo.lock to their portal.

Questions? Reach out to our support team

Was this article helpful?
0 out of 0 found this helpful

Articles in this section