Lockfiles provide detailed information about the specific versions and transitive dependencies in use by your project. However, not all projects or ecosystems will have a lockfile automatically generated. This article walks through how to generate a lockfile for each listed ecosystem. These lockfiles can then be used to get a bill of materials for your project.
- Python
- JavaScript / Node
- Ruby
- Java
- GoLang
- Rust
Below are instructions on how to generate lockfiles in a few common ecosystems.
Python
First, you should install python.
On a Mac system, use Homebrew:
brew install python3
On a Linux system, use the system package manager such as apt or dnf.
sudo apt install python3 python3-dev python3-pip
Next, create a folder to work in, change into that directory. Copy your manifest into this folder. Create a virtual environment and source it so you don’t mess up your machine-global packages
mkdir temp-project cd temp-project cp ~/Downloads/requirements.txt ./ python3 -m venv env source env/bin/activate
You should now see (env) at the beginning of your command line, noting that you are now inside the virtual environment. Now, install Pipenv and wheel, which will let you turn the manifest into a lockfile. Finally, run Pipenv to generate said lockfile.
pip3 install wheel pipenv pip3 install -r requirements.txt pipenv install
Now upload the requirements.txt and Pipfile.lock to their portal.
JavaScript / Node
First, you should install Node and the Node package manager (npm).
On a Mac system, use Homebrew:
brew install node yarn
On a Linux system, use the system package manager such as apt or dnf.
sudo apt install nodejs yarn
Next, create a folder to work in, change into that directory. Copy the manifest into this folder.
mkdir temp-project cd temp-project cp ~/Downloads/package.json ./
Check to see if yarn is working correctly.
yarn --version
If Yarn is not found in your PATH, add yarn’s path to your ~/.zshrc profile:
export PATH="$HOME/.yarn/bin:$PATH"
Install the transitive dependencies and generate the yarn.lock file.
yarn install
Now upload the package.json and yarn.lock to their portal.
Ruby
First install the Ruby Environment Manager (rbenv) via homebrew (Mac).
brew install rbenv
Linux takes a few more steps:
git clone https://github.com/rbenv/rbenv.git ~/.rbenv echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.zshrc echo 'eval "$(rbenv init -)"' >> ~/.bashrc source ~/.bashrc
Verify rbenv is working properly.
rbenv --version
Now, we can install a version of Ruby. I choose 2.6.4, but you can see them all by using rbenv install -l
rbenv install 2.6.4 rbenv global 2.6.4 ruby -v
Now, let’s turn off documentation generation for Gems, which will save a lot of time when installing the Gems.
echo "gem: --no-document" > ~/.gemrc
Install the Bundler Gem, which is used heavily in dependency management.
gem install bundler
Next, create a folder to work in, change into that directory. Copy the manifest into this folder.
mkdir temp-project cd temp-project cp ~/Downloads/Gemfile ./
Generate the lockfile with Bundler.
bundle lock
Now upload the Gemfile and Gemfile.lock to their portal.
Java
First install the Java Development Kit [JDK] (NOT the Runtime Environment [JRE]).
On Mac, use Homebrew to install the JDK and Gradle:
brew install java gradle
Linux takes a few more steps:
sudo apt install default-jdk curl -s "https://get.sdkman.io" | bash sdk install gradle
Verify gradle and java are working properly.
java -version gradle -version
Next, create a folder to work in, change into that directory. Copy the manifest into this folder.
mkdir temp-project cd temp-project cp ~/Downloads/pom.xml ./
Initialize a gradle project, it should ask you “Found a Maven build. Generate a Gradle build from this? (default: yes) [yes, no]”, type “yes”.
gradle init
Generate the lock file by exporting the output of gradle dependencies.
gradle dependencies -q > gradle-dependencies-q.txt
Now upload the pom.xml and gradle-dependencies-q.txt to their portal.
GoLang
First install Go.
On Mac, use Homebrew:
brew install go
Linux has a few more steps. Download a version > 1.13 from https://golang.org/dl/. Then extract and add your go project path and environment variables:
sudo tar -C /usr/local -xzf go1.13.1.linux-amd64.tar.gz echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.zshrc source ~/.zshrc
Make sure go works.
go version
Next, create a folder to work in (must be in your Go directory), change into that directory. Copy the manifest into this folder.
mkdir ~/go/src/temp-project cd ~/go/src/temp-project cp ~/Downloads/go.mod ./
You’ll have to create a simple program and save it as “main.go”:
package main import "fmt" func main() { fmt.Println("Success!") }
Now you can run the program (which will also build it):
go run main.go
Now your direct dependencies are still in “go.mod”, but you should see direct+transitive in “go.sum”.
To print out a CSV of all the deps (path, version, transitive?):
go list -m -f="{{.Path}},{{.Version}},{{.Indirect}}" -u all
Note: Go will auto-include any imported packages from “main.go” into “go.mod”. This simple program didn’t have any imports, but note that Go kept the existing packages in the “go.mod” that you saved (this is an intentional policy of Go Modules not to remove anything from “go.mod”).
Rust
First install rustup, the Rust toolchain installer. This will install and configure Rust and Cargo for you.
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
rustc --version cargo --version
mkdir temp-project cd temp-project cp ~/Downloads/Cargo.toml . cargo generate-lockfile
Questions? Reach out to our support team!