📦 [Feature Request]: Extend Dependency Manifest File Support #17

@Wgoeh

Description

Currently, the Vulnera dependency scanning plugin supports a limited set of dependency manifest files. We need to extend this support to cover more package managers and languages to make Valkyrie more comprehensive and useful for polyglot projects.

🎯 Goal

Add support for additional dependency manifest files by implementing new parsers in valkyrie.plugins.vulnera.parsers.py.

📋 Currently Supported Files

SUPPORTED_MANIFESTS = {
    # Node.js
    'package.json', 'package-lock.json', 'yarn.lock',
    
    # Python
    'requirements.txt', 'Pipfile', 'Pipfile.lock', 'poetry.lock',
    
    # Java
    'pom.xml', 'gradle.build',
    
    # Rust
    'Cargo.toml', 'Cargo.lock',
    
    # Go
    'go.mod', 'go.sum',
    
    # PHP
    'composer.json', 'composer.lock'
}

🚀 Target Additional Manifest Files

Ruby:

  • Gemfile
  • Gemfile.lock
  • gems.rb

.NET:

  • *.csproj
  • packages.config
  • project.assets.json

Swift:

  • Package.swift
  • Cartfile
  • Cartfile.resolved

Android:

  • build.gradle (Android modules)

Scala:

  • build.sbt

Haskell:

  • *.cabal
  • stack.yaml

Elixir:

  • mix.exs
  • mix.lock

Dart:

  • pubspec.yaml
  • pubspec.lock

Docker:

  • Dockerfile (FROM statements)

🔧 Implementation

  1. Extend the parser registry in valkyrie.plugins.vulnera.parsers.py
  2. Create new parser classes inheriting from BaseDependencyParser
  3. Implement parsing logic for each new manifest format
  4. Add test cases for each new parser

📝 Example Parser Structure

import json
from typing import List

# BaseDependencyParser, Dependency and the DependencyParser registry are assumed
# to be defined in the same module (valkyrie.plugins.vulnera.parsers), so they
# need no import here.

@DependencyParser.register()
class PackageJsonParser(BaseDependencyParser):
    """Parser for package.json (Node.js)"""

    @property
    def dep_file(self):
        return "package.json"

    def parse(self) -> List[Dependency]:
        content = self._read_file()
        data = json.loads(content)

        dependencies = []

        # Production dependencies
        if 'dependencies' in data:
            for name, version in data['dependencies'].items():
                dependencies.append(Dependency(name, version, dev=False))

        # Development dependencies
        if 'devDependencies' in data:
            for name, version in data['devDependencies'].items():
                dependencies.append(Dependency(name, version, dev=True))

        return dependencies
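As an added example (not code from the Valkyrie project), here are two of the requested parsers, Gemfile.lock and Dockerfile FROM statements, wired into a minimal registry following the structure above. `Dependency`, `BaseDependencyParser` and `DependencyParser.register()` are simplified stand-ins written for this example so it runs on its own; the project's real classes may differ (for instance, `dep_file` is a class attribute here rather than a property, so the registry can read it before instantiation). The sample manifests are constructed. The `unpinned_images` helper is an extra not asked for in the issue: a base image with neither tag nor digest resolves to the mutable `latest`, which is the first thing a scanner should surface.

```python
"""Added example: Gemfile.lock and Dockerfile parsers plus a stand-in registry."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple, Type


@dataclass(frozen=True)
class Dependency:            # stand-in for the project's Dependency
    name: str
    version: str
    dev: bool = False


class BaseDependencyParser:  # stand-in for the project's base class
    dep_file: str = ""       # class attribute so the registry can read it

    def __init__(self, content: str) -> None:
        self._content = content

    def _read_file(self) -> str:
        return self._content

    def parse(self) -> List[Dependency]:
        raise NotImplementedError


class DependencyParser:      # stand-in registry: manifest filename -> parser class
    _registry: Dict[str, Type[BaseDependencyParser]] = {}

    @classmethod
    def register(cls):
        def wrap(parser_cls: Type[BaseDependencyParser]) -> Type[BaseDependencyParser]:
            cls._registry[parser_cls.dep_file] = parser_cls
            return parser_cls
        return wrap

    @classmethod
    def parse(cls, filename: str, content: str) -> List[Dependency]:
        return cls._registry[filename](content).parse()


@DependencyParser.register()
class GemfileLockParser(BaseDependencyParser):
    """Resolved gems sit under 'specs:' at exactly four spaces of indentation;
    their transitive requirements sit at six spaces and are skipped."""
    dep_file = "Gemfile.lock"
    _SPEC = re.compile(r"^ {4}(\S+) \(([^)]+)\)$")

    def parse(self) -> List[Dependency]:
        return [Dependency(m.group(1), m.group(2))
                for m in map(self._SPEC.match, self._read_file().splitlines()) if m]


@DependencyParser.register()
class DockerfileParser(BaseDependencyParser):
    """Every FROM naming an image (not an earlier build stage, not 'scratch') is a
    dependency. No tag and no digest means the implicit, mutable 'latest'."""
    dep_file = "Dockerfile"
    _FROM = re.compile(
        r"^FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?$",
        re.IGNORECASE)

    @staticmethod
    def _split_ref(ref: str) -> Tuple[str, str]:
        if "@" in ref:                           # name@sha256:... is pinned by digest
            name, digest = ref.split("@", 1)
            return name, digest
        head, slash, last = ref.rpartition("/")  # a tag colon can only follow the last '/'
        if ":" in last:
            name, tag = last.rsplit(":", 1)
            return head + slash + name, tag
        return ref, "latest"

    def parse(self) -> List[Dependency]:
        deps: List[Dependency] = []
        stages = set()
        for raw in self._read_file().splitlines():
            m = self._FROM.match(raw.strip())
            if not m:
                continue
            ref, alias = m.group("ref"), m.group("alias")
            if alias:
                stages.add(alias.lower())        # stage names are case-insensitive
            if ref.lower() in stages or ref.lower() == "scratch":
                continue
            deps.append(Dependency(*self._split_ref(ref)))
        return deps


def unpinned_images(deps: List[Dependency]) -> List[Dependency]:
    """Base images that resolved to 'latest': mutable, so not reproducible."""
    return [d for d in deps if d.version == "latest"]


# Constructed sample manifests (not taken from any real project).
SAMPLE_GEMFILE_LOCK = """\
GEM
  remote: https://rubygems.org/
  specs:
    nokogiri (1.15.4-x86_64-linux)
      racc (~> 1.4)
    racc (1.7.1)
    rack (3.0.8)

PLATFORMS
  x86_64-linux

DEPENDENCIES
  nokogiri
  rack (~> 3.0)

BUNDLED WITH
   2.4.19
"""

SAMPLE_DOCKERFILE = """\
# constructed multi-stage build
FROM --platform=linux/amd64 golang:1.22 AS build
WORKDIR /src
FROM build AS test
FROM registry.example.com:5000/team/base
FROM python@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM scratch
COPY --from=build /app /app
"""

if __name__ == "__main__":
    for fname, text in (("Gemfile.lock", SAMPLE_GEMFILE_LOCK), ("Dockerfile", SAMPLE_DOCKERFILE)):
        for d in DependencyParser.parse(fname, text):
            print(fname, d.name, d.version)
    print("unpinned:", [d.name for d in unpinned_images(DependencyParser.parse("Dockerfile", SAMPLE_DOCKERFILE))])
```

The Dockerfile parser deliberately treats a digest as the version rather than discarding it, so a downstream vulnerability lookup can distinguish `python:3.11` from a digest-pinned image even when both share a tag; the `FROM build AS test` line is recognised as a reference to an earlier stage and is not reported as an external dependency.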

✅ Acceptance Criteria

  • Each new parser follows the BaseDependencyParser interface
  • Test cases included for each new parser
  • No regression in existing functionality

🧪 Testing

Add test files in tests/plugins/vulnera/parsers/:

  • Example manifest files for each new format
  • Unit tests for each new parser class
  • Integration tests with the Vulnera scanner
