The Java+ analyser is triggered when one of the relevant manifest files is found in the root of the project. At this time it supports:

  • Maven : pom.xml

  • Gradle: build.gradle

  • Sbt: build.sbt

  • Ant: build.xml

When using Maven. Gradle or Sbt, the tool will be actually invoked to generate the dependencies tree, as it's the only one who actually knows the components that, at the end of the day, will be really shipped. If you rely solely on the manifest files you will have to replicate what the tool is doing, which is really unreliable. The logic used is frequently just too convoluted, and only if you ask the tool to generate the dependencies tree you will be obtaining the right one. For that reason, your project has to build successfully before using Meterian. If this condition is not met then you won't be able to use this tool, so please make sure the project you want to attack is compiling correctly.

When using Ant, the tool will first try to detect the dependencies using Ivy (if present): this allows the generation of a proper dependency tree. In any other case (or if the ivy approach fails) the tool will revert to a binary file detection strategy from the root of the project using the pattern "**/*.jar". In the report the dependencies will be listed by location.

When using the thin client, the required tools will have to be installed and configured (Maven, Gradle, Sbt, Ant). This is not required when using the dockerized client.

Last updated