Supported Ecosystems
Radar's SCA engine supports all major package ecosystems. It automatically detects which package managers are present in your repository, parses manifest and lock files, builds a complete dependency tree, and cross-references every package version against vulnerability databases, all in a single scan pass.
No configuration is required. If your repository contains multiple ecosystems (for example, a Node.js frontend with a Java backend), all dependency trees are analyzed together.
Ecosystem Reference
| Ecosystem | Manifests | Lock Files | Registry |
|---|---|---|---|
| npm (JS/TS) | package.json | package-lock.json, yarn.lock, pnpm-lock.yaml | npmjs.com |
| NuGet (.NET) | *.csproj, packages.config, Directory.Packages.props | packages.lock.json | nuget.org |
| Maven (Java) | pom.xml | None (deterministic resolution) | Maven Central |
| Gradle (Java/Kotlin/Android) | build.gradle, build.gradle.kts | gradle.lockfile | Maven Central, Google Maven |
| pip (Python) | requirements.txt, setup.py, setup.cfg, pyproject.toml | Pipfile.lock, poetry.lock | PyPI |
| Composer (PHP) | composer.json | composer.lock | Packagist |
| Go Modules | go.mod | go.sum | proxy.golang.org |
| RubyGems | Gemfile | Gemfile.lock | rubygems.org |
Lock Files Matter
When a lock file is present, Radar uses it for exact version resolution. Without a lock file, Radar resolves from manifest declarations, which may not exactly match your installed versions. For the most accurate results, commit your lock files to the repository.
Dependency Scopes
Radar analyzes all dependency categories by default, including development dependencies. Build-time vulnerabilities can affect supply chain security, so they are included in scans.
| Ecosystem | Scopes Analyzed |
|---|---|
| npm | dependencies, devDependencies, peerDependencies, optionalDependencies |
| NuGet | PackageReference (modern), packages.config (legacy), Central Package Management, framework-specific dependencies |
| Maven | compile, runtime, provided scopes, dependency management sections, parent POM inheritance |
| Gradle | implementation, api, compileOnly, runtimeOnly |
| pip | Pinned versions, version ranges, extras (package[security]), environment markers |
| Composer | require, require-dev, platform requirements |
| Go Modules | Direct and indirect (// indirect) dependencies, replace and exclude directives |
| RubyGems | Runtime dependencies, :development group, platform-specific gems |
Ecosystem Notes
npm
Transitive dependency trees in npm projects can reach hundreds of packages. npm's flat dependency resolution (since v3) hoists transitive packages to the top level, making it harder to manually track which direct dependency introduced a vulnerability. Radar traces the full dependency path for each finding. Monorepo setups (npm workspaces, Yarn workspaces, pnpm workspaces) are supported.
NuGet
.NET projects may use Central Package Management through Directory.Packages.props. Multi-targeting projects (targeting multiple .NET frameworks like net6.0 and net8.0) may have different dependency trees per framework. Radar analyzes all declared target frameworks.
Maven
Maven uses a "nearest definition" dependency mediation strategy and does not use lock files. Radar analyzes the full POM hierarchy including parent POMs and BOM (Bill of Materials) imports to resolve effective dependency versions.
Gradle
Gradle's flexible build scripts can declare dependencies programmatically, making static analysis more challenging than Maven's declarative XML. When a gradle.lockfile is present, Radar uses it for accurate resolution. Android projects with extensive Jetpack component trees are fully supported.
pip
Python dependency management varies widely: plain requirements.txt, Pipenv with Pipfile.lock, or Poetry with poetry.lock. Radar supports all formats. Lock files provide the most accurate results since version ranges may not match your installed environment exactly.
Composer
Composer enforces lock files, making resolution highly deterministic. The composer.lock contains exact resolved versions for every package in the dependency tree.
Go Modules
Go's minimal version selection (MVS) algorithm selects the minimum satisfying version rather than the latest compatible version, so Go projects tend to use older (but explicitly chosen) dependency versions. Radar accounts for this when analyzing vulnerability exposure.
RubyGems
Bundler's Gemfile.lock provides a complete resolved dependency tree with exact versions. Ruby on Rails applications typically have extensive transitive dependency trees — Radar analyzes the full depth.
Next Steps
SCA Overview
How Radar's SCA engine works and what types of vulnerabilities it detects.
View SCA Findings
Navigate and filter SCA findings in your Radar project dashboard.
CVE Reference
CVE identifiers, CVSS scoring, and the vulnerability databases Radar uses.
Detect Vulnerable Dependencies
How Radar maps direct and transitive dependencies to identify vulnerable packages.