Prerequisites
The following lists the dependencies required by Qwiet preZero to correctly analyze your app/project. We recommend ensuring that the local workstation on which Qwiet preZero runs mirrors your development environment as closely as possible.
Browser requirements
Qwiet supports the latest versions of Google Chrome and Mozilla Firefox.
Language support and requirements
Qwiet preZero is capable of analyzing applications written in the following languages:
| Language | Versions supported | Extensions | Source/Compiled | Status | SCA |
|---|---|---|---|---|---|
| C/C++ | .c | Source | GA | N/A | |
| C# | C# 12 or earlier | .sln, .csproj | Source | GA | Yes |
| Go | 1.12-1.22 | .go | Source | GA | Yes |
| Java | Java 7-11, 14-15, 17, or 21 | .jar, .war | Compiled | GA | Yes |
| Java | Java 17 or earlier | .java | Source | Beta | Yes |
| JavaScript, TypeScript | ES6 | .js, .ts | Source | GA | Yes |
| Kotlin | SDK 24-40 | .kt | Source | Beta | Yes |
| PHP | 5.2-8.3 | .php | Source | Beta | Yes |
| Python | 3.8 or later | .py | Source | GA | Yes |
| Ruby | 2.x, 3.x | .rb | Source | Beta | Yes |
| Scala | Scala 2.12 or later | .jar, .war | Compiled | GA | Yes |
| Terraform | .tf | Source | GA | N/A |
⚠️ Qwiet preZero cannot analyze encrypted or obfuscated artifacts (e.g., encrypted/obfuscated JAR or WAR) or encrypted code.
SCA
preZero's SCA supports the following languages, build tools, and package managers.
| Language | Build tool/package format |
|---|---|
| C# | .sln, .csproj, packages.config, <project>.deps.json |
| Go | go.mod, go.sum, Gopkg.lock |
| Java/Scala | Maven (pom.xml), Gradle (build.gradle, .kts), Scala (.sbt) |
| Node.js | package-lock.json, pnpm-lock.yaml, yarn.lock, rush.json |
| Python | setup.py, requirements.txt, pipfile.lock, poetry.lock |
| Ruby | Gemfile, Gemfile.lock |
Language-specific requirements
- C/C++
- C#
- Go
- Java
- JS/TS
- Kotlin
- PHP
- Python
- Ruby
- Scala
- Terraform
Qwiet preZero supports the analysis of C and C++ applications on machines with Java 11 (or later) installed and at least 16 GB of memory available.
Optional: In the environment where you're running Qwiet AI, ensure that GCC and g++ are installed for auto-discovery of C/C++ system header files if included/used in your C/C++ code.
Qwiet preZero is supported on Windows (arm64, x86, x64), Linux (arm64, x64), and macOS (arm64, x64). To run analyses on Linux and Windows, no extra installations besides the Qwiet CLI are required (see Installation). To run analyses on macOS, a .NET runtime of .NET 6 or later must also be installed.
Machine requirements: We recommend running preZero on a machine with a minimum of 4 GB RAM and 2 CPU Cores. For each subsequent 100,000 lines of code you submit for analysis, we recommend an additional 2 GB RAM and 1+ CPU Core.
| Lines of code | CPUs | RAM |
|---|---|---|
| <100k | 3 cores | 6 GB |
| >100k | 4 cores | 8 GB |
| >200k | 5 cores | 10 GB |
| +100k | +1 core | +2 GB |
For example, if your application contains 200,000 lines of code, we recommend that the machine you use has 8 GB RAM and 4 CPU cores.
Supported namespaces and frameworks:
preZero is compatible with C# apps that utilize the following namespaces:
- System.Web.Mvc
- System.Web.Http
- System.Web.UI
- System.ServiceModel
- System.ServiceModel.Web
- System.Data
preZero is also compatible with ASP.NET Core, Razor, and Blazor applications.
SCA: To identify open-source vulnerabilities in C# applications, Qwiet preZero requires one of the following package formats: .csproj, <project>.deps.json, packages.config.
Qwiet preZero supports the analysis of applications written in Go 1.12 - 1.22. Ensure that you've installed the correct version of Go for your app on the workstation where you're running preZero and that at least 16 GB of memory is available.
preZero only analyzes source code, not compiled applications, though the VM or the environment you use should support building Go applications correctly. Try building the Go application first using go build (or make build if you're using a Makefile) command before attempting code analysis.
Supported frameworks:
SCA: To identify open-source vulnerabilities in Go applications, Qwiet preZero requires one of the following package formats: Gopkg.lock, go.mod, go.sum.
Qwiet preZero supports the analysis of Java source code written using Java 7-11, 14-15, or 17, and compiled Java applications written using Java 7-11, 14-15, 17, or 21. Your environment must have the following installed:
- Java SE Runtime Environment 8;
- The correct version of Java for your application;
- At least 16 GB of memory available.
When analyzing source code:
- Ensure that you also have JDK 11 installed on the machine where you're running preZero.
- Make sure that the tool used to build the app such as Maven/Gradle/sbt is installed on the workstation where you're running preZero (Apache Ant is not supported).
When analyzing compiled applications:
- Build the application before submitting to preZero.
Supported frameworks:
| Framework | Supported versions | Notes |
|---|---|---|
| Akka (Java API) | 2.5.x | |
| Akka (Scala API) | 2.5.x | |
| Dropwizard | 1.x, 2.x | |
| Eclipse Vert.x | 3.x | |
| Google Web Toolkit (GWT) | 2.8.x | |
| Jakarta Servlet | 3.x | |
| JAX-RS | 1.x, 2.x | |
| JAX-WS | 2.x | |
| JSF | 2.x | |
| Play (Java API) | 2.4.x, 2.5.x, 2.6.x, 2.7.x | |
| Play (Scala API) | 2.5.x, 2.6.x, 2.7.x | |
| Spark | 2.7.x, 2.8.x, 2.9.x | Refers to the micro web framework, not the Apache Spark project |
| Spring MVC | 3.x, 4.x, 5.x | |
| Spring WebFlux | 5.x | |
| Struts | 2.x | |
| Struts XWork2 | 2.x |
SCA: To identify open-source vulnerabilities in Java/Scala applications, Qwiet preZero requires one of the following package formats: Maven (pom.xml), Gradle (build.gradle, .kts), Scala (SBT)
Qwiet preZero supports the analysis of JavaScript and TypeScript applications. The environment where you run preZero must have:
- Node.js installed and added to your
PATH; - npm or yarn (for building your app) installed;
- At least 16 GB of memory available.
Before analyzing your application, please ensure your code builds correctly with npm or yarn. However, applications should not be built before invoking Qwiet. Qwiet automatically installs the project dependencies and builds the project with custom settings more suitable for security analysis. Performing npm build or even npm install beforehand would prevent Qwiet from working correctly; as such, execute Qwiet against a fresh copy of your application.
When analyzing TypeScript applications, you must have Node 16 (or later) installed.
Supported frameworks:
| Framework | Supported versions | Notes |
|---|---|---|
| Angular.JS (legacy) | 1.x | Limited support |
| Angular | 9 and 10 | Full framework support |
| Angular Next | 11 | Limited support |
| Ember.js | 3.x | Limited support |
| Express | 4.x | Full framework support |
| Express Next | 5.0 | Full framework support |
| Knex.js | > 0.20.x | Limited support |
| Next.js | 9 and 10 | Limited support |
| Nuxt | 2 | Limited support |
| React | Up to 16.5 | Full framework support |
| React Next | > 16.6, 17.0.x | Limited support |
| Node.js LTS | > 12, 14.x | Full framework support |
| Node.js Current | 15.x | Limited support |
| Vue.js | 2.x | Full framework support for v2.x (v3.x is in testing) |
SCA: To identify open-source vulnerabilities in JavaScript (Node.js) applications, Qwiet preZero requires one of the following package formats: package-lock.json, pnpm-lock.yaml, yarn.lock, Rush.js.
If your repository doesn't include a package-lock.json or yarn.lock in the repository, then there are additional steps you must take to ensure that the SCA results you obtain are accurate.
Qwiet preZero supports the analysis of Kotlin applications for Android written using SDK versions 24-30. The environment on which preZero runs must:
- Have at least 16 GB of memory available;
- Have Java SE Runtime Environment 8 installed.
preZero for Kotlin runs on source code and does NOT require the target project to be built beforehand.
Qwiet preZero supports the analysis of applications written using PHP 5.2-8.2. The environment on which preZero runs must have:
- At least 16 GB of memory available;
- Java SE Runtime Environment 11 installed;
- PHP 7.1.0 or higher installed.
In addition, the php executable should be available on the user's PATH.
Though normally available by default on most installations, the Phar and tokenizer modules for PHP also need to be enabled for the analysis to succeed.
This can be checked by running the command php -m (which lists all enabled PHP modules on the system), or by running sl check-environment --php, which will report an error if any of the requirements aren't met.
Qwiet preZero supports the analysis of applications written using Python 3.8 or later.
For Python 3.8 and 3.9, your build environment must have:
- Python 3.8 installed and available in your
PATH - Python 3.9 installed if that is what you're using to write your application
- For Linux users:
- The
python3.8-venvpackage installed; - A glibc-based operating system, such as Ubuntu or Debian, installed; we recommend using Ubuntu 20.04
- The
For Python 3.10 or later, your build environment must have:
- At least 16 GB of memory available;
- Java SE Runtime Environment 8 installed.
Supported frameworks:
| Framework | Supported versions | Notes |
|---|---|---|
| aiohttp | 3.x | Limited support |
| Bottle | 0.12-0.13 | Limited support |
| CherryPy | 18.x | Limited support |
| Django | 3.x | Full framework support |
| Django REST Framework | 3.x | Limited support |
| Falcon | 3.x | Limited support |
| Flask | 1.x | Full framework support |
| Hug | 2.x | Limited support |
| Pyramid | 2.x | Limited support |
| Sanic | 21.x | Limited support |
| Tornado | 6.x | Limited support |
| Vibora | 0.0.6 | Limited support |
SCA: To identify open-source vulnerabilities in Python applications, Qwiet preZero requires one of the following package formats: the Pipfile, requirements.txt, the requirements directory, poetry.lock or setup.py files
Qwiet preZero supports the analysis of applications written in Ruby 2.x and 3.x. The environment on which preZero runs must have:
- At least 16 GB of memory available;
- Java SE Runtime Environment 11 installed.
Supported frameworks:
| Framework | Supported versions | Notes |
|---|---|---|
| Ruby on Rails | 6.x, 7.x | Limited support |
Qwiet preZero supports the analysis of applications written in Scala 2.12 or later.
preZero's code analysis is performed on compiled application bytecode (not on source code). As such, you must build your application before analyzing the application with preZero. Some build tools you might consider include Maven, Gradle, sbt, etc.
SCA: To identify open-source vulnerabilities in Java/Scala applications, Qwiet preZero requires the following package formats: Maven (pom.xml), Gradle (build.gradle, .kts), Scala (SBT)
Qwiet preZero supports the analysis of Terraform projects on workstations with Docker Desktop installed and running.
If you're integrating preZero into a CI/CD system, you must use a Linux build agent. When integrating into Azure Pipelines or GitHub Actions, make sure that you use ubuntu-20.04 as the VM image:
runs-on: ubuntu-20.04
If you cannot use ubuntu-20.04 as the VM image, you may be able to use a Docker-based invocation (though few CI systems, such as GitHub Actions, support this approach). To use a Docker-based invocation, include the --use-docker flag as part of your sl analyze command:
sl analyze --app appName --use-docker --terraform .
Other tools, frameworks, and versions
If you use a framework (or a different version from the ones listed above), it may be compatible with Qwiet. Please contact us for additional details.