Prerequisites
The following lists the dependencies required by Qwiet preZero to correctly analyze your app/project. We recommend ensuring that the local workstation on which Qwiet preZero runs mirrors your development environment as closely as possible.
Browser requirements
Qwiet supports the latest versions of Google Chrome and Mozilla Firefox.
Language support and requirements
Qwiet preZero is capable of analyzing applications written in the following languages:
| Language | Versions supported | Extensions | Source/Compiled | Status | SCA |
|---|---|---|---|---|---|
| Apex | 52-60 | .cls | Source | Beta | N/A |
| C/C++ | .cpp,.c++,.cxx,.hp,.hpp,.hh,.h++,.hxx,.c,.cc,.ccm,.cxxm,.c++m,.cp,.h,.i,.tcc | Source | GA | N/A | |
| C# | C# 13 or earlier | .sln, .csproj, .cs, .cshtml, .xaml | Source | GA | Yes |
| Go | 1.12-1.24 | .go | Source | GA | Yes |
| Java | Java 7-11, 14-15, 17, 21 or 23 | .jar, .war, .ear, .jsp (if stored in jar) | Compiled | GA | Yes |
| Java | Java 21 or earlier | .java | Source | GA | Yes |
| JavaScript, TypeScript | ES6 | .js, .jsx, .cjs, .mjs, .xsjs, .xsjslib, .ts, .tsx,.vue, .ejs, .pug | Source | GA | Yes |
| Kotlin | 1.9.23 or earlier | .kt | Source | Beta | Yes |
| PHP | 5.4-8.3 | .php | Source | Beta | Yes |
| PL/SQL | 11g-12.2, 18c, 19c, 21c | .sql | Source | Beta | N/A |
| Python | 3.5 to 3.13 or later | .py | Source | GA | Yes |
| Ruby | 2.x, 3.x | .rb, Gemfile.lock | Source | Beta | Yes |
| Scala | Scala 2.12 or later | .jar, .war | Compiled | GA | Yes |
| Swift | 5.10.1 or earlier | .swift, .plist | Source | Alpha | Yes |
| Terraform | .tf | Source | GA | N/A |
⚠️ Qwiet preZero cannot analyze encrypted or obfuscated artifacts (e.g., encrypted/obfuscated JAR or WAR) or encrypted code.
SCA
preZero's SCA supports the following languages, build tools, and package managers.
| Language | Build tool/package format |
|---|---|
| C# | .sln, .csproj, packages.config, <project>.deps.json |
| Go | go.mod, go.sum, Gopkg.lock |
| Java/Scala | Maven (pom.xml), Gradle (build.gradle, .kts), Scala (.sbt) |
| Node.js | package-lock.json, pnpm-lock.yaml, yarn.lock, rush.json |
| Python | setup.py, requirements.txt, pipfile.lock, poetry.lock |
| Ruby | Gemfile, Gemfile.lock |
Language-specific requirements
- C/C++
- C#
- Go
- Java
- JS/TS
- Kotlin
- PHP
- Python
- Ruby
- Scala
- Terraform
Qwiet preZero supports the analysis of C and C++ applications on machines with Java 11 (or later) installed and at least 16 GB of memory available.
Optional: In the environment where you're running Qwiet AI, ensure that GCC and g++ are installed for auto-discovery of C/C++ system header files if included/used in your C/C++ code.
Supported frameworks
| Name | Category |
|---|---|
| C stdlib | Memory handling functions |
| curl | HTTP Client |
| libyaml | Data Serialization Library |
| mongo | Database Client |
| openssl | Cryptograhpic Library |
| talloc | Allocation Library |
Qwiet preZero is supported on Windows (arm64, x86, x64), Linux (arm64, x64), and macOS (arm64, x64). No extra installations besides the Qwiet CLI are required (see Installation) to run analyses.
We recommend running preZero on a machine with:
- At least 16 GB of memory available;
- At least 2 CPU cores;
- (on Linux) an up-to-date distribution, e.g. at least Cent OS 9.
Supported namespaces and frameworks:
Supported frameworks
| Name | Category |
|---|---|
| Abp | Web Framework |
| Amazon S3 | Cloud Storage Library |
| Amazon DynamoDB | Database Client Library |
| Amazon SQS | Queue Framework |
| Microsoft Azure Cosmos | Database Client Library |
| Microsoft Azure Storage | Cloud Storage Library |
| Microsoft Azure ServiceBus | Messaging Framework |
| Microsoft Azure WebJobs | Background Task Framework |
| Microsoft Azure Functions | Application Framework |
| Microsoft Data SqlClient | Database Client Library |
| Microsoft EntityFramework (Core) | Database Client Library, ORM |
| Microsoft ASP.NET (Core) | Web Framework |
| BouncyCastle | Cryptographic Library |
| Confluent/Kafka | Queue Framework |
| Couchbase | Database Client Library |
| Dapper | Database Client Library |
| Devart.Data.SQLite | Database Client Library |
| Flurl | HTTP Client Library |
| Google Protobuf | Serialization Library |
| IBM.Data.Db2 | Database Client Library |
| Google Cloud Storage | Cloud Storage Library |
| Jint | Script Engine |
| MessagePack | Serialization Library |
| MongoDB | Database Client Library |
| Mono.Data.Sqlite | filePath, sql, sqlConnection |
| MySql | Database Client Library |
| MySqlConnector | Database Client Library |
| Nest | Database Client Library |
| Newtonsoft.Json | Serialization Library |
| Npgsql | Database Client Library |
| Oracle Database | Database Client Library |
| Owin | Web Framework |
| RabbitMQ | Queue Framework |
| RestSharp | HTTP Client Library |
| SendGrid | Email Client Library |
| Serilog | Logging Library |
| ServiceStack | Web Service Client Library |
| StackExchange.Redis | Database Client Library |
| log4net | Logging Library |
| reactivecommons | Queue Framework |
preZero is also compatible with ASP.NET Core, Razor, and Blazor applications.
SCA: To identify open-source vulnerabilities in C# applications, Qwiet preZero requires one of the following package formats: .csproj, <project>.deps.json, packages.config.
Qwiet preZero supports the analysis of applications written in Go 1.12 - 1.23. Ensure that you've installed the correct version of Go for your app on the workstation where you're running preZero and that at least 16 GB of memory is available.
preZero only analyzes source code, not compiled applications, though the VM or the environment you use should support building Go applications correctly. Try building the Go application first using go build (or make build if you're using a Makefile) command before attempting code analysis.
Supported frameworks:
| Name | Type |
|---|---|
| andybalholm/brotli | Compression Library |
| aws/aws-sdk-go | Cloud Service SDK |
| Beego | Web Framework |
| cobra | CLI Library |
| codeskyblue/go-sh | Command Execution Library |
| confluentinc/confluent-kafka-go | queue, kafka |
| datadog/datadog-go | Metrics Client Library |
| davecgh/go-spew | Logging Library |
| Echo | Web Framework |
| fasthttp | Web Framework |
| gen2brain/go-unarr | Compression Library |
| georgysavva/scany | Database Client Library |
| getsentry/sentry-go | Logging Library |
| gin-gonic | Web Framework |
| go-chi | Web Framework |
| go-git | Git Library |
| go-gorp | Database Client Library |
| go-kit | Microservice Framework |
| go-openapi | Web API Framework |
| go-pg | Database Client Library |
| go-redis | Database Client Library |
| go-sql-driver | Database Client Library |
| gocarina/gocsv | CSV Library |
| golang-jwt | JWT Library |
| gomodule/redigo | Database Client Library |
| gorilla/mux | Web Server Library |
| hashicorp/go-retryablehttp | HTTP Client Library |
| html/template | Templating Library |
| HttpRouter | Web Server Library |
| jackc/pgx | Database Client Library |
| jinzhu/gorm | Database Client Library |
| jmoiron/sqlx | Database Client Library |
| logrus | Logging Library |
| net/http | HTTP Client and Server Library |
| nmcclain/ldap | LDAP Client Library |
| olivere/elastic | Database Client Library |
| rs/core | CORS Library |
| rs/zerolog | Logging Library |
| rye | HTTP Server Library |
| shurcool/graphql | Database Client Library |
SCA: To identify open-source vulnerabilities in Go applications, Qwiet preZero requires one of the following package formats: Gopkg.lock, go.mod, go.sum.
Qwiet preZero supports the analysis of Java source code written using Java 21 or earlier, and compiled Java applications written using Java 7-11, 14-15, 17, or 21. Your environment must have the following installed:
- Java SE Runtime Environment 8;
- The correct version of Java for your application;
- At least 16 GB of memory available.
When analyzing source code:
- Ensure that you also have JDK 11 installed on the machine where you're running preZero.
- Make sure that the tool used to build the app such as Maven/Gradle/sbt is installed on the workstation where you're running preZero (Apache Ant is not supported).
When analyzing compiled applications:
- Build the application before submitting to preZero.
Supported frameworks:
| Name | Category |
|---|---|
| Akka | Web Framework |
| Alibaba | Database |
| Amazon | Web framework, Database, Storage, Crypto |
| Android | Database, File handling, Logging, Code execution, Message handling |
| Apache | Utility library |
| Apache Sling | REST Web framework |
| Apache Struts | Web framework |
| aspectj | reflection |
| asynchttpclient | authenticate, httpClient, httpHeader, ssrf |
| atmosphere | executeCode, http, servletrequestwrapper |
| auth0 | crypto, unverifiedJWTParse |
| awspring | queue, queueName |
| azure | cloud, file, filePath, httpClientHeader, ssrf |
| Bouncycastle | Crypto Library |
| cloudfoundry | LDAP library |
| couchbase | Database NOSQL |
| cronutils | Cron job library |
| datastax | Database |
| Direct Web Remoting | Communication framework |
| dom4j | XML framework |
| dropbox | cloud, credentials, exception, filePath |
| dropwizard | Web service |
| eclipse | HTTP Server |
| elasticsearch | Database |
| esotericsoftware | deserialization, input, reflection, serialization |
| fasterxm | XML framework |
| feign | HTTP framework |
| Finagle | RPC Framework |
| flywaydb | Database |
| freemarker | Templating framework |
| github | File handling, HTTP requests, Templating |
| glassfish | HTTP requests, Authentication, Credentials, File handling |
| Crypto, Database, File handling, HTTP handling, Protobuf | |
| Google Cloud Pub/Sub | Messaging service |
| googlecode | HTTP handling, RPC handling |
| groovy/lang | Code Execution |
| grpc | Server side request forging |
| gRPC Spring Boot Starter | gRPC Framework |
| Guava | Utility library |
| hibernate | Database |
| http4k | HTTP handling |
| http4s | HTTP handling |
| hudson | HTTP handling, Secure configuration |
| Ibatis | Database |
| Jackson | XML framework |
| jakarta | Web Service |
| jasypt | Crypto Library |
| Java Runtime | Support for Authentication, Crypto, Code execution, network, HTTP connections, Database, Serialization, File handling, LDAP, Mail, XPath |
| javalin | HTTP library |
| JAX-RS / Jakarta RESTful Web Services | REST Web framework |
| JAX-WS / Jakarta XML Web Services | SOAP Web service |
| jaxen | Xpath library |
| jboss | HTTP handling, Serialization |
| jcraft | Utility library |
| jdom | XML library |
| jdom2 | XML library |
| jenkins | Task execution framework |
| jooq | Database |
| jpmml | XML library |
| json | JSON library (Scala) |
| jsoniter | JSON library |
| jsonwebtoken | JWT library |
| jsoup | HTTP handling and XML library |
| jxl | Utility library |
| kairosdb | Database |
| keycloak | Secure identity and access management. |
| lettuce | Database |
| lightcouch | Database |
| HTTP requests | |
| Log4j | Logging library |
| Log4s | Logging library |
| Loophole MVC (lmvc) | Application framework |
| mapdb | File handling |
| mariadb | Database |
| mashape | Serialization |
| micronaut | Microservices framework |
| microsoft | Cloud, Database, File handling |
| mongodb | NoSQL database |
| nanohttpd | Server library |
| neo4j | NoSQL database |
| netflix | Database |
| netscape | Support for Database, LDAP |
| netty | Network library |
| nimbusds | JOSE/JWT library |
| novell | Network library |
| ognl | Object-Graph Navigation Language library, support for code executioin |
| okhttp3 | HTTP request library |
| okio | Streaming library |
| opencsv | CSV library |
| opensaml | Authentication library |
| OpenSymphony | Web Framework |
| opensymphony | Web framework suite |
| oracle | Database |
| OSGI Dependency Injection | Dependency framework |
| play | Web framework |
| postgresql | Database |
| prometheus | Monitoring library |
| qos | Logging |
| quartz | Job scheduler library |
| rabbitmq | Message broker library |
| reactor | Streaming library |
| redis | Database |
| redisson | Database |
| RESTEasy | REST Web framework |
| restlet | REST framework |
| retrofit2 | HTTP/REST client library |
| rocksdb | Database |
| rsa | Cryptography |
| scala | Built in language features |
| scalikejdbc | Database |
| schlichtherle | File handling library |
| sendgrid | Email library |
| Servlets | Web framework |
| sf | XML library |
| simpleflatmapper | Data mapping library |
| slf4j | Logging library |
| slick | Database |
| Spark | web framework |
| Spring (boot, web, core, event, data, reactive, security, ...) | Web Framework |
| springfox | Support for insecure regex handling |
| squareup | Payment library |
| sun | Utility libraries, support for authentication, HTTP handling, LDAP, network, XML, Xpath |
| thoughtworks | XML and serialization support |
| thymeleaf | Templating engine |
| trilead | SSH library |
| twilio | Cloud platform APIs for SMS, voice and video. |
| Support for HTTP handling and serialization | |
| vertx | Java application framework |
| vmware | Support for serialization and HTTP handing |
| w3c | XML library |
| xmlunit | XML library |
| zeromq | Messaging library |
| zeroturnaround | Development library |
SCA: To identify open-source vulnerabilities in Java/Scala applications, Qwiet preZero requires one of the following package formats: Maven (pom.xml), Gradle (build.gradle, .kts), Scala (SBT)
Qwiet preZero supports the analysis of JavaScript and TypeScript applications. The environment where you run preZero must have:
- Node.js installed and added to your
PATH; - npm or yarn (for building your app) installed;
- At least 16 GB of memory available.
Before analyzing your application, please ensure your code builds correctly with npm or yarn. However, applications should not be built before invoking Qwiet. Qwiet automatically installs the project dependencies and builds the project with custom settings more suitable for security analysis. Performing npm build or even npm install beforehand would prevent Qwiet from working correctly; as such, execute Qwiet against a fresh copy of your application.
When analyzing TypeScript applications, you must have Node 16 (or later) installed.
Supported frameworks:
| Name | Category |
|---|---|
| Angular | Web Framework |
| apollo | GraphQL Client Library |
| arangojs | Database Client Library |
| autocannon | HTTP Client Library |
| AWS CDK | Cloud Infrastructure Provisioning |
| AWS Lambda | Application Framework |
| AWS SDK | Cloud Service Library |
| axios | HTTP Client Library |
| bcrypt | Crytographic Library |
| body-parser | HTTP Middleware |
| connect-mongo | Database Client Library |
| cookie | HTTP Middleware |
| cors | HTTP Middleware |
| cors-anywhere | HTTP Middleware |
| cross-fetch | HTTP Client Library |
| crypto-js | Crytographic Library |
| db | Database Client Library |
| Deno | JavaScript Runtime |
| Egg | Web Framework |
| EJS | Template Library |
| Electron | Application Framework |
| Express | HTTP Server Library |
| express-validator | HTTP Middleware |
| fastify | Web Framework |
| fs-extra | File System Library |
| GRPC | RPC Framework |
| hapi | Web Framework |
| Helmet | HTTP Middleware |
| joi | HTTP Middleware |
| jose | JWT Library |
| js-cookie | HTTP Middleware |
| js-yaml | Serialization Library |
| js-yaml | Serialization Library |
| json-to-graphql-query | GraphQL Client Library |
| jsonwebtoken | JWT Library |
| jwt-simple | JWT Library |
| knex | Database Client Library |
| koa | Web Framework |
| libxml | XML Library |
| lodash | Utility Library |
| loopback | Microservice Library |
| marsdb | Database Client Library |
| mikro-orm | Database Client Library |
| mongodb | Database Client Library |
| mongoose | Database Client Library |
| Multer | HTTP Middleware |
| mysql | Database Client Library |
| Needle | HTTP Client Library |
| needle | HTTP Client Library |
| NestJS | Web Framework |
| Next.js | Web Framework |
| node-fetch | HTTP Client Library |
| node-serialize | Serialization Library |
| Node.js | JavaScript Runtime |
| Nuxt | Web Framework |
| oracledb | Database Client Library |
| pg | Database Client Library |
| Pug | Template Library |
| pug | Templating Library |
| React | Frontend Framework |
| React Native | UI Framework |
| request | HTTP Client Library |
| request | HTTP Client Library |
| request-promise | HTTP Client Library |
| rxjs | Reactive Application Library |
| SAP Hana | Database Client Library |
| sendgrid | Email Client Library |
| Sequelize | Database Client Library |
| sequelize | Database Client Library |
| serve-index | HTTP Middleware |
| serve-index | HTTP Middleware |
| serve-static | HTTP Middleware |
| shelljs | Command Execution Library |
| sqlite3 | Database Client Library |
| sqs-consumer | Queue Framework |
| sqs-consumer | Queue Framework |
| superagent | HTTP Client Library |
| superagent | HTTP Client Library |
| Swig | Template Library |
| tRPC | RPC Framework |
| ts-md5 | Cryptographic Library |
| type-graphql | GraphQL Framework |
| TypeORM | Database Client Library |
| typeorm | Database Client Library |
| vm | Scripting Engine |
| Vue.js | Frontend Framework |
| winston | Logging Library |
| ws | WebSocket Library |
SCA: To identify open-source vulnerabilities in JavaScript (Node.js) applications, Qwiet preZero requires one of the following package formats: package-lock.json, pnpm-lock.yaml, yarn.lock, Rush.js.
If your repository doesn't include a package-lock.json or yarn.lock in the repository, then there are additional steps you must take to ensure that the SCA results you obtain are accurate.
Qwiet preZero supports the analysis of Kotlin applications for Android written using SDK versions 24-30. The environment on which preZero runs must:
- Have at least 16 GB of memory available;
- Have Java SE Runtime Environment 8 installed.
preZero for Kotlin runs on source code and does NOT require the target project to be built beforehand.
Supported frameworks
| Name | Category |
|---|---|
| kotlin-logging | Logging library |
| kotlin built in | Support for loggin, file handling |
Qwiet preZero supports the analysis of applications written using PHP 5.2-8.3. The environment on which preZero runs must have:
- At least 16 GB of memory available;
- Java SE Runtime Environment 11 installed;
- PHP 7.4 or higher installed.
In addition, the php executable should be available on the user's PATH.
Though normally available by default on most installations, the Phar and tokenizer modules for PHP also need to be enabled for the analysis to succeed.
This can be checked by running the command php -m (which lists all enabled PHP modules on the system), or by running sl check-environment --php, which will report an error if any of the requirements aren't met.
Supported frameworks
| Name | Type |
|---|---|
| ArangoDBClient | Database Bindings |
| Carbon | Time Library |
| curl | Web requests |
| Firebase php-jwt | JWT Library |
| Guzzle | HTTP client |
| Laravel | Web framework |
| Symfony | Web framework |
| Yii Framework | Web framework |
Qwiet preZero supports the analysis of applications written using Python 3.8 or later.
For Python 3.8 and 3.9, your build environment must have:
- Python 3.8 installed and available in your
PATH - Python 3.9 installed if that is what you're using to write your application
- For Linux users:
- The
python3.8-venvpackage installed; - A glibc-based operating system, such as Ubuntu or Debian, installed; we recommend using the latest Ubuntu release
- The
For Python 3.10 or later, your build environment must have:
- At least 16 GB of memory available;
- Java SE Runtime Environment 8 installed.
Supported frameworks:
| Name | Type |
|---|---|
| aiohttp | HTTP Client |
| aiopg | Database Library |
| AWS Lambda | Application Framework |
| boto3 | Cloud Service Client Library |
| csv | CSV Parser |
| Django | Web Framework |
| Django REST Framework | Web Framework Helpers |
| FastAPI | Web Framework |
| Flask | Web Framework |
| Flask-Classful | Web Framework Helpers |
| jinja2 | Template Engine |
| mysql | Database Client |
| psycopg2 | Database Client |
| redis | Database Client |
| Requests | HTTP Client |
| sqlalchemy | Database Client ORM |
| sqlite3 | Database Client |
| subprocess | Command Execution Library |
| Temporal IO | Application Framework |
| urllib | HTTP Client |
| werkzeug | HTTP Library |
SCA: To identify open-source vulnerabilities in Python applications, Qwiet preZero requires one of the following package formats: the Pipfile, requirements.txt, the requirements directory, poetry.lock or setup.py files
Qwiet preZero supports the analysis of applications written in Ruby 2.x and 3.x. The environment on which preZero runs must have:
- At least 16 GB of memory available;
- Java SE Runtime Environment 11 installed.
Supported frameworks:
| Name | Category |
|---|---|
| ActiveRecord | Database Client |
| net/http | HTTP CLient |
| OpenSSL | Cryptographic Library |
| Ruby on Rails | Web Framework |
| rexml | XML Library |
| Sinatra | Web Framework |
| sqlite3 | Database Client |
| xml-simple | XML Library |
| zeitwerk | Module/Class Loader |
Qwiet preZero supports the analysis of applications written in Scala 2.12 or later.
preZero's code analysis is performed on compiled application bytecode (not on source code). As such, you must build your application before analyzing the application with preZero. Some build tools you might consider include Maven, Gradle, sbt, etc.
SCA: To identify open-source vulnerabilities in Java/Scala applications, Qwiet preZero requires the following package formats: Maven (pom.xml), Gradle (build.gradle, .kts), Scala (SBT)
Qwiet preZero supports the analysis of Terraform projects on workstations with Docker Desktop installed and running.
If you're integrating preZero into a CI/CD system, you must use a Linux build agent. When integrating into Azure Pipelines or GitHub Actions, make sure that you use ubuntu-latest as the VM image:
runs-on: ubuntu-latest
If you cannot use ubuntu-latest as the VM image, you may be able to use a Docker-based invocation (though few CI systems, such as GitHub Actions, support this approach). To use a Docker-based invocation, include the --use-docker flag as part of your sl analyze command:
sl analyze --app appName --use-docker --terraform .
Other tools, frameworks, and versions
If you use a framework (or a different version from the ones listed above), it may be compatible with Qwiet. Please contact us for additional details.