RENV

This is the documentation for Threatrix support of the RENV dependency manager for the R language.

Dependencies

Threatrix RENV support requires RENV to be installed on the machine on which the Threat Agent is running. If not already installed, you may install RENV with the following command:

R -e "install.packages(\"renv\")"

Setup

Threatrix RENV support requires an renv.lock file to be present in order to create the bill of materials. If one is not present, it may be created using the following instructions. Once created, it should be committed and managed with your other repository code. Create a file named create-renv-lock in the same directory as the DESCRIPTION file and add the following contents:

# R script for RENV dependency manager that creates package lock file

# Save the current renv settings so they can be restored afterwards
dependency.errors <- getOption("renv.config.dependency.errors")
install.transactional <- getOption("renv.config.install.transactional")
snapshot.validate <- getOption("renv.config.snapshot.validate")

# Relax error handling and validation while the lock file is generated
options(renv.config.dependency.errors = "ignore")
options(renv.config.install.transactional = FALSE)
options(renv.config.snapshot.validate = FALSE)

# Initialize renv and snapshot only the packages listed in DESCRIPTION
renv::init(
    settings = list(snapshot.type = "explicit")
)
renv::snapshot(force=TRUE, type="explicit")

# Restore the original settings
options(renv.config.dependency.errors = dependency.errors)
options(renv.config.install.transactional = install.transactional)
options(renv.config.snapshot.validate = snapshot.validate)

From the directory containing create-renv-lock, run:

R --vanilla -s -q -f ./create-renv-lock

An renv.lock file should be created and present in the same directory as your DESCRIPTION file. Update the renv.lock whenever your DESCRIPTION file is updated, and commit it to your source repo so that it's available with each scan.
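A pre-scan check for a stale lock file, as an added example (not Threatrix or renv code): it lists packages declared in DESCRIPTION that have no entry in renv.lock. It is written in Python so it can run in CI without R; the dependency field list is an assumption and the sample inputs are constructed.

```python
import json
import re

# Packages shipped with R itself ("R" is the interpreter constraint); renv.lock omits them.
BASE_PACKAGES = {"R", "base", "compiler", "datasets", "graphics", "grDevices", "grid",
                 "methods", "parallel", "splines", "stats", "stats4", "tcltk", "tools", "utils"}
# Assumption: the DESCRIPTION fields an "explicit" snapshot records.
DEP_FIELDS = ("Depends", "Imports", "LinkingTo")

def parse_description(text):
    """Parse DCF text into {field: value}, joining indented continuation lines."""
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and current:
            fields[current] += " " + line.strip()
        elif ":" in line:
            current, value = line.split(":", 1)
            fields[current] = value.strip()
    return fields

def declared_packages(description_text):
    """Package names declared in DESCRIPTION, with version constraints stripped."""
    fields = parse_description(description_text)
    names = set()
    for field in DEP_FIELDS:
        for entry in fields.get(field, "").split(","):
            name = re.sub(r"\(.*?\)", "", entry).strip()
            if name:
                names.add(name)
    return names - BASE_PACKAGES

def missing_from_lock(description_text, lock_text):
    """Sorted DESCRIPTION dependencies that have no entry in renv.lock."""
    locked = set(json.loads(lock_text).get("Packages", {}))
    return sorted(declared_packages(description_text) - locked)

# Constructed sample inputs (not taken from a real project).
SAMPLE_DESCRIPTION = ("Package: demo\nDepends: R (>= 4.1)\n"
                      "Imports: jsonlite (>= 1.8.0),\n    httr,\n    utils\nLinkingTo: Rcpp\n")
SAMPLE_LOCK = json.dumps({"R": {"Version": "4.3.1"}, "Packages": {
    "jsonlite": {"Package": "jsonlite", "Version": "1.8.7", "Source": "Repository"},
    "Rcpp": {"Package": "Rcpp", "Version": "1.0.11", "Source": "Repository"}}})

if __name__ == "__main__":
    print(missing_from_lock(SAMPLE_DESCRIPTION, SAMPLE_LOCK))
```

A non-empty result means the bill of materials built from renv.lock would omit a declared dependency, so regenerate and commit the lock file before scanning.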

Usage

No additional steps are necessary. Simply run the Threatrix Threat Agent and it will create the associated bill of materials using RENV.

Errors and Runtime Issues

Timeouts During Execution

If the Threat Agent runs in an environment with RENV but without the required renv.lock file, we will attempt to create the renv.lock ourselves. This may lead to timeouts after 15 minutes.

Best practice is to ensure that your team creates the necessary renv.lock and commits it to your repo so that our agent does not have to recreate it with every scan.
