Recommended Steps
- Adopt Conan (or Another Manager)
  If you rely on external libraries, use a package manager like Conan that can produce `conan.lock`.
- Generate & Commit `conan.lock`
  - Ensure you have a Conan profile set up: run `conan profile detect` (if needed).
  - Run `conan lock create . --lockfile-out=conan.lock` to produce the lockfile.
  - Run `conan install` to install dependencies using your lockfile.
  - Commit `conan.lock` so everyone uses the exact same library versions.
- Keep a Clean Codebase
  Add any `.deps/` or build artifacts to `.gitignore` so that only the lockfile and source are tracked.
Why You Should Use Lockfiles
Using a lockfile is critical for secure and predictable builds. A lockfile contains a fixed version and a hash for each dependency and sub-dependency in your project.
- Supply Chain Protection
  Lockfiles prevent malicious package injections. This is crucial as supply chain attacks are rising.
- Predictable Builds
  Everyone uses the exact same package versions, avoiding "it works on my machine" inconsistencies.
- Performance Gains
  With dependency versions locked, build tools skip the usual resolution step, making builds faster.
Lockfiles are never edited manually. They’re generated and updated by your package manager and committed to your repository, ensuring consistent environments for all teammates.
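The "fixed version and a hash" above is, in a Conan 2.x `conan.lock`, a reference of the form `name/version#recipe_revision%timestamp`. The following added example (not CybeDefend's or Conan's own code) parses such a lockfile and reports any dependency that is listed without a recipe revision, which is the check a reviewer would want before trusting a committed lockfile; the sample lockfile and its revision hashes are constructed placeholders.

```python
import json
import re

# Constructed sample of a Conan 2.x conan.lock; revisions/timestamps are placeholders.
SAMPLE_LOCK = """{
    "version": "0.5",
    "requires": [
        "zlib/1.3.1#ffa77ce2a9a0ea4e7f6a2a4e0f1b5c8d%1710000000.0",
        "fmt/10.2.1#0123456789abcdef0123456789abcdef%1710000001.0",
        "openssl/3.2.1"
    ],
    "build_requires": [
        "cmake/3.28.1#fedcba9876543210fedcba9876543210%1710000002.0"
    ],
    "python_requires": []
}"""

# A Conan 2 reference: name/version[@user/channel][#recipe_revision][%timestamp]
REF_RE = re.compile(
    r"^(?P<name>[^/@#%]+)/(?P<version>[^@#%]+)"
    r"(?:@(?P<user>[^/@#%]+)/(?P<channel>[^@#%]+))?"
    r"(?:#(?P<rrev>[0-9a-f]+))?(?:%(?P<timestamp>[0-9.]+))?$"
)


def parse_reference(ref):
    """Split one lockfile reference into its named parts (missing parts are None)."""
    match = REF_RE.match(ref)
    if not match:
        raise ValueError(f"unrecognised Conan reference: {ref!r}")
    return match.groupdict()


def load_lockfile(text):
    """Parse conan.lock text into {section: [parsed reference, ...]}."""
    data = json.loads(text)
    if "version" not in data:
        raise ValueError("not a Conan 2 lockfile: missing 'version' key")
    return {section: [parse_reference(r) for r in data.get(section, [])]
            for section in ("requires", "build_requires", "python_requires")}


def unpinned_references(lock):
    """Return 'name/version' for every entry that carries no recipe revision hash."""
    return [f"{r['name']}/{r['version']}"
            for refs in lock.values() for r in refs if r["rrev"] is None]


if __name__ == "__main__":
    for ref in unpinned_references(load_lockfile(SAMPLE_LOCK)):
        print(f"WARNING: {ref} has no recipe revision pinned")
```

Run it against a real `conan.lock` by reading the file instead of `SAMPLE_LOCK`; an empty result means every dependency is pinned to a specific recipe revision.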
Generating a Conan Lockfile
For Conan 2.x projects, use the following command in your project directory: `conan lock create . --lockfile-out=conan.lock`
Supported Files for C/C++
| File Examples |
|---|
| conan.lock, CMakeLists.txt, .cpp, .h, conanfile.py, conanfile.txt |
CybeDefend can detect vulnerabilities in known C/C++ libraries if your lockfile references them. Without a lockfile, your scanning might be incomplete or prone to version ambiguity.