Configure SCA Reachability for GitHub.com

Overview

The Mend Reachability tool helps you assess the effectiveness of security vulnerabilities associated with open-source components, to prioritize fixing those vulnerabilities. 

We want to reduce developers' security burden by utilizing Mend.io’s innovative differentiation - reachability analysis - easily, as part of the GitHub Repository Integration. This will enable developers to focus on fixing the reachable vulnerabilities in their repository.

In the real world, a medium but reachable vulnerability might be prioritized higher by developers than a critical but unreachable vulnerability.

This article will explain about Mend.io’s Reachability technology in the GitHub.com integration and how to use it.

If you’re an SCA user tasked with fixing vulnerabilities detected in your GitHub.com repositories or creating tasks for others to fix them, this article is for you.

Getting it done

Prerequisites before getting started with Reachability

• Java repository that uses Maven/Gradle OR JavaScript repository that uses npm/Yarn
  Note that Reachability relies on the existence of the following elements in the repository:

  1. Source code files (e.g., .java, .js).

  2. Manifest files (e.g., pom.xml, package.json).

• GitHub.com repository integration

Scanning in the GitHub.com repository integration

Use case for Reachability

The initial use case for reachability is that a repo scan includes a “reachability scan” step. This means that the scan may take longer. In the end, the repo scan results will be enriched with reachability information - the scan report will include a visual indication on whether the listed vulnerability is reachable or not.
Once enabled, the reachability indication will be visible as part of the post-scan reports.

Configure Reachability

To enable reachability analysis as part of the Mend repository integration, the .whitesource file needs to be updated.

Enable Reachability

• Set the enableReachability parameter (located under the scanSettings within the .whitesource file) to true

Viewing results in the repo integration

The Reachability results will be visible in 3 locations within the repository:

1. Checkrun results (Security Check)

2. GitHub Issues

3. Pull Requests 

Viewing the results in the Mend Platform UI

Kindly follow this article for the full details.

Reachability parameters

reachabilityScanDelayHours parameter (located under the scanSettings within the .whitesource file) defines the time interval for which code commits including changes to the existing supported source files will trigger an SCA + reachability check run.

• The default value is 48 hours

• The minimum value that can be set is 4 hours

Reference

Regular Mend SCA check runs are triggered on code commits that include one of the following:

• Changes to packages (manifest) files

• Addition or deletion of supported source files

When reachability is enabled, each Mend SCA check run will include reachability analysis and will be triggered on code commits with the following logic:

• Changes to packages (manifest) files (same as regular SCA check runs)

• Addition or deletion of supported source files (same as regular SCA check runs)

• Changes to existing supported source files - after an elapsed time interval has passed (new for reachability)

Parameters

Repository level parameters (scanSettings)

Check Run Settings (checkRunSettings)

Parameter	Type	Description
strictMode	String	Optional. Default Value: none. Controls the messaging and status of security and license checks in the case of partial scan results (i.e. Mend Scanner experienced issues pulling some of the project’s dependencies during the scan). The available parameter values are: none - When a scan concludes with partial results: No message is shown in the check description. The check status is not affected. warning - When a scan concludes with partial results: A message alerting to the partial results is included in the check description. When possible, the message will also include detailed information and error logs on the cause of the partial results. Partial result details include warning and error messages in the check run. Check run does not fail based on warning or error messages. A project tag "scanError" is not populated with package managers' names. If there was a tag previously → it is removed with the next scan job failure - When a scan concludes with partial results: A message alerting to the partial results is included in the check description. When possible, the message will also include detailed information and error logs on the cause of the partial results. Partial result details include warning and error messages in the check run. Check run fails only on error messages, not on warnings. A project tag "scanError" includes only error-level package managers. failOnWarning - When a scan concludes with partial results: Partial result details include warning and error messages in the check run. Check run fails on both warning and error messages. A project tag "scanError" lists package managers with warnings or errors. Note: For strictMode to work, the vulnerableCheckRunConclusionLevel and licenseCheckRunConclusionLevel parameters must be set to failure or not used.
strictModeInfo	Boolean	Optional. Default Value: false. Controls the inclusion of INFO logs in the Scan Details report. When set to true, this allows info-level messages in all strict modes except none.

Mend Reachability - supported languages

The following languages and their package managers are supported for scanning dependencies with Mend Reachability for GitHub.com.