Skip to main content
Skip table of contents

Configure SCA Reachability for GitHub.com

Overview

The Mend Reachability tool helps you assess the effectiveness of security vulnerabilities associated with open-source components, to prioritize fixing those vulnerabilities. 

We want to reduce developers' security burden by utilizing Mend.io’s innovative differentiation - reachability analysis - easily, as part of the GitHub Repository Integration. This will enable developers to focus on fixing the reachable vulnerabilities in their repository.

In the real world, a medium but reachable vulnerability might be prioritized higher by developers than a critical but unreachable vulnerability.

This article will explain about Mend.io’s Reachability technology in the GitHub.com integration and how to use it.

If you’re an SCA user tasked with fixing vulnerabilities detected in your GitHub.com repositories or creating tasks for others to fix them, this article is for you.

Getting it done

Prerequisites before getting started with Reachability

Scanning in the GitHub.com repository integration

Use case for Reachability

The initial use case for reachability is that a repo scan includes a “reachability scan” step. This means that the scan may take longer. In the end, the repo scan results will be enriched with reachability information - the scan report will include a visual indication on whether the listed vulnerability is reachable or not.
Once enabled, the reachability indication will be visible as part of the post-scan reports.

Configure Reachability

To enable reachability analysis as part of the Mend repository integration, the .whitesource file needs to be updated.

Enable Reachability

  • Set the enableReachability parameter (located under the scanSettings within the .whitesource file) to true

Viewing results in the repo integration

The Reachability results will be visible in 3 locations within the repository:

  1. Checkrun results (Security Check)

  2. GitHub Issues

  3. Pull Requests

image-20240322-111946.png

1. Reachability Status in the Security Check

image-20240322-113108.png

2. Reachability Status in the GitHub Issue

image-20240322-112517.png

3. Reachability Status in the Pull Request

Viewing the results in the Mend Core Application UI

Kindly follow this article for the full details.

Reachability parameters

reachabilityScanDelayHours parameter (located under the scanSettings within the .whitesource file) defines the time interval for which code commits including changes to the existing supported source files will trigger an SCA + reachability check run.

  • The default value is 48 hours

  • The minimum value that can be set is 24 hours

Reference

Regular Mend SCA check runs are triggered on code commits that include one of the following:

  • Changes to packages (manifest) files

  • Addition or deletion of supported source files

When reachability is enabled, each Mend SCA check run will include reachability analysis and will be triggered on code commits with the following logic:

  • Changes to packages (manifest) files (same as regular SCA check runs)

  • Addition or deletion of supported source files (same as regular SCA check runs)

  • Changes to existing supported source files - after an elapsed time interval has passed (new for reachability)

Parameters

Repository level parameters (scanSettings)

Parameter

Type

Description

enableReachability

Boolean

Required to enable Mend Reachability scan

reachabilityScanDelayHours

Float

Optional. Default Value: 48. Specifies the time interval for triggering an SCA + Reachability check run after code commits that include changes to the existing supported source files.

  • The minimum value that can be set is 24 hours

Check Run Settings (checkRunSettings)

Parameter

Type

Description

strictMode

String

Optional. Default Value: none. Controls the messaging and status of security and license checks in the case of partial scan results (i.e. Mend Scanner experienced issues pulling some of the project’s dependencies during the scan). The available parameter values are:

  • none - When a scan concludes with partial results:

    • No message is shown in the check description.

    • The check status is not affected.

  • warning - When a scan concludes with partial results:

    • A message alerting to the partial results is included in the check description. When possible, the message will also include detailed information and error logs on the cause of the partial results.

    • Partial result details include warning and error messages in the check run.

    • Check run does not fail based on warning or error messages.

    • A project tag "scanError" is not populated with package managers' names.

      • If there was a tag previously → it is removed with the next scan job

  • failure - When a scan concludes with partial results:

    • A message alerting to the partial results is included in the check description. When possible, the message will also include detailed information and error logs on the cause of the partial results.

    • Partial result details include warning and error messages in the check run.

    • Check run fails only on error messages, not on warnings.

    • A project tag "scanError" includes only error-level package managers.

  • failOnWarning - When a scan concludes with partial results:

    • Partial result details include warning and error messages in the check run.

    • Check run fails on both warning and error messages.

    • A project tag "scanError" lists package managers with warnings or errors.

Note: For strictMode to work, the vulnerableCheckRunConclusionLevel and licenseCheckRunConclusionLevel parameters must be set to failure or not used.

strictModeInfo

Boolean

Optional. Default Value: false. Controls the inclusion of INFO logs in the Scan Details report.

  • When set to true, this allows info-level messages in all strict modes except none.

Mend Reachability - supported languages

The following languages and their package managers are supported for scanning dependencies with Mend Reachability for GitHub.com .

Language

Package Manager

Details

Java

Gradle

Configuration file(s): build.gradle, settings.gradle

Java

Maven

Configuration file(s): settings.xml

JavaScript

npm

Configuration file(s): package.json

JavaScript

Yarn

Configuration file(s): package.json

Python

pip

Configuration file(s): requirements.txt

Python

Pipenv

Configuration file(s): Pipfile & Pipfile.lock

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.