Configure SCA Reachability in Azure DevOps

Overview

The Mend Reachability tool helps you assess the effectiveness of security vulnerabilities associated with open-source components, to prioritize fixing those vulnerabilities. 

We want to reduce developers' security burden by utilizing Mend.io’s innovative differentiation - reachability analysis - easily, as part of the Mend Developer Platform. This will enable developers to focus on fixing the reachable vulnerabilities in their repository.

In the real world, a medium but reachable vulnerability might be prioritized higher by developers than a critical but unreachable vulnerability.

This article will explain about Mend.io’s Reachability technology in the Mend Developer Platform and how to use it.

Getting it done

Prerequisites before getting started with Reachability

• Mend Developer Platform installed with a Mend paid account connected to your source code repository.

• A repository that uses one of the supported package managers.
  Note that Reachability relies on the existence of the following elements in the repository:

  1. Source code files (e.g., .java, .js).

  2. Manifest files (e.g., pom.xml, package.json).

Scanning in the Mend Developer Platform with Reachability

Use case for Reachability

The initial use case for reachability is that a repo scan includes a “reachability scan” step. This means that the scan may take longer. In the end, the repo scan results will be enriched with reachability information - the scan report will include a visual indication on whether the listed vulnerability is reachable or not.
Once enabled, the reachability indication will be visible as part of the post-scan reports.

Enable Reachability

1. To enable Reachability scans on the Mend Developer Platform, navigate to the organization or project settings.

   

2. Choose Dependencies from the left navigation menu.

3. Scroll down and enable the Reachability toggle, and set up the scan delay, which defines the time interval for which code commits, including changes to the existing supported source files, will trigger an SCA and Reachability check run

4. Click SAVE.

   

Viewing results in the Mend Developer Platform

The Reachability results will be visible in the following locations within the repository:

1. Check Run results (Security Check)

2. Work Items (Azure DevOps) / Issues (Bitbucket and GitHub)

Viewing the results in the Mend Platform UI

Kindly follow this article for the full details.

Reference

Regular Mend SCA check runs are triggered on code commits that include one of the following:

• Changes to packages (manifest) files

• Addition or deletion of supported source files

When reachability is enabled, each Mend SCA check run will include reachability analysis and will be triggered on code commits with the following logic:

• Changes to packages (manifest) files (same as regular SCA check runs)

• Addition or deletion of supported source files (same as regular SCA check runs)

• Changes to existing supported source files - after an elapsed time interval has passed (new for reachability)

Supported Languages

The Reachability Supported column in the the table below indicates which languages and package managers are Reachability-supported in the Mend Developer Platform.