Configure SCA Reachability for Mend Developer Platform
Overview
The Mend Reachability tool helps you assess the effectiveness of security vulnerabilities associated with open-source components, to prioritize fixing those vulnerabilities.
We want to reduce developers' security burden by utilizing Mend.io’s innovative differentiation - reachability analysis - easily, as part of the Mend Developer Platform. This will enable developers to focus on fixing the reachable vulnerabilities in their repository.
In the real world, a medium but reachable vulnerability might be prioritized higher by developers than a critical but unreachable vulnerability.
This article will explain about Mend.io’s Reachability technology in the Mend Developer Platform and how to use it.
Getting it done
Prerequisites before getting started with Reachability
Mend Developer Platform installed with a Mend paid account connected to your source code repository.
A repository that uses one of the supported package managers.
Note that Reachability relies on the existence of the following elements in the repository:Source code files (e.g., .java, .js).
Manifest files (e.g., pom.xml, package.json).
Scanning in the Mend Developer Platform with Reachability
Use case for Reachability
The initial use case for reachability is that a repo scan includes a “reachability scan” step. This means that the scan may take longer. In the end, the repo scan results will be enriched with reachability information - the scan report will include a visual indication on whether the listed vulnerability is reachable or not.
Once enabled, the reachability indication will be visible as part of the post-scan reports.
Enable Reachability
To enable Reachability scans on the Mend Developer Platform, navigate to the Workspace or Project settings menu.
Navigate to Depedencies in the left navigation menu.
Enable the Reachability toggle, and set up the scan delay, which defines the time interval for which code commits, including changes to the existing supported source files, will trigger an SCA and Reachability check run
Click SAVE.
Viewing results in the Mend Developer Platform
The Reachability results will be visible in 3 locations within the repository:
Check Run results (Security Check)
Azure DevOps Work Items / Bitbucket Issues
1. Reachability Status in the Security Check
2. Reachability Status in the Issue
Viewing the results in the Mend Platform UI
Kindly follow this article for the full details.
Reference
Regular Mend SCA check runs are triggered on code commits that include one of the following:
Changes to packages (manifest) files
Addition or deletion of supported source files
When reachability is enabled, each Mend SCA check run will include reachability analysis and will be triggered on code commits with the following logic:
Changes to packages (manifest) files (same as regular SCA check runs)
Addition or deletion of supported source files (same as regular SCA check runs)
Changes to existing supported source files - after an elapsed time interval has passed (new for reachability)
Supported Languages
The following languages and their package managers are supported for scanning dependencies with SCA Reachability for the Mend Developer Platform.
Language | Package Manager | Details |
|---|---|---|
DotNet | Nuget | Configuration file(s): .nuspec, packages.config, .csproj, project.assets.json, packages.lock.json |
Java | Gradle | Configuration file(s): build.gradle, settings.gradle |
Java | Maven | Configuration file(s): pom.xml, settings.xml |
JavaScript | npm | Configuration file(s): package.json, package-lock.json |
JavaScript | Yarn | Configuration file(s): package.json, yarn.lock |
JavaScript | Lerna (repo only) | Configuration file(s): |
JavaScript | pnpm (repo only) | Configuration file(s): |
Python | pip | Configuration file(s): requirements.txt |
Python | Pipenv | Configuration file(s): Pipfile & Pipfile.lock |
Python | Poetry | Configuration file(s): pyproject.toml, poetry.lock |
Supported versions of each language or package manager are listed here.