
Insights on Scan Errors and Warnings for Mend Repository Integrations

Overview

The enhanced insights view of Mend’s Repository Integrations scans was created to provide visibility into the meaningful stages of SCA detection.

This is intended to provide an enterprise-level detection solution with visibility over the different stages of the scan, allowing users to be proactive in fixing any problems for optimized results.

When a project is scanned, various scanner-related issues can surface, leading to incomplete scans. This report flags errors and exceptions encountered during different stages of scanning, such as:

  1. Cloning of repositories

  2. Pulling from private registries

  3. Executing package manager commands

By providing this detailed breakdown, users can quickly identify and address any issues that might impact the scanning process.

What type of information is included in the report?

During the scanning process, our system navigates through several stages critical for accurately pulling and scanning projects. These stages include tasks such as verifying connectivity to the scanning registry, configuring scanner settings, preparing the project for scanning and resolving any encountered issues.

The Stages

The different stages include:

  1. Checking registry connectivity - Performing connectivity checks for defined private registries. Issues at this step would be classified as warnings, as a failed connectivity check does not necessarily mean a failure to scan the project, as the project may not contain any private dependencies.

  2. Setting the scanner configuration - Adding any additional configuration to the scanner in preparation for the scan. Issues at this step would be classified as warnings, as a failure to configure one of the settings does not necessarily mean a failure to scan the project, as the project may not require this setting to resolve successfully.

  3. Preparing the project for scan - Running any initial commands, such as generating a lock file if such file is not present and is required for the resolution. Issues at this step would be classified as warnings, as a failure to prepare the project does not necessarily mean a failure to scan, as the project may not require this preparation to resolve successfully.

  4. Resolving the project - Running package manager commands or parsing lock files intended to resolve the project dependencies. Issues at this step would be classified as either warnings or errors, depending on the severity, as a failure to perform this stage may result in a complete failure to resolve this project.

For each stage, the scan can display issues at three levels:

  1. ERROR - Complete failure of the attempt to resolve a project. Resolution failed entirely, so the project yields 0 results; if it was the only project in the scan, the scan returns 0 results with a failure status.

  2. WARNING - Partial results. Resolving the project was not fully successful, so some dependencies might be missing from the project. This can happen because a workaround was used or because the resolution only partially succeeded.

  3. INFO - Informational only; there is no impact on the results.

Supported Package Managers

Language   | Package Manager
-----------|---------------------
Java       | Maven
JavaScript | npm
C#         | NuGet
Swift      | Swift
Python     | Pip, Pipenv, Poetry

Note: Package Managers not listed in the table will only display severe issues resulting in errors.

Getting it done

How to enable

In .whitesource config (or repo-config.json in case of global configuration) use the strictMode parameter to enable the reports as part of the Security Check description.

strictMode (String)

Optional. Default Value: none. Controls the messaging and status of security and license checks in the case of partial scan results (i.e. Mend Scanner experienced issues pulling some of the project’s dependencies during the scan). The available parameter values are:

  • none - When a scan concludes with partial results:

    • No message is shown in the check description.

    • The check status is not affected.

  • warning - When a scan concludes with partial results:

    • A message alerting to the partial results is included in the check description. When possible, the message will also include detailed information and error logs on the cause of the partial results.

    • Partial result details include warning and error messages in the check run.

    • Check run does not fail based on warning or error messages.

    • A project tag "scanError" is not populated with package managers' names.

      • If there was a tag previously → it is removed with the next scan job

  • failure - When a scan concludes with partial results:

    • A message alerting to the partial results is included in the check description. When possible, the message will also include detailed information and error logs on the cause of the partial results.

    • Partial result details include warning and error messages in the check run.

    • Check run fails only on error messages, not on warnings.

    • A project tag "scanError" includes only error-level package managers.

  • failOnWarning - When a scan concludes with partial results:

    • Partial result details include warning and error messages in the check run.

    • Check run fails on both warning and error messages.

    • A project tag "scanError" lists package managers with warnings or errors.

Note: For strictMode to work, the vulnerableCheckRunConclusionLevel and licenseCheckRunConclusionLevel parameters must be set to failure or not used.

strictModeInfo (Boolean)

Optional. Default Value: false. Controls the inclusion of INFO logs in the Scan Details report.

  • When set to true, info-level messages are included in all strict modes except none.
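The level semantics from "The Stages" section and the strictMode / strictModeInfo behaviour above are easy to misread when several repositories carry different settings, so here is an added Python model of that policy. It is example code written for this page, not Mend's own implementation: the Finding class, the function names, the constructed sample config and the constructed sample findings (and the levels assigned to them) are assumptions of the example. It lints the strictMode-related keys of a .whitesource or repo-config.json file, including the caveat that strictMode is ignored unless the check-run conclusion levels are failure or unset, and predicts for a list of findings what the check description reports, whether the check run fails, and which package managers the "scanError" tag would list.

```python
"""Model of the strictMode policy documented above (added example, not Mend's code).

The Finding class, function names, sample config and sample findings are
assumptions of this example; the rules encoded are the ones the page states.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Iterable, List

STRICT_MODES = ("none", "warning", "failure", "failOnWarning")
LEVELS = ("ERROR", "WARNING", "INFO")
CONCLUSION_KEYS = ("vulnerableCheckRunConclusionLevel", "licenseCheckRunConclusionLevel")


@dataclass(frozen=True)
class Finding:
    package_manager: str  # e.g. "npm", "Maven"
    stage: str            # one of the four documented stages
    level: str            # "ERROR", "WARNING" or "INFO"
    issue: str            # issue name from the reference table, e.g. "CMD_TIMEOUT"


def validate_config(config: dict) -> List[str]:
    """Return human-readable problems with the strictMode settings (empty list = OK)."""
    problems = []
    mode = config.get("strictMode", "none")
    if mode not in STRICT_MODES:
        problems.append(f"strictMode={mode!r} is not one of {STRICT_MODES}")
    # strictMode only takes effect when both conclusion-level keys are
    # "failure" or absent; any other value silently disables it.
    for key in CONCLUSION_KEYS:
        value = config.get(key)
        if value is not None and value != "failure" and mode != "none":
            problems.append(f"{key}={value!r} prevents strictMode={mode!r} from taking effect")
    info = config.get("strictModeInfo", False)
    if not isinstance(info, bool):
        problems.append(f"strictModeInfo must be true or false, got {info!r}")
    return problems


def evaluate(mode: str, findings: Iterable[Finding], show_info: bool = False) -> dict:
    """Apply a strictMode value to the findings of a scan with partial results."""
    if mode not in STRICT_MODES:
        raise ValueError(f"unknown strictMode {mode!r}")
    findings = list(findings)
    unknown = [f.level for f in findings if f.level not in LEVELS]
    if unknown:
        raise ValueError(f"unknown finding level(s): {unknown}")
    if mode == "none":
        # Partial results leave both the description and the check status untouched.
        return {"reported": [], "check_fails": False, "scan_error_tag": []}
    # Levels that fail the check run, per mode; the "scanError" tag lists
    # exactly the package managers that produced a failing-level finding.
    failing_levels = {
        "warning": set(),
        "failure": {"ERROR"},
        "failOnWarning": {"ERROR", "WARNING"},
    }[mode]
    # INFO lines appear only when strictModeInfo is true (and mode is not "none").
    shown_levels = {"ERROR", "WARNING"} | ({"INFO"} if show_info else set())
    reported = [f for f in findings if f.level in shown_levels]
    return {
        "reported": reported,
        "check_fails": any(f.level in failing_levels for f in findings),
        "scan_error_tag": sorted({f.package_manager for f in findings if f.level in failing_levels}),
    }


# Constructed sample config (not a real repository's file): strictMode would be
# silently ignored here because the vulnerability conclusion level is not "failure".
SAMPLE_CONFIG = json.loads('{"strictMode": "failure", "strictModeInfo": true, '
                           '"vulnerableCheckRunConclusionLevel": "success"}')

# Constructed sample findings; the levels are illustrative, not Mend's classification.
SAMPLE_FINDINGS = [
    Finding("npm", "Checking registry connectivity", "WARNING", "HTTP_UNAUTHORIZED"),
    Finding("Maven", "Resolving the project", "ERROR", "CMD_TIMEOUT"),
    Finding("Pip", "Preparing the project for scan", "INFO", "FALLBACK_USED"),
]

if __name__ == "__main__":
    for problem in validate_config(SAMPLE_CONFIG):
        print("config:", problem)
    for mode in STRICT_MODES:
        result = evaluate(mode, SAMPLE_FINDINGS, show_info=SAMPLE_CONFIG["strictModeInfo"])
        print(f"{mode:14} fails={result['check_fails']!s:5} "
              f"tag={result['scan_error_tag']} reported={len(result['reported'])}")
```

Running the script with the sample config reports the conclusion-level conflict first, then shows that the same three findings fail the check only under failure and failOnWarning, and that only failOnWarning puts the npm warning into the scanError tag. A pre-commit hook calling validate_config over every repository's config file is the practical use.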

Viewing the results

The results are displayed in the Security Check description, grouped by package manager. Within each package manager, results are grouped either by project (each project is represented by a separate manifest file) or by the host path of the private registry used.

For each project, details about the different stages are displayed, including errors, warnings, and info.

[Figure: example of the scan details report as shown in the Security Check description]

Reference

Examples of Issues Covered

(In the descriptions below, %s stands for the name of the stage or operation in which the issue occurred.)

Issue Name                | Description
--------------------------|-----------------------------------------------------------------------------------------------
STAGE_FAILURE             | Failure to perform the stage.
EXCEPTION                 | An exception occurred during the stage operation.
GENERAL_API               | Failure while connecting to the private registry host server.
HTTP_SERVER               | Failure while connecting to the private registry host server; the private registry returned a server error.
HTTP_BAD_REQUEST          | Failure while connecting to the private registry host server; the private registry returned 400 - Bad Request.
HTTP_NOT_FOUND            | Failure while connecting to the private registry host server; the private registry returned 404 - Not Found.
HTTP_FORBIDDEN            | Failure while connecting to the private registry host server; the private registry returned 403 - Forbidden.
HTTP_UNAUTHORIZED         | Failure while connecting to the private registry host server; the private registry returned 401 - Unauthorized.
UNSUPPORTED_REG           | Failure to perform the connectivity check; the private registries include unsupported providers.
UNSET_REG                 | Failure to set private registries due to an issue with the configuration provided by the user.
FILE_SYSTEM               | Failure to perform the %s operation due to a file system error.
FILE_NOT_FOUND            | Failure to perform the %s operation due to a missing file.
FILE_PERMISSION           | Failure to perform the %s operation due to missing permissions on a file.
FILE_PARSING              | Failure to perform the %s operation due to an issue parsing a file.
MISSING_BIN               | The %s operation failed because a required binary was not found.
CMD_EXECUTE               | Failed to execute one or more of the %s operation commands.
CMD_TIMEOUT               | The %s operation did not complete because an operation command timed out.
INSTALL                   | The %s operation did not complete due to an installation issue.
MISSING_DEPS              | Scan failed; some dependencies are missing from the project.
TREE_BUILD                | Failed to build the dependency tree.
MISSING_COMPONENT         | The %s operation failed because a component used in the %s operation was not found.
FALLBACK_USED             | A fallback was used in the %s operation; results may be incomplete.
INVALID_FILE              | The %s operation failed due to an invalid file.
UNSUPPORTED_CONFIGURATION | The %s operation failed due to an unsupported configuration that was provided.
