SCA Reachability in the Mend CLI
Note: To run SCA Reachability, make sure to use Mend CLI version 24.3.1 or higher.
Overview
The Mend Reachability tool helps you assess whether the security vulnerabilities associated with your open-source components are actually reachable from your own code, so that you can prioritize fixing those vulnerabilities.
We want to reduce developers' security burden by utilizing Mend.io’s innovative differentiation - reachability analysis - easily, as part of the Mend CLI. This will enable developers to focus on fixing the reachable vulnerabilities in their project.
In the real world, a medium but reachable vulnerability might be prioritized higher by developers than a critical but unreachable vulnerability.
This article will explain about Mend.io’s Reachability technology in the CLI and how to use it.
If you’re an SCA user tasked with fixing vulnerabilities detected in your projects or creating tasks for others to fix them, this article is for you.
Getting it done
Prerequisites before getting started with SCA Reachability
A successfully built Java/JavaScript/Python project using one of the supported package managers.
Note that Reachability relies on the existence of the following elements in the scan directory:
Source code files (e.g., .java, .js, .py).
Manifest files (e.g., pom.xml, package.json, requirements.txt).
Mend CLI available on your machine.
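The prerequisites above boil down to two things the scan directory must contain: source files and manifest files for a supported language. The following pre-flight check is an added example, not part of the Mend CLI or its documentation; it walks a project directory and reports, per language, whether both are present before you start the (slower) reachability scan. The manifest names come from the supported-languages table at the end of this article; the list of dependency folders it skips and the output shape are this example's own choices.

```python
# Added example, not Mend's own code: pre-flight check that a scan directory
# holds both source files and manifest files, as Reachability requires.
import os
from typing import Dict, Iterable, List

# Manifest file names from the "supported languages" reference table on this page.
MANIFESTS = {
    "pom.xml": ("Java", "Maven"),
    "build.gradle": ("Java", "Gradle"),
    "settings.gradle": ("Java", "Gradle"),
    "package.json": ("JavaScript", "npm/Yarn"),
    "package-lock.json": ("JavaScript", "npm"),
    "yarn.lock": ("JavaScript", "Yarn"),
    "requirements.txt": ("Python", "pip"),
    "Pipfile": ("Python", "Pipenv"),
    "Pipfile.lock": ("Python", "Pipenv"),
    "pyproject.toml": ("Python", "Poetry"),
    "poetry.lock": ("Python", "Poetry"),
}
# Source file extensions named in the prerequisites section.
SOURCE_EXTENSIONS = {".java": "Java", ".js": "JavaScript", ".py": "Python"}
# Folders skipped by this example (assumption: they hold dependencies/build output, not your code).
SKIP_DIRS = {"node_modules", ".git", "target", "build", ".venv"}


def classify_paths(paths: Iterable[str]) -> Dict[str, object]:
    """Given relative paths inside a scan directory, report which languages have
    both a manifest and at least one source file, and which are missing one of them."""
    manifests: Dict[str, List[str]] = {}
    sources: Dict[str, int] = {}
    for path in paths:
        name = os.path.basename(path)
        if name in MANIFESTS:
            lang, pm = MANIFESTS[name]
            manifests.setdefault(lang, []).append(f"{pm}: {path}")
        ext = os.path.splitext(name)[1].lower()
        if ext in SOURCE_EXTENSIONS:
            lang = SOURCE_EXTENSIONS[ext]
            sources[lang] = sources.get(lang, 0) + 1
    ready = sorted(lang for lang in manifests if sources.get(lang, 0) > 0)
    missing: Dict[str, str] = {}
    for lang in set(manifests) | set(sources):
        if lang not in ready:
            missing[lang] = "no source files" if lang in manifests else "no manifest"
    return {"ready": ready, "missing": missing, "manifests": manifests, "sources": sources}


def preflight(directory: str) -> Dict[str, object]:
    """Walk a real project directory (skipping SKIP_DIRS) and classify what it contains."""
    paths: List[str] = []
    for root, dirs, files in os.walk(directory):
        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
        for f in files:
            paths.append(os.path.relpath(os.path.join(root, f), directory))
    return classify_paths(paths)


if __name__ == "__main__":
    import sys
    report = preflight(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("Ready for reachability:", ", ".join(report["ready"]) or "nothing")
    for lang, reason in report["missing"].items():
        print(f"  {lang}: {reason}")
```

Run it against the project root you intend to pass to `mend sca -d`; a language listed under "missing" will be scanned for dependencies but will not get reachability data.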
Scanning in the CLI
Use case for Reachability
A normal Java/JS/Python project scan includes a “reachability scan” step. This means that the scan may take longer. In the end, the project scan results will be enriched with reachability information - the scan report will include a textual indication of whether the listed vulnerability is reachable or not.
Configure Reachability
To enable reachability analysis as part of the Mend CLI scan, specify --reachability (short version: -r) in your scan command.
Examples:
mend sca -d [path/to/project] --reachability -u
mend sca -d [path/to/project] -r -u
NOTE: As soon as the scan starts, a disclaimer will be displayed in the interactive CLI screen, denoting that Reachability is enabled:
Note that scanning a Java multi-module project or a multi-language JavaScript project does not require any additional configuration for Reachability.
Viewing Reachability Results following a CLI scan
There are essentially 3 options for viewing the Reachability analysis results:
By default, results will be displayed in the terminal when running the CLI with the reachability flags
You can also export the analysis results to a text file (.txt/.json)
You can review the results in the web application UI (Core Application / Mend Platform)
Results in the terminal (interactive mode)
This is only supported for Java. Therefore, if SCA Reachability is enabled and additional languages are scanned, the following will appear at the top of the results section:
At the top of the terminal results, the following summary line will appear:
Below that, the Reachability column will be added to the Findings table.
The findings will be displayed in the following order:
Reachable, in order of severity, followed by:
Unreachable, in order of severity
If there is no data regarding the reachability of a vulnerability, no information will be displayed in the reachability column, like so:
Exporting your scan results
The --export-results CLI parameter allows you to export the results to a text file (or multiple text files), in either .txt or .json format. The parameter must be followed by the desired file path(s).
--export-results [text/file/location]
Example:
mend sca -d [path/to/project] --reachability -u --export-results c:\output.txt,c:\output.json
In this example, the results will be stored in 2 text files: output.txt and output.json.
To see the reachability shields in the web application, use the -u flag to update the application:
-u
NOTE: These configurations are not unique to the Reachability functionality; this is a general configuration for the Mend CLI.
Results in the .txt file
If results are exported to .txt format, the CLI will export the table mentioned above to a text file.
Results in the .json file
If results are exported to .json format, the CLI will export the information regarding the findings, including the reachability information for each finding, to a .json file.
The information will be added in the following format for each finding:
"reachability": "REACHABLE"
"reachability": "UNREACHABLE"
For example:
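The following script is an added example, not the Mend CLI's own code and not its documented output schema: it reads an exported .json result file and orders the findings the way the terminal view described above does (reachable first, by severity, then unreachable, by severity), which is also what makes a medium but reachable vulnerability rank above a critical but unreachable one. It assumes each finding is a JSON object with the "reachability" key and values shown above (REACHABLE / UNREACHABLE, or absent when there is no data), plus a "severity" key and an "id" key; those last two names, the severity level names, and the enclosing structure are assumptions, so the walker locates findings by key rather than by a fixed path. The embedded sample file is constructed and its ids are placeholders.

```python
# Added example, not Mend's own code: triage an exported .json result file
# by reachability and severity. Key names other than "reachability" are assumed.
import json
from typing import Any, Dict, Iterator, List

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}  # assumed level names
REACH_RANK = {"REACHABLE": 0, "UNREACHABLE": 1}                    # values documented on this page

# Constructed sample in the assumed shape; ids are placeholders, not real vulnerability ids.
SAMPLE_JSON = json.dumps({
    "projectName": "demo-app",
    "findings": [
        {"id": "EXAMPLE-0001", "library": "lib-a", "severity": "CRITICAL", "reachability": "UNREACHABLE"},
        {"id": "EXAMPLE-0002", "library": "lib-b", "severity": "MEDIUM", "reachability": "REACHABLE"},
        {"id": "EXAMPLE-0003", "library": "lib-c", "severity": "HIGH", "reachability": "REACHABLE"},
        {"id": "EXAMPLE-0004", "library": "lib-d", "severity": "LOW", "reachability": "UNREACHABLE"},
        {"id": "EXAMPLE-0005", "library": "lib-e", "severity": "HIGH"},  # no reachability data
    ],
})


def iter_findings(node: Any) -> Iterator[Dict[str, Any]]:
    """Yield every object that carries a 'severity' key, wherever it sits in the document."""
    if isinstance(node, dict):
        if "severity" in node:
            yield node
        for value in node.values():
            yield from iter_findings(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_findings(item)


def sort_key(finding: Dict[str, Any]):
    """Reachable before unreachable before unknown; within each group, by severity."""
    reach = str(finding.get("reachability", "")).upper()
    sev = str(finding.get("severity", "")).upper()
    return (REACH_RANK.get(reach, 2), SEVERITY_RANK.get(sev, 99))


def triage(raw_json: str) -> List[Dict[str, Any]]:
    """Return all findings in terminal display order."""
    return sorted(iter_findings(json.loads(raw_json)), key=sort_key)


def reachable_ids(raw_json: str) -> List[str]:
    """Ids of the findings a developer should look at first."""
    return [f["id"] for f in triage(raw_json)
            if str(f.get("reachability", "")).upper() == "REACHABLE"]


def summarize(raw_json: str) -> Dict[str, int]:
    """Count findings per reachability state; findings without data are 'UNKNOWN'."""
    counts = {"REACHABLE": 0, "UNREACHABLE": 0, "UNKNOWN": 0}
    for f in iter_findings(json.loads(raw_json)):
        reach = str(f.get("reachability", "")).upper()
        counts[reach if reach in REACH_RANK else "UNKNOWN"] += 1
    return counts


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_JSON
    print(summarize(raw))
    for f in triage(raw):
        print(f"{f.get('reachability', '-'):<12} {f.get('severity', '-'):<9} "
              f"{f.get('id')}  {f.get('library', '')}")
```

Pass the .json file produced by --export-results as the first argument; with no argument the constructed sample is used. If your export nests findings under different key names, adjust `iter_findings` and `sort_key` accordingly.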
Viewing results in the Core Application UI
Refer to the following article to learn about this topic.
Reference
Mend Reachability - supported languages
Language | Package Manager | Details |
---|---|---|
DotNet | Nuget | Configuration file(s): .nuspec, packages.config, .csproj, project.assets.json, packages.lock.json |
Java | Gradle | Configuration file(s): build.gradle, settings.gradle |
Java | Maven | Configuration file(s): pom.xml, settings.xml |
JavaScript | npm | Configuration file(s): package.json, package-lock.json |
JavaScript | Yarn | Configuration file(s): package.json, yarn.lock |
JavaScript | Lerna (repo only) | Configuration file(s): |
JavaScript | pnpm (repo only) | Configuration file(s): |
Python | pip | Configuration file(s): requirements.txt |
Python | Pipenv | Configuration file(s): Pipfile & Pipfile.lock |
Python | Poetry | Configuration file(s): pyproject.toml, poetry.lock |
Supported versions of each language or package manager are listed here.
Mend Reachability - tested environments
The following operating systems were tested for scanning dependencies for reachability with Mend CLI.
OS | Version |
---|---|
MacOS | 12 |
Ubuntu | 22.04 |
Windows Server | 2022 |