
SCA Reachability in the Mend CLI

Note: To run SCA Reachability, make sure to use Mend CLI version 24.3.1 or higher.

Overview

The Mend Reachability tool helps you assess whether the security vulnerabilities associated with your open-source components are actually reachable from your own code, so that you can prioritize fixing the ones that are.

Reachability analysis, Mend.io's differentiating capability, is available directly in the Mend CLI in order to reduce developers' security burden: developers can focus on fixing the reachable vulnerabilities in their project.

In the real world, a medium-severity but reachable vulnerability might be prioritized higher by developers than a critical but unreachable vulnerability.

This article explains Mend.io's Reachability technology in the CLI and how to use it.

If you’re an SCA user tasked with fixing vulnerabilities detected in your projects or creating tasks for others to fix them, this article is for you.

Getting it done

Prerequisites before getting started with SCA Reachability

  • A successfully built Java/JavaScript/Python project using one of the supported package managers (see the reference table at the end of this article).
    Note that Reachability relies on the existence of the following elements in the scan directory:

    1. Source code files (e.g., .java, .js, .py).

    2. Manifest files (e.g., pom.xml, package.json, requirements.txt).

  • Mend CLI available on your machine.

Scanning in the CLI

Use case for Reachability

When Reachability is enabled, a normal Java/JS/Python project scan includes an additional "reachability scan" step, so the scan may take longer. At the end, the project scan results are enriched with reachability information: the scan report includes a textual indication of whether each listed vulnerability is reachable or not.

Configure Reachability

To enable reachability analysis as part of the Mend CLI scan, specify --reachability (short version: -r) in your scan command.

Examples:

mend sca -d [path/to/project] --reachability -u

mend sca -d [path/to/project] -r -u

NOTE: As soon as the scan starts, the interactive CLI screen displays a disclaimer denoting that Reachability is enabled.

Note that scanning a Java multi-module project or a multi-language JavaScript project does not require any additional configuration for Reachability.

Viewing Reachability Results following a CLI scan

There are three options for viewing the Reachability analysis results:

  1. By default, results are displayed in the terminal when the CLI is run with the --reachability flag.

  2. You can export the analysis results to a text file (.txt/.json).

  3. You can review the results in the web application UI (Core Application / Mend Platform).

Results in the terminal (interactive mode)

Terminal display of reachability results is only supported for Java. Therefore, if SCA Reachability is enabled and additional languages are scanned, a notice to that effect appears at the top of the results section.

At the top of the terminal results, a reachability summary line appears.

Below that, the Reachability column will be added to the Findings table.

Findings table with Reachability enabled

The findings will be displayed in the following order:

  1. Reachable, in order of severity, followed by:

  2. Unreachable, in order of severity

If there is no data regarding the reachability of a vulnerability, the Reachability column is left empty for that finding.

Exporting your scan results

The --export-results CLI parameter exports the results to one or more files, in .txt or .json format (determined by the file extension). The parameter takes a comma-separated list of the desired file paths.

--export-results [text/file/location]

Example:

mend sca -d [path/to/project] --reachability -u --export-results c:\output.txt,c:\output.json

In this example, the results are stored in two files: output.txt and output.json.

To see the reachability shields in the web application, add the -u (update) flag to the scan command so that the results are uploaded to the application.

NOTE: These configurations are not unique to the Reachability functionality; this is a general configuration for the Mend CLI.

Results in the .txt file

If results are exported to .txt format, the CLI will export the table mentioned above to a text file.

Results in the .json file

If results are exported to .json format, the CLI will export the information regarding the findings, including the reachability information for each finding, to a .json file.

The information is added in the following format for each finding:

    "reachability": "REACHABLE"
    "reachability": "UNREACHABLE"

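The following script is an added example, not part of the original article and not Mend's own code. It applies the terminal ordering described above (reachable findings by severity, then unreachable by severity) to an exported .json file and derives a pipeline gate from it. The page documents only the per-finding "reachability" key and its two values, REACHABLE and UNREACHABLE, and that the key is absent when no data exists; the surrounding layout assumed here (a top-level "findings" list with "vulnerability", "severity" and "library" fields) is a placeholder and must be adjusted to match the real export. The sample export embedded in the script is constructed, with synthetic identifiers.

```python
"""Triage findings from a Mend CLI --export-results JSON file by reachability.

Added example, not Mend's own code. Only the "reachability" key and its values
("REACHABLE" / "UNREACHABLE", key absent when no data) come from the article;
the "findings", "vulnerability", "severity" and "library" field names are
assumptions about the export layout and must be adjusted to the real file.
"""
import json
import sys

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
REACH_RANK = {"REACHABLE": 0, "UNREACHABLE": 1}
NO_DATA = "NO DATA"  # display value for findings without a reachability key

# Constructed sample export (synthetic identifiers, not real scanner output).
SAMPLE_EXPORT = json.dumps({
    "findings": [
        {"vulnerability": "SAMPLE-0001", "severity": "critical",
         "library": "lib-a-1.0.0.jar", "reachability": "UNREACHABLE"},
        {"vulnerability": "SAMPLE-0002", "severity": "medium",
         "library": "lib-b-2.3.1.jar", "reachability": "REACHABLE"},
        {"vulnerability": "SAMPLE-0003", "severity": "high",
         "library": "lib-c-0.9.0.jar"},  # no reachability data
        {"vulnerability": "SAMPLE-0004", "severity": "high",
         "library": "lib-d-4.1.0.jar", "reachability": "REACHABLE"},
    ]
})


def load_findings(text):
    """Parse the export; accept a bare list as well as {"findings": [...]}."""
    data = json.loads(text)
    return data["findings"] if isinstance(data, dict) else data


def reachability(finding):
    """Reachability value, or NO_DATA when the key is absent."""
    return finding.get("reachability", NO_DATA)


def sort_key(finding):
    """Terminal order: reachable by severity, then unreachable by severity.
    Findings with no reachability data are placed last, also by severity."""
    reach = REACH_RANK.get(reachability(finding), 2)
    sev = SEVERITY_RANK.get(finding.get("severity", "").lower(), len(SEVERITY_RANK))
    return (reach, sev, finding.get("vulnerability", ""))


def triage(findings):
    return sorted(findings, key=sort_key)


def blocking(findings, min_severity="high", unknown_is_reachable=True):
    """Findings that should fail a pipeline: reachable at or above
    min_severity. By default a finding with no reachability data is treated
    as reachable, so missing analysis data never silently lowers a gate."""
    limit = SEVERITY_RANK[min_severity]
    out = []
    for f in triage(findings):
        sev = SEVERITY_RANK.get(f.get("severity", "").lower())
        if sev is None or sev > limit:
            continue
        r = reachability(f)
        if r == "REACHABLE" or (r == NO_DATA and unknown_is_reachable):
            out.append(f)
    return out


def report(findings):
    """One aligned line per finding, in terminal order."""
    return [f"{reachability(f):<12} {f['severity']:<9} "
            f"{f['vulnerability']:<14} {f['library']}"
            for f in triage(findings)]


if __name__ == "__main__":
    # Usage: python triage_reachability.py output.json  (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    findings = load_findings(text)
    print("\n".join(report(findings)))
    sys.exit(1 if blocking(findings) else 0)
```

Run against the .json produced by --export-results; the exit code is non-zero when any reachable (or reachability-unknown) finding at or above the chosen severity exists. Pass unknown_is_reachable=False only once you have confirmed that the missing data is expected for that language rather than a sign the reachability step did not run.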

Viewing results in the Core Application UI

Refer to the dedicated article on viewing Reachability results in the Core Application UI.

Reference

Mend Reachability - supported languages

Language      Package Manager      Details
DotNet        NuGet                Configuration file(s): .nuspec, packages.config, .csproj, project.assets.json, packages.lock.json
Java          Gradle               Configuration file(s): build.gradle, settings.gradle
Java          Maven                Configuration file(s): pom.xml, settings.xml
JavaScript    npm                  Configuration file(s): package.json, package-lock.json
JavaScript    Yarn                 Configuration file(s): package.json, yarn.lock
JavaScript    Lerna (repo only)    Configuration file(s): lerna.json
JavaScript    pnpm (repo only)     Configuration file(s): pnpm-lock.yaml
Python        pip                  Configuration file(s): requirements.txt
Python        Pipenv               Configuration file(s): Pipfile, Pipfile.lock
Python        Poetry               Configuration file(s): pyproject.toml, poetry.lock

Supported versions of each language or package manager are listed here.

Mend Reachability - tested environments

The following operating systems were tested for scanning dependencies for reachability with the Mend CLI.

OS                Version
macOS             12
Ubuntu            22.04
Windows Server    2022
