SCA Reachability - Technical Requirements & Limitations
Note: You can scan a multi-language project with no additional configuration.
Supported Scanners and Integrations
Mend CLI
Environments
The following operating systems were tested for Reachability analysis with the Mend CLI:
OS | Version |
|---|---|
MacOS | 12 |
Ubuntu | 22.04 |
Windows Server | 2022 |
Limitations
SCA Reachability is not supported in self-contained mode.
Classic Repo Integrations
Environments
Supported repository integrations: GitHub.com, GitHub Enterprise, GitLab (starting from 25.10.1.2).
enableReachability configuration flag set to true in the scanSettings portion of the .whitesource file.
Limitations
Regular scan completes without partial results errors.
Developer Platform
Configure SCA Reachability for Mend Developer Platform
Language Support
Java
Environments
Java source files (up to JDK 17) with supported extension (.java).
Maven and Gradle build projects.
Improvements
Out-of-the-box support for multi-module projects, no need to run additional tools (e.g. xModuleAnalyzer).
No need to compile project to generate byte code, only sources directory and full dependency resolution are required.
Reflection support for java.util.ServiceLoader.
Limitations
The following dependency scopes are not analyzed:
provided
test
Reflection support is limited to the following types:
java.util.ServiceLoader
Dependency Injection support is limited to the following types:
org.springframework.beans.factory.annotation.Autowired
com.google.inject.Inject
javax.inject.Inject
JavaScript
Requirements
JavaScript/TypeScript source files with supported extensions (.js, .ts, .jsx, .tsx).
Successfully built NPM and Yarn projects (using the ‘npm install'/'yarn install' command).
Improvements
The user’s package.json file does not need to contain a “main” entry file path to a valid index.js file anymore, as was the case in the previous version of Prioritize.
Limitations
Reflection is not yet supported for JavaScript Reachability.
Python
Requirements
Python source files with the supported extension (.py).
A successfully built project using one of the supported package managers.
Limitations
Conda projects are not supported
Poetry projects are only supported in the GitHub repo integrations from v24.10.3.
.NET
Environments:
C# source files with supported extension (.cs).
NuGet projects are supported.
Limitations:
DLL binaries detected with file system scans are not supported.
Conan
Requirements
Reachability requires the dependency source files of package_type: "static-library" to be available during the analysis.
It is recommended to have them cached in the CLI pipeline prior to the Reachability scan. The CLI will attempt to download un-cached source files, resulting in potentially longer scan times and higher hardware resource utilization.
Environments:
C and C++ source files with supported extensions (.c, .h, .cpp)
Limitations:
Sources of each Conan package must be available for download, in both public and private repositories.
Supported Languages Table
Language | Package Manager | Details |
|---|---|---|
.NET | NuGet | Configuration file(s): .nuspec, packages.config, .csproj, project.assets.json, packages.lock.json |
C, C++ | Conan | Configuration file(s): conanfile.txt, conanfile.py |
Java | Gradle | Configuration file(s): build.gradle, settings.gradle |
Java | Maven | Configuration file(s): pom.xml, settings.xml |
JavaScript | npm | Configuration file(s): package.json, package-lock.json |
JavaScript | Yarn | Configuration file(s): package.json, yarn.lock |
JavaScript | Lerna | Configuration file(s): |
JavaScript | pnpm | Configuration file(s): |
Python | Conda | Configuration file(s): |
Python | pip | Configuration file(s): requirements.txt |
Python | Pipenv | Configuration file(s): Pipfile & Pipfile.lock |
Python | Poetry | Configuration file(s): pyproject.toml, poetry.lock |
Supported versions of each language or package manager are listed here.