Configure the Mend CLI for SCA

Command Line: -d, --dir

Optional. Specify the target directory for the Mend CLI SCA scan.

Current directory (“.") will be scanned.

Command Line: -e, --extended

Optional. Perform a file system scan for source files, in addition to the package manager-based dependencies resolution.

Note: The Mend CLI SCA file system scan does not support the scanning of binaries (i.e. JAR, ZIP, DLL).

Only the package manager dependency resolution is enabled.

Command Line: --no-default-exclusions

Environment Variable:
MEND_DEP_NO_DEFAULT_EXCLUSIONS

Optional. Disable the Mend pre-defined folder exclusions, allowing these folders to be included in the Mend CLI SCA scan.

Mend pre-defined folder exclusions:
.git, test, tests, example, examples, doc, docs, packages, site-packages

Environment Variable: MEND_SCA_PATH_EXCLUSIONS

Optional. Define directories to be excluded from the Mend CLI scan via a comma-separated list using glob format. These directories will append the default exclusions (unless --no-default-exclusions is in use).

Note: Using this variable will append the default exclusions. The default exclusions remain in effect unless --no-default-exclusions is used.

No additional folders are excluded except for the default exclusions.

Command Line: --strict

Optional. Fail the Mend CLI SCA command if any resolution step fails.

Scan will complete regardless of the resolution steps' success.

Command Line: --reachability
Environment Variable: MEND_SCA_REACHABILITY

(Beta) Optional. Compute reachability for each CVE. Reachability will be computed for supported programming languages only. The scan may take longer.

No reachability scan will be performed. Minimal CLI version: 24.3.1

Environment Variable: MEND_LOG_LEVEL

Optional. Define the verbosity of the Mend CLI SCA scan log files. The available values are:

• INFO - Includes basic scan behavior.

• DEBUG - Includes verbose information that is needed for diagnosing issues.

• WARNING - Includes unexpected behaviors that happened during the CLI scan, but it was still able to complete successfully.

• ERROR - Includes information on CLI functionalities that are not working and are preventing it from working properly.

Note:

• SCA Log files are only generated when a scan error occurs for the CLI SCA solution.

• The MEND_LOG_LEVEL variable only impacts the generated log file and does not affect the terminal output of the CLI.

• For troubleshooting, we recommend setting the MEND_LOG_LEVEL to DEBUG as it provides the most log verbosity.

The Mend CLI log files are set to the INFO log-level value.

Command Line: --format

Optional. Set the scan result format within the terminal. The supported formats are:

• text - Output Mend CLI results within the terminal using formatted tables and lists.

• json - Output Mend CLI results within the terminal using JSON syntax.

Mend CLI outputs scan results within the terminal in text format.

Command Line: -h, --help

Optional. Display the available parameters for the mend dep|dependencies command.

Use this parameter on-demand to display the available parameters for the mend sca command.

Command Line: --non-interactive

Optional. Mend CLI will run in non-interactive mode, suppressing use of colors, progress bar and any other graphic features in STDOUT.

Mend CLI output to STDOUT includes use of colors and progress bars, which are irrelevant in non-interactive session and may cause issues in some environments.

Command Line: -s, --scope

Optional. Set the scan scope for your project by specifying the hierarchy for the Mend Platform. The --scope of the scan is only applicable when also including the --update parameter.

The supported formats are:

• Full hierarchy: -s "ORG//APP//PROJ"

• Partial hierarchy: -s "PROD//PROJ"

• Single hierarchy: -s "PROJ"

Examples of --scope configuration:

• Application-Project scope with single quotes:

  CODE

  mend dep -s 'MyApp//MyProj' -u

• Org-Application-Project scope with double quotes:

  CODE

  mend dep -s "My Org//My App//My Proj" -u

The wild card character “*” can be used for any of the hierarchy levels. The default Mend CLI behavior will be used for any “*”.

• Application-Project scope using “*”:

mend dep -s '*//MyProj' -u

“CLI” will be the application used or created in place of the “*”.

• Org-Application-Project scope using “*”:

mend dep -s "*//My App//*" -u

The organization currently logged into from the mend auth login command setup will be used for the first “*” and for the second “*”, the project will be created and named after either:

• The folder specified in the --dir command.

• If --dir is not specified, the name will be the directory where the Mend CLI ran from.

For Mend CLI scans that do not update the Mend Platform, the --scope parameter is still used to direct the Mend CLI on the scope to use for the policy check.

Note:

• Make sure to set the --scope value within either single or double quotes ('My Project' or “My Project").

• You are able to set the Org scope to any Mend organization that the current user signed in as (via mend auth login) has access to.

• If you set an application or project name in --scope that does not exist in the organization prior to the run, it will be created in the Mend Platform after the Mend CLI completes the scan if you have the necessary permissions/role.

Within the Mend Platform, scans are tiered under an organization → application → project hierarchy.

If --scope is not set, the scan results will be sent and categorized within the Mend Platform as follows:

• The organization currently logged into from the mend auth login command setup.

• An application will be created and named “CLI".

• A project will be created and named after either:

  • The folder specified in the --dir command.

  • If --dir is not specified, the name will be the directory where the Mend CLI ran from.

Command Line: -u, --update

Optional. Update the inventory of the project within the Mend Platform.

Scan results are not sent to the Mend Platform.

Command Line: --label-proj <label>

Optional. Add a Mend Platform project label to the scanned project. Set of comma-separated labels is also supported.

Note:

• Label will be assigned only when --update flag is used.

No label applied

Command Line: --label-app <label>

Optional. Add a Mend Platform application label to the scanned application. Set of comma-separated labels is also supported.

Note:

• Label will be assigned only when --update flag is used.

No label applied

C#

NuGet

Prerequisites:

• Build your C# project prior to the Mend CLI scan using either the nuget install or dotnet build commands.

Supported dependency file(s): One of the following sets:

• .csproj and project.assets.json

• .csproj and packages.config and packages.lock.json

• packages.config and packages.lock.json

Notes:

• By default, the Mend CLI filters out System Packages for NuGet projects. As a result, these packages will not appear in the scan results. 

• Consider using the Mend Unified Agent, which provides an option to include System Packages in the scan for NuGet projects. For more information please refer to our Getting Started with the Unified Agent article. 

Go

Go Modules

Prerequisites:

• Go Modules must be installed locally where the Mend CLI will run.

Supported dependency file(s): go.mod

Java

Gradle

Prerequisites:

• Build your Java project prior to the Mend CLI scan using the gradle buildcommand.

• Gradle can either be installed locally or called using wrapper (gradlew) on the machine where the Mend CLI will run.

Supported dependency file(s): build.gradle

Specifications:

• Gradle Wrapper is supported by the Mend CLI.

Java

Maven

Prerequisites:

• Build your Java project prior to the Mend CLI scan using the mvn clean install command.

• Maven can either be installed locally or called using a wrapper (mvnw) on the machine where the Mend CLI will run.

Supported dependency file(s): pom.xml

Specifications:

• Maven Wrapper is supported by the Mend CLI.

• The test and provided dependency scopes are excluded by the Mend CLI scan.

JavaScript

NPM

Prerequisites:

• Build your JavaScript project prior to the Mend CLI scan using the npm install command to generate the corresponding lock file and/or create the node_modules folder.

Supported dependency file(s): One of the following sets:

• package.json and package-lock.json

• package.json and node_modules folder

• package.json and npm-shrinkwrap.json

Specifications:

• The Mend CLI supports both lockfileVersion 2 and 3 formats for the package-lock.json file.

• The dev dependency scope is excluded by the Mend CLI scan.

• Peer dependencies (peerDependencies) are included in the Mend CLI scan.

• An npm-shrinkwrap.json will always be parsed. If a package-lock.json file exists alongside it, only npm-shrinkwrap.json will be parsed.

JavaScript

Yarn

Prerequisites:

• Build your JavaScript project prior to the Mend CLI scan using the yarn install command to generate the corresponding lock file.

Supported dependency file(s): package.json and yarn.lock

PHP

Composer

Prerequisites:

• Build your PHP project prior to the Mend CLI scan using the composer install command to generate the corresponding lock file(s).

Supported dependency file(s): composer.json and composer.lock

Python

pip

Prerequisites:

• Build your Python project prior to the Mend CLI scan using the pip install command.

• pip must be installed locally where the Mend CLI will run.

• If your pip project uses a virtual environment, run the Mend CLI within the activated environment.

Supported dependency file(s): requirements.txt

Ruby

Bundler

Prerequisites:

• Build your Ruby project prior to the Mend CLI scan using the bundle install command to generate the corresponding lock file.

• Bundler must be installed locally where the Mend CLI will run.

Supported dependency file(s): Gemfile and Gemfile.lock

Scala

SBT

Prerequisites:

• Build your Scala project prior to the Mend CLI scan using the sbt compile command.

Supported dependency file(s): sbt files

Specifications:

• SBT 1.X is supported

• Only runtime and compile dependencies are supported

• target and project folders in the same location as .sbt files are excluded from the scan

NOTE: SBT has various known and well documented GitHub issues. Some of these issues might also affect the success and/or accuracy of the Mend SCA scan.

Swift

SPM

Prerequisites:

• Build your Swift project prior to the Mend CLI scan using the swift package resolve command to generate the corresponding lock file.

Supported dependency file(s): Package.swift

Specifications:

• The Mend CLI supports both Package.resolved 1 and 2 formats.