Mend CLI - Supported Languages and Package Managers for SCA

Overview

This page lists the supported languages and package manager versions in the Mend CLI for SCA. It means that the Mend CLI is designed to resolve dependencies written in the listed language versions and managed by the listed package manager versions. Relevant open-source libraries will be scanned for security vulnerabilities and licenses.

Note: The Support Matrix may get updated from time to time as Mend.io continues to add support for newly released package manager and language versions.

Support Matrix

Language (Package Manager)	Package Manager Versions	Language Versions	Reachability Supported	Exclusion CLI Env Var	Repo Integration Parameter
C/C++ (Conan)	Conan 2.12+		✔️	MEND_SCA_CONAN_RESOLVEDEPENDENCIES	conan.resolveDependencies
C# (.NET)	N/A	.NET 5.0.x, 6.0.x, 7.0.x, 8.0.x, 9.0.x, 10.0.x	✔️	MEND_SCA_NUGET_CSPROJ_RESOLVEDEPENDENCIES / WS_NUGET_RESOLVEDEPENDENCIES	nuget.resolveDependencies
C# (.NET Framework)	N/A	.NET 4.8	X	MEND_SCA_NUGET_CSPROJ_RESOLVEDEPENDENCIES / WS_NUGET_RESOLVEDEPENDENCIES	nuget.resolveDependencies
Go	Modules	Golang 1.14.x, 1.15.x, 1.16.x, 1.17.x, 1.18.x, 1.19.x, 1.20.x, 1.21.x, 1.22.x, 1.23.x	X	MEND_SCA_GO_RESOLVEDEPENDENCIES / WS_GO_MODULES_RESOLVEDEPENDENCIES	go.modules.resolveDependencies
Java (Maven)	Maven 3.2.5, 3.3.x, 3.5.x, 3.6.x, 3.8.x, 3.9.x	Java 8.x, 11.x, 17.x, 21.x	✔️	MEND_SCA_MAVEN_RESOLVEDEPENDENCIES / WS_MAVEN_RESOLVEDEPENDENCIES	maven.resolveDependencies
Java (Gradle)	Gradle 6.x, 7.x, 8.x Gradle 9.x	Java 8.x, 11.x, 17.x, 21.x Java 17.x, 21.x	✔️	MEND_SCA_GRADLE_RESOLVEDEPENDENCIES / WS_GRADLE_RESOLVEDEPENDENCIES	gradle.resolveDependencies
Java (sbt)	SBT 1.8	Java 8.x, 11.x, 17.x, 21.x	X	MEND_SCA_SBT_RESOLVEDEPENDENCIES /WS_SBT_RESOLVEDEPENDENCIES	sbt.resolveDependencies
JavaScript (Bower)	Bower 1.8.x	Node.js 18.x	X	N/A	bower.resolveDependencies
JavaScript (npm)	npm 6.x, 7.x, 8.x, 9.x, 10.x, 11.x npm 8.x, 9.x, 10.x, 11.x	Node.js 18.x Node.js 20.x, 22.x, 24.x	✔️	MEND_SCA_NPM_RESOLVEDEPENDENCIES / WS_NPM_RESOLVEDEPENDENCIES	npm.resolveDependencies
JavaScript (Yarn)	yarn 1.x yarn 2.x, 3.x yarn 4.x	Node.js 16.x, 18.x, 20.x Node.js 16.x, 18.x, 20.x, 22.x, 24.x Node.js 16.x, 18.x, 20.x, 22.x, 24.x	✔️	MEND_SCA_YARN_RESOLVEDEPENDENCIES / WS_NPM_RESOLVEDEPENDENCIES	npm.resolveDependencies
PHP (Composer)	composer 2.2.x, 2.3.x, 2.4.x, 2.5.x, 2.6.x	PHP 7.x, 8.x	X	MEND_SCA_PHP_RESOLVEDEPENDENCIES / WS_PHP_RESOLVEDEPENDENCIES	php.resolveDependencies
Python (conda)	2023.x, 2024.x	Python 3.x	✔️	N/A	conda.resolveDependencies
Python (pip)	pip 20.x, 21.x, 22.x, 23.x	Python 3.x	✔️	MEND_SCA_PIP_RESOLVEDEPENDENCIES / WS_PYTHON_RESOLVEDEPENDENCIES	python.resolveDependencies
Python (uv)	All versions *Versions older than 0.4.3.0 are not supported in repository integrations	Python 3.x	✔️	MEND_SCA_UV_RESOLVEDEPENDENCIES	uv.resolveDependencies
Ruby (Bundler)	Bundler 2.2.x, 2.3.x, 2.4.x	Ruby 2.x, 3.x	X	MEND_SCA_RUBY_RESOLVEDEPENDENCIES / WS_RUBY_RESOLVEDEPENDENCIES	ruby.resolveDependencies
Scala (sbt)	SBT 1.4.x, 1.5.x, 1.7.x, 1.8.x, 1.9.x, 1.10.x	Scala 2.13.x, 3.3.x, 3.5.x	X	MEND_SCA_SBT_RESOLVEDEPENDENCIES /WS_SBT_RESOLVEDEPENDENCIES	sbt.resolveDependencies
Swift (SwiftPM)	SwiftPM 5.8.x, 5.9.x, 6.0.x	N/A	X	MEND_SCA_SWIFT_RESOLVEDEPENDENCIES /WS_SWIFT_RESOLVEDEPENDENCIES	swift.resolveDependencies
Swift & Objective C (CocoaPods)	Cocoapods 1.10.x Cocoapods 1.11.x Cocoapods 1.12.x	Swift 5.7.x Swift 5.3.x, 5.9.x, 6.0.x Swift 5.3.x, 5.5.x, 5.9.x, 6.0.x	X	N/A	cocoapods.resolveDependencies

Package Managers Resolved by the Unified Agent

Note: The package managers in this table are resolved using the Unified Agent, which is wrapped within the Mend CLI.

Language (Package Manager)	Package Manager Versions	Language Versions	Reachability Supported	Exclusion CLI Env Var	Repo Integration Parameter
HTML	N/A	N/A	X	N/A	html.resolveDependencies
JavaScript (pnpm)	pnpm 6.x, 7.x, 8.x, 9.x, 10.x pnpm 8.x, 9.x, 10.x	Node.js 18.x Node.js 20.x, 22.x, 24.x	✔️	N/A	npm.resolveDependencies
Python (pipenv)	2020.11.x, 2021.5.x, 2022.1.x, 2023.6.x, 2023.7.x	Python 3.x	✔️	N/A	python.resolveDependencies
Python (Poetry)	poetry 1.1.x, 1.2.x, 1.3.x, 1.4.x, 1.8.x, 2.x	Python 3.x	✔️	N/A	python.resolveDependencies
R (Packrat)	packrat 0.6.x	R 3.3.x, 4.1.x, 4.2.x	X	N/A	r.resolveDependencies

Resolver Deactivation Reference

For the Mend CLI, use the environment variable denoted in the Exclusion CLI Env Var column in the table above to exclude a specific package manager resolver from your SCA scan.
For repository integrations, use the parameter denoted in the Repo Integration Parameter column in the table above in your whitesource.config to exclude a specific resolver from your SCA scan.
To deactivate a resolver, set the value to false. If no value is provided, it defaults to true.

Note:

Env Var > Config: Environment variables override whitesource.config files.
If you previously used an environment variable that disabled a resolver in the Unified Agent and didn’t remove it when switching to the CLI, it may now also disable the resolver in the CLI.

Malicious Packages (MSC) - Supported Registries

Below is a table of registries supported for the detection of malicious packages.

Registry
npm
RubyGems
PyPi