Reachability Results in Mend Container
Overview
The Mend Reachability tool helps you assess whether the security vulnerabilities associated with your container images are actually reachable, so you can prioritize fixing the ones that matter. In practice, a medium-severity but reachable vulnerability may deserve a higher priority than a critical but unreachable one.
Mend Reachability for Container Images provides static file-based reachability analysis on Container Images, pre-production, as part of the Mend CLI-based Image scanner, to reduce security noise in container images (~60% reduction on average). It is a static analysis of container images based on an algorithm that analyzes the compiled code and configuration files in the container’s file system, and indicates which of the packages can be used at runtime and which are considered part of a “dead code”.
Prerequisites
Access to Mend Container is required.
CLI authentication to an organization in the Mend Platform that has this feature enabled is required to see results in the Mend CLI. Once the feature is enabled for your organization, Reachability runs automatically as part of every scan.
* Findings from unsupported languages are displayed as Unavailable in the Reachability results. An indication is visible in the CLI output and in the logs.
Note: To get Reachability results on Windows, you must run the Mend CLI as an administrator.
Getting it done
Reviewing Reachability results in the Mend CLI
At the end of the CLI scan, the Reachability summary is displayed first, followed by the table of findings/packages. The summary gives the number of reachable components; the table shows the Reachability status of each package in the Reachability column.
Note that Reachability analysis is done automatically as part of any scan you run, assuming the feature has been enabled for your Mend organization.
Reviewing the results in the Mend Platform UI
Navigate to your project’s Images → Findings to review Reachability results per CVE or Images → Packages to review the results per package.
The Reachability status for each finding/package is shown in the Reachability column. You can sort the items by Reachable/Unreachable by clicking the Reachability column header.
For items that are Reachable, click anywhere on the row to open the finding/package details pane. Go to the Reachability tab to review the Reachable Path, which helps you investigate how the package is used.
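The prioritization rule from the Overview (reachable medium outranks unreachable critical), applied to the three statuses this page describes, as an added example that is not part of the Mend documentation or product. The severity scale, the decision to rank Unavailable (unsupported language) above Unreachable because it is not proven unreachable, and the sample findings with placeholder CVE ids are all assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed severity scale for ranking (constructed; Mend's own scale is not on this page).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Reachability statuses as shown in the Mend Reachability column.
# Assumption: Unavailable (unsupported language) is ranked between the other two,
# because the analysis did not prove the package unreachable.
REACH_RANK = {"Reachable": 2, "Unavailable": 1, "Unreachable": 0}


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    severity: str
    reachability: str


def priority_key(finding: Finding) -> tuple[int, int]:
    """Rank by reachability first, then severity, so a reachable medium
    finding outranks an unreachable critical one."""
    return (
        REACH_RANK.get(finding.reachability, REACH_RANK["Unavailable"]),
        SEVERITY_RANK.get(finding.severity.lower(), 0),
    )


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Return findings ordered from highest to lowest remediation priority."""
    return sorted(findings, key=priority_key, reverse=True)


# Constructed sample findings; CVE ids are placeholders, not real advisories.
SAMPLE = [
    Finding("CVE-0000-0001", "libexample", "critical", "Unreachable"),
    Finding("CVE-0000-0002", "webframework", "medium", "Reachable"),
    Finding("CVE-0000-0003", "phplib", "high", "Unavailable"),
    Finding("CVE-0000-0004", "netutil", "high", "Reachable"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.reachability:12} {f.severity:9} {f.cve} ({f.package})")
```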
Reference
Supported Linux-based Package Managers
| Package Manager | Supported Linux Distros |
|---|---|
| | Ubuntu, Debian |
| | Alpine |
| | RHEL, RockyLinux, SUSE, CentOS, AlmaLinux |
Supported Languages
| Language | Support Status |
|---|---|
| Go | ✅ |
| Java | ✅ |
| JS / Node.js | ✅ |
| Ruby | ✅ |
| C / C++ | ✅ |
| Rust | ✅ |
| Python | ✅ |
| C# / .NET | ✅ |
| PHP | ❌ |