Breadcrumbs

SCA Reachability - Technical Requirements & Limitations

Note: You can scan a multi-language project with no additional configuration.

Supported Scanners and Integrations

Mend CLI

Environments

SCA Reachability is also supported in self-contained mode.

The following operating systems were tested for Reachability analysis with the Mend CLI:

OS

Version

MacOS

12

Ubuntu

22.04

Windows Server

2022

Classic Repo Integrations

Environments

  • Supported repository integrations: GitHub.com, GitHub Enterprise, GitLab (starting from 25.10.1.2).

  • enableReachability configuration flag set to true in the scanSettings portion of the .whitesource file.

Limitations

  • Regular scan completes without partial results errors.

Developer Platform

Azure Repos | Bitbucket Cloud | GitHub.com

Language Support

Java

Environments

  • Java source files (up to JDK 17) with supported extension (.java).

  • Maven and Gradle build projects.

Improvements

  • Out-of-the-box support for multi-module projects, no need to run additional tools (e.g. xModuleAnalyzer).

  • No need to compile project to generate byte code, only sources directory and full dependency resolution are required.

  • Reflection support for java.util.ServiceLoader.

Limitations

  • The following dependency scopes are not analyzed:

    • provided

    • test

  • Reflection support is limited to the following types:

    • java.util.ServiceLoader

  • Dependency Injection support is limited to the following types:

    • org.springframework.beans.factory.annotation.Autowired

    • com.google.inject.Inject

    • javax.inject.Inject

JavaScript

Requirements

  • JavaScript/TypeScript source files with supported extensions (.js, .ts, .jsx, .tsx).

  • Successfully built NPM and Yarn projects (using the ‘npm install'/'yarn install' command).

Improvements

  • The user’s package.json file does not need to contain a “main” entry file path to a valid index.js file anymore, as was the case in the previous version of Prioritize.

Limitations

  • Reflection is not yet supported for JavaScript Reachability.

Python

Requirements

  • Python source files with the supported extension (.py).

  • A successfully built project using one of the supported package managers.

Limitations

  • Conda projects are not supported

  • Poetry projects are only supported in the GitHub repo integrations from v24.10.3.

.NET

Environments:

  • C# source files with supported extension (.cs).

  • NuGet projects are supported.

Limitations:

  • DLL binaries detected with file system scans are not supported.

Conan

Requirements

Reachability requires the dependency source files of package_type: "static-library" to be available during the analysis.
It is recommended to have them cached in the CLI pipeline prior to the Reachability scan. The CLI will attempt to download un-cached source files, resulting in potentially longer scan times and higher hardware resource utilization.

Environments:

  • C and C++ source files with supported extensions (.c, .h, .cpp)

Limitations:

  • Sources of each Conan package must be available for download, in both public and private repositories.

Supported Languages Table

Language (Package Manager)

Package Manager Versions

Language
Versions

Reachability Supported

Exclusion
CLI Env Var

Repo Integration Parameter

C/C++ (Conan)

Conan 2.12+


✔️

MEND_SCA_CONAN_RESOLVEDEPENDENCIES

conan.resolveDependencies

C# (.NET)

N/A

.NET 5.0.x, 6.0.x, 7.0.x, 8.0.x, 9.0.x, 10.0.x

✔️

MEND_SCA_NUGET_CSPROJ_RESOLVEDEPENDENCIES / WS_NUGET_RESOLVEDEPENDENCIES

nuget.resolveDependencies

C# (.NET Framework)

N/A

.NET 4.8

X

MEND_SCA_NUGET_CSPROJ_RESOLVEDEPENDENCIES / WS_NUGET_RESOLVEDEPENDENCIES

nuget.resolveDependencies

Go

Modules

Golang 1.14.x, 1.15.x, 1.16.x, 1.17.x, 1.18.x, 1.19.x, 1.20.x, 1.21.x, 1.22.x, 1.23.x

X

MEND_SCA_GO_RESOLVEDEPENDENCIES / WS_GO_MODULES_RESOLVEDEPENDENCIES

go.modules.resolveDependencies

Java (Maven)

Maven 3.2.5, 3.3.x, 3.5.x, 3.6.x, 3.8.x, 3.9.x

Java 8.x, 11.x, 17.x, 21.x

✔️

MEND_SCA_MAVEN_RESOLVEDEPENDENCIES / WS_MAVEN_RESOLVEDEPENDENCIES

maven.resolveDependencies

Java (Gradle)

  • Gradle 6.x, 7.x, 8.x

  • Gradle 9.x

  • Java 8.x, 11.x, 17.x, 21.x

  • Java 17.x, 21.x

✔️

MEND_SCA_GRADLE_RESOLVEDEPENDENCIES / WS_GRADLE_RESOLVEDEPENDENCIES

gradle.resolveDependencies

Java (sbt)

SBT 1.8

Java 8.x, 11.x, 17.x, 21.x

X

MEND_SCA_SBT_RESOLVEDEPENDENCIES /WS_SBT_RESOLVEDEPENDENCIES

sbt.resolveDependencies

JavaScript (Bower)

Bower 1.8.x

Node.js 18.x

X

N/A

bower.resolveDependencies

JavaScript (npm)

  • npm 6.x, 7.x, 8.x, 9.x, 10.x, 11.x

  • npm 8.x, 9.x, 10.x, 11.x

  • Node.js 18.x

  • Node.js 20.x, 22.x, 24.x

✔️

MEND_SCA_NPM_RESOLVEDEPENDENCIES / WS_NPM_RESOLVEDEPENDENCIES

npm.resolveDependencies

JavaScript (Yarn)

  • yarn 1.x

  • yarn 2.x, 3.x

  • yarn 4.x

  • Node.js 16.x, 18.x, 20.x

  • Node.js 16.x, 18.x, 20.x, 22.x, 24.x

  • Node.js 16.x, 18.x, 20.x, 22.x, 24.x

✔️

MEND_SCA_YARN_RESOLVEDEPENDENCIES / WS_NPM_RESOLVEDEPENDENCIES

npm.resolveDependencies

PHP (Composer)

composer 2.2.x, 2.3.x, 2.4.x, 2.5.x, 2.6.x

PHP 7.x, 8.x

X

MEND_SCA_PHP_RESOLVEDEPENDENCIES / WS_PHP_RESOLVEDEPENDENCIES

php.resolveDependencies

Python (conda)

2023.x, 2024.x

Python 3.x

✔️

N/A

conda.resolveDependencies

Python (pip)

pip 20.x, 21.x, 22.x, 23.x

Python 3.x

✔️

MEND_SCA_PIP_RESOLVEDEPENDENCIES /
WS_PYTHON_RESOLVEDEPENDENCIES

python.resolveDependencies

Python (uv)

All versions

*Versions older than 0.4.3.0 are not supported in repository integrations

Python 3.x

✔️

MEND_SCA_UV_RESOLVEDEPENDENCIES

uv.resolveDependencies

Ruby (Bundler)

Bundler 2.2.x, 2.3.x, 2.4.x

Ruby 2.x, 3.x

X

MEND_SCA_RUBY_RESOLVEDEPENDENCIES / WS_RUBY_RESOLVEDEPENDENCIES

ruby.resolveDependencies

Scala (sbt)

SBT 1.4.x, 1.5.x, 1.7.x, 1.8.x, 1.9.x, 1.10.x

Scala 2.13.x, 3.3.x, 3.5.x

X

MEND_SCA_SBT_RESOLVEDEPENDENCIES /WS_SBT_RESOLVEDEPENDENCIES

sbt.resolveDependencies

Swift (SwiftPM)

SwiftPM 5.8.x, 5.9.x, 6.0.x

N/A

X

MEND_SCA_SWIFT_RESOLVEDEPENDENCIES /WS_SWIFT_RESOLVEDEPENDENCIES

swift.resolveDependencies

Swift & Objective C (CocoaPods)

  • Cocoapods 1.10.x

  • Cocoapods 1.11.x

  • Cocoapods 1.12.x

  • Swift 5.7.x

  • Swift 5.3.x, 5.9.x, 6.0.x

  • Swift 5.3.x, 5.5.x, 5.9.x, 6.0.x

X

N/A

cocoapods.resolveDependencies

Package Managers Resolved by the Unified Agent

Note: The package managers in this table are resolved using the Unified Agent, which is wrapped within the Mend CLI.

Language (Package Manager)

Package Manager Versions

Language
Versions

Reachability Supported

Exclusion
CLI Env Var

Repo Integration Parameter

HTML

N/A

N/A

X

N/A

html.resolveDependencies

JavaScript (Bower)

Bower 1.8.x

Node.js 18.x

X

N/A

N/A

JavaScript (pnpm)

  • pnpm 6.x, 7.x, 8.x, 9.x, 10.x

  • pnpm 8.x, 9.x, 10.x

  • Node.js 18.x

  • Node.js 20.x, 22.x, 24.x

✔️

N/A

npm.resolveDependencies

Python (pipenv)

2020.11.x, 2021.5.x, 2022.1.x, 2023.6.x, 2023.7.x

Python 3.x

✔️

N/A

python.resolveDependencies

Python (Poetry)

poetry 1.1.x, 1.2.x, 1.3.x, 1.4.x, 1.8.x, 2.x

Python 3.x

✔️

N/A

python.resolveDependencies

R (Packrat)

packrat 0.6.x

R 3.3.x, 4.1.x, 4.2.x

X

N/A

r.resolveDependencies

Python (Conda)

2023.x, 2024.x

Python 3.x

X

N/A

N/A

Additional Languages and Package Managers

Note: All the languages and package managers listed below are resolved by the Unified Agent. Reachability is not supported for them and they cannot be excluded from the scan.

  • Bazel

  • C#/.NET (Paket)

  • Elixir/Erlang (Hex)

  • Go

    • Dep

    • Godep

    • Vndr

    • Gogradle

    • Govendor

    • Gopm

    • Glide

  • Haskell (Cabal)

  • Java (Ant)

  • JavaScript (Lerna)

  • OCaml

  • Rust (Cargo)