View the results of your Mend CLI SCA scan

Overview

Once your Mend CLI SCA scan is completed, there are multiple resources provided to help you review, analyze, and triage your results. The following Mend CLI SCA result sections are covered in this article:

Mend CLI SCA results - Console

The Mend CLI SCA scan outputs a summary of the detected malicious packages, security vulnerabilities, and the structure of the dependency tree for your application:

Malicious packages

Malicious packages and their data identified by the Mend CLI are displayed in an easy-to-read table:

Field	Description
`Severity`	The severity of the malicious vulnerability. The available values are: `Critical` `High` `Medium` `Low`
`Library`	The name of the library affected by the malicious vulnerability
`ID`	The MSC ID associated with the identified malicious vulnerability.
`Top Fix`	Mend’s recommended fix to confront the malicious vulnerability.

CVE vulnerabilities

The discovered CVE vulnerabilities are displayed in a visual table, providing the vitals you need to triage these findings:

Field	Description
`Severity`	The severity of the vulnerability. The available values are: `Critical` - CVSS 3 score of 9.0 - 10.0 `High` - CVSS 3 score of 7.0-8.9 `Medium` - CVSS 3 score of 4.0-6.9 `Low` - CVSS 3 score of 0.1-3.9
`Library`	The name of the library.
`ID`	The CVE ID associated with the identified vulnerability.
`Top Fix`	Mend’s recommended fix to remediate the CVE vulnerability. Tip: Visit our Vulnerability Database to research more info on a CVE.

Automation Workflow Violations

If the Mend CLI scan scope falls under your workflow created in the Mend Platform Application, the Mend CLI will print out any violations found in the terminal. The information will be separated into 2 tables, as you can see in the following example:

CODE

+------------------------+----------------------------+------------+----------------------------------------+
| FINDING                | ORIGIN                     | VIOLATIONS | WORKFLOWS                              |
-------------------------+----------------------------+------------+----------------------------------------+
| CVE-2022-42889         | hsqldb-2.5.2.jar           | 2          | Critical vulnerability, CVE-2022-42889 |
+------------------------+--------------------------- +------------+----------------------------------------+
| CVE-2021-42890         | snakeyaml-1.30.jar         | 1          | Critical vulnerability                 |
+------------------------+----------------------------+------------+----------------------------------------+
| LGPL 2.1               | commons-text-1.9.jar       | 1          | GPL license                            |
+------------------------+----------------------------+------------+----------------------------------------+

Violations were created by the following workflows
+-------------------------------------------------------------------+
| WORKFLOW NAME            | CONDITIONS                             |
---------------------------+----------------------------------------+
| Critical vulnerability   | Vulnerability Severity Equals Critical |
+--------------------------+----------------------------------------+
| CVE-2022-42889           | Vulnerability ID Equals CVE-2022-42889 |
+--------------------------+----------------------------------------+
| LGPL 2.1                 | Licenses Match LGPL 2.1                |
+--------------------------+----------------------------------------+

The Automation Workflow Tables

The Violations Table

CODE

+------------------------+----------------------------+------------+----------------------------------------+
| FINDING                | ORIGIN                     | VIOLATIONS | WORKFLOWS                              |
-------------------------+----------------------------+------------+----------------------------------------+
| CVE-2022-42889         | hsqldb-2.5.2.jar           | 2          | Critical vulnerability, CVE-2022-42889 |
+------------------------+--------------------------- +------------+----------------------------------------+
| CVE-2021-42890         | snakeyaml-1.30.jar         | 1          | Critical vulnerability                 |
+------------------------+----------------------------+------------+----------------------------------------+
| LGPL 2.1               | commons-text-1.9.jar       | 1          | GPL license                            |
+------------------------+----------------------------+------------+----------------------------------------+

The table lists the top 50 violated findings created following the scan.
The table will include the following columns:
- Finding - the CVE
- Origin - the library
- Violations - the number of violations created following the finding
- Workflows - the names of the workflows which triggered the violation

The Violated Workflows Table

The table lists all the workflows that triggered violations.

Note: The table will not appear if no violations occurred.

Field

Description

Workflow

The name of the workflow condition that violated the policy.

Conditions

The type of condition that was violated. The available values are:

Condition	Details
`EPSS Score`	Set the EPSS Score rating criteria that will trigger the workflow action. The supported syntax is a decimal number from 0 - 1. For example: `0.4`.
`Is Malicious Package`	The workflow action will be triggered if a malicious package is detected (or not). You can set the workflow trigger values to either `True` or `False`.
`Library Name`	The workflow action will be triggered if a library name matching the defined criteria is detected.
`Licenses`	The workflow action will be triggered if a specific License Name is found (or not). You can set the workflow trigger values to either `In`, `Is Empty`, `Match`, `Not In` or `No Match` and select license name(s) from the dropdown list.
`Vulnerability ID`	The workflow action will be triggered if a specific Vulnerability Id is found (or not). You can set the workflow trigger values to either `Equals` or `Not Equals`.
`Vulnerability Reachable`	The workflow action will be triggered if a Reachable Vulnerability is found (or not). You can set the workflow trigger values to either `True`, `False`, or `Unknown`.
`Vulnerability Score`	Set the Vulnerability Score rating criteria that will trigger the workflow action. The supported syntax is a decimal number from 0 - 10. For example: `5.4`
`Vulnerability Severity`	The workflow action will be triggered if a Vulnerability Severity equals (or not) . You can set the workflow trigger values to either `Unknown`,`Low`, `Medium`, `High`, or `Critical`.

Note: For more information on these workflow types, check out our Workflow configuration parameters documentation.

Paths at risk

The “Paths at risk” provides a visual hierarchy of the dependency paths within your project that are affected by a policy violation (P), malicious vulnerability (MSC), or a CVE vulnerability:

Mend CLI SCA results - Mend Application

Note: By default, the Mend CLI SCA results are not automatically uploaded to the Mend Application. To enable this functionality, use the -u (also --update) parameter.

Within the Mend Application, you can review each Mend CLI scan’s summary, details, and more. For more information on how to navigate the Mend Platform, visit our Analyze your results in the Mend Application documentation:

Mend CLI SCA Logs

At the end of the Mend CLI SCA scan, there is a Support token that can be provided to Mend Support and is extremely helpful for troubleshooting purposes.

The Mend CLI stores SCA scan logs in the .mend/logs/sca directory.

[data-colorid=u9q7zouzg2]{color:#ff5630} html[data-color-mode=dark] [data-colorid=u9q7zouzg2]{color:#cf2600}[data-colorid=dclm4ag4kt]{color:#ff5630} html[data-color-mode=dark] [data-colorid=dclm4ag4kt]{color:#cf2600}Overview