View your SCA Reachability Results in the Mend Platform UI
Overview
Your Reachability results can be displayed at the library level or at the vulnerability level.
Getting it done
To view your reachability results, select the project you would like to review and navigate to the Dependencies screen on the left pane (1). Select either ‘Libraries’ or ‘Findings’ (2). The Reachability status will appear under the ‘Risk Factors’ column (3):
Reachability Statuses
Reachable - Means that the vulnerability or vulnerable library is reachable. Such vulnerabilities will usually be prioritized over unreachable vulnerabilities as they pose a greater risk. Potentially Reachable - Means that there is not enough information to determine whether the vulnerability is reachable or unreachable. Note that this status only applies for legacy Prioritize scans and is equivalent to a yellow shield in the Legacy SCA application.
Unreachable - Means that the vulnerability or vulnerable library cannot be reached and can therefore be lowered in priority.Reachability Unavailable (Blank) - Unsupported language.
Information about reachable vulnerabilities
Clicking the ‘Reachable’ button in the finding’s Reachability column will spawn the Finding Details pane on the right side of the screen. This screen contains, on top of the usual vulnerability-related information, a new tab called Traces.
Traces
The Traces tab displays the full path leading from the application (the source) to the vulnerable component, the target reachable element.
Note that each vulnerable component will have its own trace, so theoretically there could be multiple traces, depending on the number of reachable elements uncovered (1 reachable element --> 1 trace).
There can be more than one location in your code that can trace to a vulnerable component; only one of them will have its trace displayed (multiple traces to 1 reachable element → 1 trace).
Each trace in the Traces screen can be expanded, to reveal the entire chain of classes leading from the application to the vulnerable component.
Supported Languages
The Reachability Supported column in the table below indicates which languages and package managers are Reachability-supported.
Language (Package Manager) | Package Manager Versions | Language | Reachability Supported | Exclusion | Repo Integration Parameter |
|---|---|---|---|---|---|
C/C++ (Conan) | Conan 2.12+ | ✔️ | MEND_SCA_CONAN_RESOLVEDEPENDENCIES | conan.resolveDependencies | |
C# (.NET) | N/A | .NET 5.0.x, 6.0.x, 7.0.x, 8.0.x, 9.0.x, 10.0.x | ✔️ | MEND_SCA_NUGET_CSPROJ_RESOLVEDEPENDENCIES / WS_NUGET_RESOLVEDEPENDENCIES | nuget.resolveDependencies |
C# (.NET Framework) | N/A | .NET 4.8 | X | MEND_SCA_NUGET_CSPROJ_RESOLVEDEPENDENCIES / WS_NUGET_RESOLVEDEPENDENCIES | nuget.resolveDependencies |
Go | Modules | Golang 1.14.x, 1.15.x, 1.16.x, 1.17.x, 1.18.x, 1.19.x, 1.20.x, 1.21.x, 1.22.x, 1.23.x | X | MEND_SCA_GO_RESOLVEDEPENDENCIES / WS_GO_MODULES_RESOLVEDEPENDENCIES | go.modules.resolveDependencies |
Java (Maven) | Maven 3.2.5, 3.3.x, 3.5.x, 3.6.x, 3.8.x, 3.9.x | Java 8.x, 11.x, 17.x, 21.x | ✔️ | MEND_SCA_MAVEN_RESOLVEDEPENDENCIES / WS_MAVEN_RESOLVEDEPENDENCIES | maven.resolveDependencies |
Java (Gradle) |
|
| ✔️ | MEND_SCA_GRADLE_RESOLVEDEPENDENCIES / WS_GRADLE_RESOLVEDEPENDENCIES | gradle.resolveDependencies |
Java (sbt) | SBT 1.8 | Java 8.x, 11.x, 17.x, 21.x | X | MEND_SCA_SBT_RESOLVEDEPENDENCIES /WS_SBT_RESOLVEDEPENDENCIES | sbt.resolveDependencies |
JavaScript (Bower) | Bower 1.8.x | Node.js 18.x | X | N/A | bower.resolveDependencies |
JavaScript (npm) |
|
| ✔️ | MEND_SCA_NPM_RESOLVEDEPENDENCIES / WS_NPM_RESOLVEDEPENDENCIES | npm.resolveDependencies |
JavaScript (Yarn) |
|
| ✔️ | MEND_SCA_YARN_RESOLVEDEPENDENCIES / WS_NPM_RESOLVEDEPENDENCIES | npm.resolveDependencies |
PHP (Composer) | composer 2.2.x, 2.3.x, 2.4.x, 2.5.x, 2.6.x | PHP 7.x, 8.x | X | MEND_SCA_PHP_RESOLVEDEPENDENCIES / WS_PHP_RESOLVEDEPENDENCIES | php.resolveDependencies |
Python (conda) | 2023.x, 2024.x | Python 3.x | ✔️ | N/A | conda.resolveDependencies |
Python (pip) | pip 20.x, 21.x, 22.x, 23.x | Python 3.x | ✔️ | MEND_SCA_PIP_RESOLVEDEPENDENCIES / | python.resolveDependencies |
Python (uv) | All versions *Versions older than 0.4.3.0 are not supported in repository integrations | Python 3.x | ✔️ | MEND_SCA_UV_RESOLVEDEPENDENCIES | uv.resolveDependencies |
Ruby (Bundler) | Bundler 2.2.x, 2.3.x, 2.4.x | Ruby 2.x, 3.x | X | MEND_SCA_RUBY_RESOLVEDEPENDENCIES / WS_RUBY_RESOLVEDEPENDENCIES | ruby.resolveDependencies |
Scala (sbt) | SBT 1.4.x, 1.5.x, 1.7.x, 1.8.x, 1.9.x, 1.10.x | Scala 2.13.x, 3.3.x, 3.5.x | X | MEND_SCA_SBT_RESOLVEDEPENDENCIES /WS_SBT_RESOLVEDEPENDENCIES | sbt.resolveDependencies |
Swift (SwiftPM) | SwiftPM 5.8.x, 5.9.x, 6.0.x | N/A | X | MEND_SCA_SWIFT_RESOLVEDEPENDENCIES /WS_SWIFT_RESOLVEDEPENDENCIES | swift.resolveDependencies |
Swift & Objective C (CocoaPods) |
|
| X | N/A | cocoapods.resolveDependencies |
Package Managers Resolved by the Unified Agent
Note: The package managers in this table are resolved using the Unified Agent, which is wrapped within the Mend CLI.
Language (Package Manager) | Package Manager Versions | Language | Reachability Supported | Exclusion | Repo Integration Parameter |
|---|---|---|---|---|---|
HTML | N/A | N/A | X | N/A | html.resolveDependencies |
JavaScript (pnpm) |
|
| ✔️ | N/A | npm.resolveDependencies |
Python (pipenv) | 2020.11.x, 2021.5.x, 2022.1.x, 2023.6.x, 2023.7.x | Python 3.x | ✔️ | N/A | python.resolveDependencies |
Python (Poetry) | poetry 1.1.x, 1.2.x, 1.3.x, 1.4.x, 1.8.x, 2.x | Python 3.x | ✔️ | N/A | python.resolveDependencies |
R (Packrat) | packrat 0.6.x | R 3.3.x, 4.1.x, 4.2.x | X | N/A | r.resolveDependencies |