View your SCA Reachability Results in the Mend Platform UI
Overview
Your Reachability results can be displayed at the library level or at the vulnerability level.
Getting it done
To view your reachability results, select the project you would like to review and navigate to the Dependencies screen on the left pane (1). Select either ‘Libraries’ or ‘Findings’ (2). The Reachability status appears under the ‘Risk Factors’ column (3).
Reachability Statuses
Reachable - The vulnerability or vulnerable library is reachable from your application code. Such vulnerabilities are usually prioritized over unreachable ones, as they pose a greater risk.
Unreachable - The vulnerability or vulnerable library cannot be reached from your application code and can therefore be lowered in priority.
Potentially Reachable - There is not enough information to determine whether the vulnerability is reachable or unreachable. Note that this status only applies to legacy Prioritize scans and is equivalent to a yellow shield in the Legacy SCA application.
Reachability Unavailable (Blank) - The language is not supported for reachability analysis, so no status is shown.
Information about reachable vulnerabilities
Clicking the ‘Reachable’ button in the finding’s Reachability column opens the Finding Details pane on the right side of the screen. In addition to the usual vulnerability-related information, this pane contains a new tab called Traces.
Traces
The Traces tab displays the full path leading from the application (the source) to the vulnerable component (the target reachable element).
Note that each vulnerable component has its own trace, so there can be multiple traces, depending on the number of reachable elements uncovered (1 reachable element → 1 trace).
There can be more than one location in your code that traces to a vulnerable component; only one of those paths is displayed (multiple paths to 1 reachable element → 1 trace).
Each trace in the Traces screen can be expanded to reveal the entire chain of classes leading from the application to the vulnerable component.
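To illustrate what the Traces tab shows, the following added example (not Mend's own analysis code) runs a breadth-first search over a small constructed call graph, marks each vulnerable element Reachable or Unreachable, and keeps a single shortest trace per reachable element even when several call paths exist. The function and class names in the graph are assumptions for illustration only.

```python
from collections import deque

# Constructed call graph: caller -> list of callees. Names are made up for
# illustration; nothing here comes from a real scan.
CALL_GRAPH = {
    "app.Main.main": ["app.Api.handle", "app.Util.log"],
    "app.Api.handle": ["lib.Parser.parse", "app.Util.log"],
    "app.Util.log": ["lib.Parser.parse"],          # second path to parse
    "lib.Parser.parse": ["lib.Parser.expandEntity"],
    "lib.Parser.expandEntity": [],
    "lib.Crypto.weakHash": [],                    # present in the library, never called
}
ENTRY_POINTS = ["app.Main.main"]


def find_trace(graph, entry_points, target):
    """Return one shortest caller chain from an entry point to target, or
    None when target is unreachable. Several paths may exist; only one is
    reported, matching the 'multiple paths -> 1 trace' rule above."""
    parent = {entry: None for entry in entry_points}
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        if node == target:
            trace = []
            while node is not None:          # walk parents back to the entry point
                trace.append(node)
                node = parent[node]
            return trace[::-1]
        for callee in graph.get(node, []):
            if callee not in parent:         # first visit wins: shortest path
                parent[callee] = node
                queue.append(callee)
    return None


def classify(graph, entry_points, vulnerable_elements):
    """Map each vulnerable element to ('Reachable', trace) or ('Unreachable', None)."""
    result = {}
    for element in vulnerable_elements:
        trace = find_trace(graph, entry_points, element)
        result[element] = ("Reachable", trace) if trace else ("Unreachable", None)
    return result


if __name__ == "__main__":
    findings = classify(CALL_GRAPH, ENTRY_POINTS,
                        ["lib.Parser.expandEntity", "lib.Crypto.weakHash"])
    for element, (status, trace) in findings.items():
        print(status, element, " -> ".join(trace) if trace else "")
```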
Supported Languages
The following languages and package managers are supported for scanning dependencies with Mend Reachability (the configuration files listed are the ones the scan reads for each package manager):
| Language | Package Manager | Details |
|---|---|---|
DotNet | Nuget | Configuration file(s): .nuspec, packages.config, .csproj, project.assets.json, packages.lock.json |
Java | Gradle | Configuration file(s): build.gradle, settings.gradle |
Java | Maven | Configuration file(s): pom.xml, settings.xml |
JavaScript | npm | Configuration file(s): package.json, package-lock.json |
JavaScript | Yarn | Configuration file(s): package.json, yarn.lock |
JavaScript | Lerna (repo only) | Configuration file(s): |
JavaScript | pnpm (repo only) | Configuration file(s): |
Python | pip | Configuration file(s): requirements.txt |
Python | Pipenv | Configuration file(s): Pipfile & Pipfile.lock |
Python | Poetry | Configuration file(s): pyproject.toml, poetry.lock |
Supported versions of each language or package manager are listed here.