Comparing Scans Between the Unified Agent and CLI
To compare results between the Unified Agent and the Mend CLI, use the following settings when scanning an application; anything left at a different value on one side shows up as a difference in the inventory rather than a difference between the tools.
Dependency Scan
Build the application before scanning with either tool. The CLI has no pre-step options, so none are enabled in the Unified Agent configuration below either.
Mend CLI
export MEND_URL=https://saas.mend.io
export MEND_EMAIL=your-user-email
export MEND_USER_KEY=your-userkey
mend dep -u -r -s your-org//your-product(application)//your-project --strict
Unified Agent
export WS_APIKEY=your-apikey
export WS_USERKEY=your-userkey
export WS_PRODUCTNAME=your-product(application)
export WS_PROJECTNAME=your-project
export WS_WSS_URL=https://saas.mend.io/agent
export WS_GENERATESCANREPORT=true
export WS_FAILERRORLEVEL=ALL
export WS_FILESYSTEMSCAN=false
export WS_RESOLVEALLDEPENDENCIES=false
export WS_MAVEN_RESOLVEDEPENDENCIES=true
export WS_MAVEN_AGGREGATEMODULES=true
export WS_GRADLE_RESOLVEDEPENDENCIES=true
export WS_GRADLE_AGGREGATEMODULES=true
export WS_NPM_RESOLVEDEPENDENCIES=true
export WS_NUGET_RESOLVEDEPENDENCIES=true
export WS_PYTHON_RESOLVEDEPENDENCIES=true
export WS_GO_MODULES_RESOLVEDEPENDENCIES=true
export WS_SBT_RESOLVEDEPENDENCIES=true
export WS_PHP_RESOLVEDEPENDENCIES=true
export WS_RUBY_RESOLVEDEPENDENCIES=true
export WS_SWIFT_RESOLVEDEPENDENCIES=true
java -jar ./wss-unified-agent.jar
The reason for each parameter selected for the Unified Agent scan is explained below.
generateScanReport=true
- used to receive the results output from the UA; the CLI prints its results in a table automatically
fileSystemScan=false
- disables source file and binary match detection, because the CLI only has source file matching, enabled with --extended or -e. If attempting to compare -e to fileSystemScan, refer to Unified Agent - Binary Matching to disable Binary Matching
resolveAllDependencies=false
- disables all package manager resolvers so that only the resolvers with a CLI equivalent are enabled, as listed below
maven.resolveDependencies=true
gradle.resolveDependencies=true
npm.resolveDependencies=true
nuget.resolveDependencies=true
python.resolveDependencies=true
go.modules.resolveDependencies=true
sbt.resolveDependencies=true
php.resolveDependencies=true
ruby.resolveDependencies=true
swift.resolveDependencies=true
maven.aggregateModules=true
& gradle.aggregateModules=true
- the CLI aggregates all modules by default
failErrorLevel=ALL
- is equivalent to --strict
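As an added check (an example shell script, not Mend's own tooling), the function below reads a Unified Agent config file and reports any of the settings listed above that are missing or set to a different value, and flags any other resolver that has been switched on, so that a comparison is not skewed by a stray resolver or by binary matching left enabled. The function names, the WS_ environment-variable naming (derived from the export lines above) and the rule that an exported WS_ variable overrides the file are assumptions of this example, as is the constructed config file used to exercise it.

```shell
#!/bin/sh
# Added example, not part of the Mend documentation or tooling.
# Checks a Unified Agent config file against the settings recommended above
# for a like-for-like comparison with `mend dep -u -r --strict`.

# key=value pairs the Unified Agent run must carry (from the list above).
PARITY_SETTINGS="generateScanReport=true failErrorLevel=ALL fileSystemScan=false resolveAllDependencies=false maven.resolveDependencies=true maven.aggregateModules=true gradle.resolveDependencies=true gradle.aggregateModules=true npm.resolveDependencies=true nuget.resolveDependencies=true python.resolveDependencies=true go.modules.resolveDependencies=true sbt.resolveDependencies=true php.resolveDependencies=true ruby.resolveDependencies=true swift.resolveDependencies=true"

# ua_env_name KEY -> WS_ variable name, following the naming used on this
# page (WS_ + upper-cased key with dots replaced by underscores). Assumption.
ua_env_name() {
    printf 'WS_%s\n' "$1" | tr '.a-z' '_A-Z'
}

# ua_config_value CONFIG_FILE KEY -> value from the file; comments are ignored
# and the last assignment wins. Prints nothing when the key is absent.
ua_config_value() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -v '^[[:space:]]*#' "$1" \
        | grep "^[[:space:]]*${pat}[[:space:]]*=" \
        | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# check_ua_parity CONFIG_FILE
# Prints one line per deviation; returns 0 when everything matches, 1 otherwise,
# 2 when the file cannot be read.
check_ua_parity() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    status=0
    for pair in $PARITY_SETTINGS; do
        key=${pair%%=*}
        want=${pair#*=}
        envname=$(ua_env_name "$key")
        eval "have=\${$envname:-}"      # assumption: an exported WS_ var wins over the file
        [ -n "$have" ] || have=$(ua_config_value "$cfg" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (want $want)"
            status=1
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key=$have (want $want)"
            status=1
        fi
    done
    # Any resolver enabled in the file that is not on the parity list has no
    # CLI counterpart in the comparison and would inflate the UA inventory.
    for extra in $(grep -v '^[[:space:]]*#' "$cfg" \
            | sed -n 's/^[[:space:]]*\([A-Za-z.]*\.resolveDependencies\)[[:space:]]*=[[:space:]]*true[[:space:]]*$/\1/p'); do
        case " $PARITY_SETTINGS " in
            *" $extra=true "*) ;;
            *) echo "EXTRA    $extra=true (not in the parity list)"; status=1 ;;
        esac
    done
    return $status
}

# usage: check_ua_parity wss-unified-agent.config
```

Run it against the config file you pass to the agent before the comparison scan. It only covers the Unified Agent side and only sees resolvers enabled in the file; a resolver switched on purely through a WS_ variable that is not in the list is not reported.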
Equivalent General Commands
The information below explains configuration parameters in the Unified Agent and their equivalents for the CLI.
checkPolicies=true
& forceCheckAllDependencies=true
- works the same as --fail-policy
updateInventory=true
- is equivalent to --update or -u
generateScanReport=true
- provides JSON output similar to --export-results
There are no CLI commands equivalent to the following Unified Agent parameters.
projectTag
- only works for a newly created project. It is recommended to use API calls to set project tags
projectPerFolder, projectPerFolderIncludes, projectPerFolderExcludes
- the CLI must point to individual directories using the --dir or -d command
forceCheckAllDependencies=false
- this policy checks the delta in libraries on a scan vs what is recorded in the project
forceUpdate.failBuildOnPolicyViolation=true
- --fail-policy always returns exit code 9
updateType=APPEND
- the CLI always overrides the results of a project when using -u
includes
- the CLI cannot be configured to change the type of files scanned with --extended or -e
scanComment
- the CLI does not have the ability to add a scan comment
generateProjectDetailsJson
- the CLI outputs the project token automatically when using -u
The Unified Agent is missing the following features compared to the Mend CLI dep command.
--reachability
- SCA Reachability vs. Prioritize
--label-app and --label-proj
- the Unified Agent is unable to label applications or projects and API 3.0 must be used
Default mend dep scan does not upload to the user interface
- a mend dep scan does not upload results unless -u is given, whereas the Unified Agent always uploads. When scanning feature branches or pull requests with the Unified Agent, delete the project after uploading
Image Scan
Coming Soon!!!