Mend SCA Log Overview - Repository Integration
Overview
This document walks through the parts of an SCA scan log to help you navigate the information it contains. The sections are presented in the same order they appear in the log file.
Every Mend SCA scan log contains the following sections:
Pre-Scan builder
Scan Configuration
File System Scan
Pre-step and Resolve Dependencies
Summary
Reachability (if supported by the SCM and enabled)
SCA_RESULTS_JSON
Pre-Scan Builder
The Pre-Scan Builder is run before the repository is scanned by the Mend Unified Agent. Its goal is to check connectivity to your private registry via host rules and to run the package manager installation commands that prepare the repository for scanning by the Unified Agent. Most errors with a repository scan can be found in this step: either there was an issue with the package manager installation command, or Mend could not connect to your private registry correctly. If there is an error during the Pre-Scan Builder, detailed output can be found in the SCA_RESULTS_JSON section.
Pre-Scan Builder output starts at the line "Running Pre Scan Builder" and continues until the line "Running Unified-Agent".
Scan Configuration
When starting the Unified Agent scan, Mend displays the entire configuration file in the log output. All configurations prefixed with a # are commented out and run with their default value. The values displayed in the log file are the defaults in use and are shown for transparency.
The scanner is already configured to handle the most common use cases of all Mend users. It is possible to override the configuration used by the scanner, but not every configuration can be overridden.
File System Scan
By default, file system scanning is disabled in the repository integration. This section still appears in scan logs and will have data when HTML files are present.
If enabled by overriding the configuration, Mend will scan the entire repository for loose files and attempt to match them to a source library. This setting should be used for non-package-managed languages. For more information on source file matching, see: Understanding Mend’s Dependency Detection - Source File Matching
Pre-step and Resolve Dependencies
This section only appears if Mend detected a package manifest file, and it shows all the dependencies Mend detected in that package manifest.
DEBUG: top folders found:
DEBUG: +- /tmp/mend-scm/nodegoat
DEBUG: | +- /tmp/mend-scm/nodegoat/package.json
The output of this section depends on the package manager used by the application. For example, Maven projects will show the entire dependency tree, while NPM projects will show the packages found in the package-lock.json created in the Pre-Scan Builder.
DEBUG: Resolving file: /tmp/mend-scm/nodegoat/package.json
DEBUG: NpmLockCollector - collectDependencies - Start, file:/tmp/mend-scm/nodegoat/package.json
DEBUG: parsing the package-lock.json file, found at /tmp/mend-scm/nodegoat
DEBUG: The lockfileVersion is 3. Converts dependencies from a packages object to a dependencies object
DEBUG: NpmLockCollector - updateDependencyInfo - START, y18n-3.2.2.tgz
DEBUG: NpmLockCollector - updateDependencyInfo - END, y18n-3.2.2.tgz
This section is useful for double-checking Mend’s results. If a library appears to be missing from the Mend UI, the most common cause is that the library was not detected during the scan. Was the package manifest detected? If the package manifest was found, is the dependency declared in it? If the manifest is detected and the dependency is declared in the manifest, there might be a deeper issue or a configuration issue. The Mend Technical Support team can help identify potential issues or report bugs if needed.
Summary
The summary section displays a table that shows which package manager was detected and how many dependencies were detected for that specific manager. This section is a good initial check for any potential issues with the scan. Are the amounts displayed in the summary in line with expectations? If the dependency count is too low, that might indicate an issue with the Pre-Scan Builder.
INFO: ------------------------------------------------------------------------------------------------------------------------------------------------------
INFO: ------------------------------------------------------------- WhiteSource Scan Summary: --------------------------------------------------------------
INFO: ------------------------------------------------------------------------------------------------------------------------------------------------------
INFO: ======================================================================================================================================================
INFO: Scan Origin: Local File System
INFO: ======================================================================================================================================================
INFO: Step Completion Status Elapsed Comments
INFO: ======================================================================================================================================================
INFO: Fetch Configuration COMPLETED 00:00:00.110 --------
INFO: Pre-Step And Resolve Dependencies COMPLETED 00:00:00.854 357 total dependencies (324 unique)
INFO: NPM COMPLETED 00:00:00.742 357 total dependencies (324 unique)
INFO: HTML COMPLETED 00:00:00.070 0 dependencies
INFO: Scan Files Matching Includes Pattern COMPLETED 00:00:00.040 0 source/binary files
INFO: ======================================================================================================================================================
INFO: Elapsed running time: 00:00:01.004
INFO: ======================================================================================================================================================
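The expectation check described above can be automated. The following is an added example, not Mend tooling: it parses summary rows in the layout shown in this log and compares dependency counts with a baseline. The baseline values, the tolerance parameter and the function names are assumptions of the example, and the sample rows are constructed.

```python
import re

# Constructed sample: summary rows in the layout shown above, with made-up counts.
SAMPLE_LOG = """\
INFO: Step Completion Status Elapsed Comments
INFO: Fetch Configuration COMPLETED 00:00:00.110 --------
INFO: Pre-Step And Resolve Dependencies COMPLETED 00:00:00.854 12 total dependencies (10 unique)
INFO: NPM COMPLETED 00:00:00.742 12 total dependencies (10 unique)
INFO: HTML COMPLETED 00:00:00.070 0 dependencies
INFO: Scan Files Matching Includes Pattern COMPLETED 00:00:00.040 0 source/binary files
INFO: Elapsed running time: 00:00:01.004
"""

# A data row is: step name, upper-case status, elapsed time, free-text comment.
ROW = re.compile(r"^INFO:\s+(?P<step>.+?)\s+(?P<status>[A-Z_]+)\s+"
                 r"(?P<elapsed>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<comment>.*)$")
COUNT = re.compile(r"^(?P<total>\d+) (?:total )?dependencies(?: \((?P<unique>\d+) unique\))?$")

def parse_summary(log_text):
    """Map each summary step to (status, dependency count or None)."""
    steps = {}
    for line in log_text.splitlines():
        m = ROW.match(line.strip())
        if m:
            c = COUNT.match(m["comment"].strip())
            steps[m["step"]] = (m["status"], int(c["total"]) if c else None)
    return steps

def check_against_baseline(steps, baseline, tolerance=0.8):
    """Alert on steps that are missing, not COMPLETED, or below tolerance * baseline.

    baseline is a hypothetical {step: expected_count} map, e.g. from the previous scan.
    """
    alerts = []
    for step, expected in baseline.items():
        status, count = steps.get(step, ("MISSING", None))
        if status != "COMPLETED":
            alerts.append(f"{step}: status {status}")
        elif count is None or count < expected * tolerance:
            alerts.append(f"{step}: {count} dependencies, expected about {expected}")
    return alerts
```

A sudden drop against the baseline is worth treating as a failed scan rather than a clean one, since undetected dependencies produce no findings.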
Reachability
If Reachability is enabled, its output follows the summary, starting from the line "Running Reachability". This output is very detailed and adds a lot of content to the log. This section is mainly for Mend to find issues with reachability if any are reported through Technical Support.
SCA_RESULTS_JSON
While not its own section, this line in the log file is the output of the Pre-Scan Builder. This output shows which manifests were detected by the Pre-Scan Builder, whether resolution was successful, and whether Mend can connect to your private registry. This output is the best way to begin troubleshooting issues with private registry connections.
DEBUG: [2024-12-06 20:46:49] - [CTX=6081612db75e4c40a0c66268d62ae493_e39b7865-99d1-4d90-b75b-dd9eb696305c] - - [agent=sca_wrapper, agent-version=24.11.1, state=SCA_WRAPPER_PRE_RUN] - SCA_RESULTS_JSON={"results":{"/tmp/mend-scm/testhostrules/build/build.csproj":[{"time":"2024-12-06T20:46:40.374042593Z","type":"PM","pm":"nuget-csproj","stage":"PRE_STEP","success":true,"level":"WARN","resType":"INSTALL","resMsg":"MSBUILD : error MSB1009: Project file does not exist.\nSwitch: build/build.csproj","tool":"PSB","merge":false,"extra":{}},{"time":"2024-12-06T20:46:45.686334249Z","type":"PM","pm":"nuget","stage":"RESOLUTION","success":true,"level":"INFO","resType":"SUCCESS","resMsg":"","tool":"UA","merge":false,"extra":{}}],"/tmp/mend-scm/testhostrules/src/Conduit/Conduit.csproj":[{"time":"2024-12-06T20:46:40.374028341Z","type":"PM","pm":"nuget-csproj","stage":"PRE_STEP","success":true,"level":"WARN","resType":"INSTALL","resMsg":"MSBUILD : error MSB1009: Project file does not exist.\nSwitch: src/Conduit/Conduit.csproj","tool":"PSB","merge":false,"extra":{}},{"time":"2024-12-06T20:46:44.435498051Z","type":"PM","pm":"nuget","stage":"RESOLUTION","success":true,"level":"INFO","resType":"SUCCESS","resMsg":"","tool":"UA","merge":false,"extra":{}}],"/tmp/mend-scm/testhostrules/tests/Conduit.IntegrationTests/Conduit.IntegrationTests.csproj":[{"time":"2024-12-06T20:46:40.374036609Z","type":"PM","pm":"nuget-csproj","stage":"PRE_STEP","success":true,"level":"WARN","resType":"INSTALL","resMsg":"MSBUILD : error MSB1009: Project file does not exist.\nSwitch: 
tests/Conduit.IntegrationTests/Conduit.IntegrationTests.csproj","tool":"PSB","merge":false,"extra":{}},{"time":"2024-12-06T20:46:45.064054752Z","type":"PM","pm":"nuget","stage":"RESOLUTION","success":true,"level":"INFO","resType":"SUCCESS","resMsg":"","tool":"UA","merge":false,"extra":{}}],"https://pkgs.dev.azure.com/MendOrg/TestProject/_packaging/newFeed/nuget/v3/index.json":[{"time":"2024-12-06T20:46:06.060236350Z","type":"PM","pm":"nuget-csproj","stage":"CONNECTIVITY","success":false,"level":"WARN","resType":"HTTP_UNAUTHORIZED","resMsg":"{\"$id\":\"1\",\"customProperties\":{\"Descriptor\":null,\"IdentityDisplayName\":null,\"Token\":null,\"RequestedPermissions\":0,\"NamespaceId\":\"00000000-0000-0000-0000-000000000000\"},\"innerException\":null,\"message\":\"Access Denied: The Personal Access Token used has expired.\",\"typeName\":\"Microsoft.VisualStudio.Services.Security.AccessCheckException, Microsoft.VisualStudio.Services.WebApi\",\"typeKey\":\"AccessC...","tool":"PSB","merge":false,"extra":{}}]},"tags":{"nuget-csproj":["HOST_RULES"]},"totalSuccess":{"RESOLUTION":3},"totalFail":{"CONNECTIVITY":1,"PRE_STEP":3}}
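Because the SCA_RESULTS_JSON payload is a single long line, it is easier to triage once decoded. The following is an added example, not Mend tooling: it extracts the JSON from a log line and lists the entries that need attention, connectivity problems first. The sample line is constructed from the field names visible in the log above, and treating "success": false or a non-INFO level as a finding is an assumption of the example (it matches the totalFail counts in the log above).

```python
import json

# Constructed sample line using the field names shown in the log above;
# the paths, registry URL and messages are made up for this example.
SAMPLE_LINE = (
    'DEBUG: [2024-01-01 00:00:00] - [agent=sca_wrapper] - SCA_RESULTS_JSON='
    '{"results":{'
    '"/tmp/mend-scm/app/app.csproj":['
    '{"pm":"nuget-csproj","stage":"PRE_STEP","success":true,"level":"WARN",'
    '"resType":"INSTALL","resMsg":"restore failed","tool":"PSB"},'
    '{"pm":"nuget","stage":"RESOLUTION","success":true,"level":"INFO",'
    '"resType":"SUCCESS","resMsg":"","tool":"UA"}],'
    '"https://registry.example.invalid/nuget/v3/index.json":['
    '{"pm":"nuget-csproj","stage":"CONNECTIVITY","success":false,"level":"WARN",'
    '"resType":"HTTP_UNAUTHORIZED","resMsg":"token expired","tool":"PSB"}]},'
    '"totalSuccess":{"RESOLUTION":1},"totalFail":{"CONNECTIVITY":1,"PRE_STEP":1}}'
)
MARKER = "SCA_RESULTS_JSON="

def extract_results(line):
    """Return the decoded SCA_RESULTS_JSON object from one log line, or None."""
    idx = line.find(MARKER)
    if idx < 0:
        return None
    # raw_decode stops after the first JSON value, so trailing log text is tolerated.
    obj, _ = json.JSONDecoder().raw_decode(line[idx + len(MARKER):].lstrip())
    return obj

def findings(obj):
    """List (stage, target, resType, resMsg) for entries that failed or warned."""
    out = []
    for target, entries in obj.get("results", {}).items():
        for e in entries:
            # Assumption of this example: success=false or a non-INFO level is a finding.
            if not e.get("success", False) or e.get("level") != "INFO":
                out.append((e.get("stage", ""), target, e.get("resType"), e.get("resMsg", "")))
    # Connectivity entries first: these are the private-registry problems.
    out.sort(key=lambda f: (f[0] != "CONNECTIVITY", f[0], f[1]))
    return out

def registry_connectivity_findings(obj):
    """Registry URLs that have a CONNECTIVITY finding (e.g. HTTP_UNAUTHORIZED)."""
    return sorted({target for stage, target, _, _ in findings(obj) if stage == "CONNECTIVITY"})
```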