
Mend SCA Log Overview - Repository Integration

Overview

This document walks through the parts of an SCA scan log to help you navigate the information it contains. The sections are presented in the same order in which they appear in the log file.

Every Mend SCA scan log contains the following sections:

  • Pre-Scan builder

  • Scan Configuration

  • File System Scan

  • Pre-step and Resolve Dependencies

  • Summary

  • Reachability

    • If supported by the SCM and enabled

  • SCA_RESULTS_JSON

Pre-Scan Builder

The Pre-Scan Builder is run before the repository is scanned by the Mend Unified Agent. Its goal is to check connectivity to your private registry via host rules and to run the package manager installation commands that prepare the repository for scanning by the Unified Agent. Most errors with a repository scan can be found in this step: either there was an issue with the package manager installation command, or Mend could not connect to your private registry correctly. If there is an error during the Pre-Scan Builder, a detailed output can be found in the SCA_RESULTS_JSON section.

Pre-Scan Builder output starts at the line "Running Pre Scan Builder" and continues until the line "Running Unified-Agent".

Scan Configuration

When starting the Unified Agent scan, Mend displays the entire configuration file in the log output. Configuration entries prefixed with a # are commented out and run with their default value. The value displayed in the log for such an entry is the default value in use, shown for transparency.

The scanner is already configured to handle the most common use cases of all Mend Users. It is possible to override the configuration used by the scanner but not every configuration can be overridden.

File System Scan

By default, file system scanning is disabled in the repository integration. This section still appears in scan logs and will have data when HTML files are present.

If enabled by overriding the configuration, Mend will scan the entire repository for loose files and attempt to match them to a source library. This setting should be used for non-package managed languages. For more information on Source File Matching, see: Understanding Mend’s Dependency Detection - Source File Matching

Pre-step and Resolve Dependencies

This section appears only if Mend detected a package manifest file, and it shows all the dependencies Mend detected in the package manifest.

CODE
DEBUG:  top folders found:
DEBUG:   +- /tmp/mend-scm/nodegoat
DEBUG:  	|  +- /tmp/mend-scm/nodegoat/package.json

The output of this section depends on the package manager used by the application. For example, Maven projects will show the entire dependency tree, while NPM projects will show the packages found in the package-lock.json created in the Pre-Scan Builder.

CODE
DEBUG: Resolving file: /tmp/mend-scm/nodegoat/package.json
DEBUG: NpmLockCollector - collectDependencies - Start, file:/tmp/mend-scm/nodegoat/package.json
DEBUG: parsing the package-lock.json file, found at /tmp/mend-scm/nodegoat
DEBUG: The lockfileVersion is 3. Converts dependencies from a packages object to a dependencies object
DEBUG: NpmLockCollector - updateDependencyInfo - START, y18n-3.2.2.tgz
DEBUG: NpmLockCollector - updateDependencyInfo - END, y18n-3.2.2.tgz


This section is useful for double-checking Mend’s results. If a library appears to be missing from the Mend UI, the most common cause is that the library was not detected during the scan. Was the package manifest detected? If the package manifest is found, is the dependency declared in the package manifest? If the manifest is detected and the dependency is inside the manifest, there might be a deeper issue or a configuration issue. The Mend Technical Support team can help identify potential issues or report bugs if needed.

Summary

The Summary section displays a table that shows which package manager was detected and how many dependencies were detected for that specific manager. This section is a good initial check for any potential issues with the scan. Are the counts displayed in the summary in line with expectations? If the dependency count is too low, that might indicate an issue with the Pre-Scan Builder.

CODE
INFO: ------------------------------------------------------------------------------------------------------------------------------------------------------
INFO: ------------------------------------------------------------- WhiteSource Scan Summary: --------------------------------------------------------------
INFO: ------------------------------------------------------------------------------------------------------------------------------------------------------
INFO: ======================================================================================================================================================
INFO: Scan Origin: Local File System
INFO: ======================================================================================================================================================
INFO: Step                                              Completion Status               Elapsed                  Comments
INFO: ======================================================================================================================================================
INFO: Fetch Configuration                                  COMPLETED                  00:00:00.110               --------
INFO: Pre-Step And Resolve Dependencies                    COMPLETED                  00:00:00.854               357 total dependencies (324 unique)
INFO:    NPM                                               COMPLETED                  00:00:00.742               357 total dependencies (324 unique)
INFO:    HTML                                              COMPLETED                  00:00:00.070               0 dependencies
INFO: Scan Files Matching Includes Pattern                 COMPLETED                  00:00:00.040               0 source/binary files
INFO: ======================================================================================================================================================
INFO: Elapsed running time:                                                           00:00:01.004
INFO: ======================================================================================================================================================
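
An added example (not from Mend's documentation or tooling) of the sanity check described above: it reads the per-package-manager rows of the summary table and compares their dependency counts with a baseline you supply. The function names, the expected_min baseline and the sample rows are assumptions constructed for illustration.

```python
import re

# Constructed sample: rows in the layout of the summary table above.
SAMPLE_LOG = """\
INFO: Step                                 Completion Status     Elapsed            Comments
INFO: Pre-Step And Resolve Dependencies        COMPLETED       00:00:00.854       357 total dependencies (324 unique)
INFO:    NPM                                   COMPLETED       00:00:00.742       357 total dependencies (324 unique)
INFO:    HTML                                  COMPLETED       00:00:00.070       0 dependencies
INFO: Scan Files Matching Includes Pattern     COMPLETED       00:00:00.040       0 source/binary files
"""

# Columns are separated by runs of two or more spaces; the header row does not match.
ROW = re.compile(
    r"^INFO: (?P<indent>\s*)(?P<step>\S.*?)\s{2,}(?P<status>[A-Z_]+)\s{2,}"
    r"(?P<elapsed>\d\d:\d\d:\d\d\.\d+)\s{2,}(?P<comment>.*\S)\s*$"
)
DEPS = re.compile(r"(\d+) (?:total )?dependencies(?: \((\d+) unique\))?")


def package_manager_counts(log_text):
    """Return {manager: (status, total, unique)} for the indented per-manager rows."""
    counts = {}
    for line in log_text.splitlines():
        m = ROW.match(line)
        if not m or not m["indent"]:
            continue  # skip non-table lines and the unindented step rows
        d = DEPS.search(m["comment"])
        total = int(d[1]) if d else None
        unique = int(d[2]) if d and d[2] else total
        counts[m["step"]] = (m["status"], total, unique)
    return counts


def below_expectation(counts, expected_min):
    """List managers that are missing, not COMPLETED, or under the expected minimum."""
    problems = []
    for manager, minimum in expected_min.items():
        status, total, _ = counts.get(manager, ("MISSING", None, None))
        if status != "COMPLETED" or total is None or total < minimum:
            problems.append((manager, status, total))
    return problems
```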

Reachability

If Reachability is enabled, its output follows the summary, starting from the line "Running Reachability". This output is very detailed and adds a lot of output to the log itself. This section is more for Mend to find issues with reachability if any are reported through Technical Support.

SCA_RESULTS_JSON

While not its own section, this line in the log file is the output of the Pre-Scan Builder. This output shows which manifests were detected by the Pre-Scan Builder, whether resolution was successful, and whether Mend can connect to your private registry. This output is the best way to begin troubleshooting issues with private registry connections.

CODE
DEBUG: [2024-12-06 20:46:49] - [CTX=6081612db75e4c40a0c66268d62ae493_e39b7865-99d1-4d90-b75b-dd9eb696305c] -  - [agent=sca_wrapper, agent-version=24.11.1, state=SCA_WRAPPER_PRE_RUN] - SCA_RESULTS_JSON={"results":{"/tmp/mend-scm/testhostrules/build/build.csproj":[{"time":"2024-12-06T20:46:40.374042593Z","type":"PM","pm":"nuget-csproj","stage":"PRE_STEP","success":true,"level":"WARN","resType":"INSTALL","resMsg":"MSBUILD : error MSB1009: Project file does not exist.\nSwitch: build/build.csproj","tool":"PSB","merge":false,"extra":{}},{"time":"2024-12-06T20:46:45.686334249Z","type":"PM","pm":"nuget","stage":"RESOLUTION","success":true,"level":"INFO","resType":"SUCCESS","resMsg":"","tool":"UA","merge":false,"extra":{}}],"/tmp/mend-scm/testhostrules/src/Conduit/Conduit.csproj":[{"time":"2024-12-06T20:46:40.374028341Z","type":"PM","pm":"nuget-csproj","stage":"PRE_STEP","success":true,"level":"WARN","resType":"INSTALL","resMsg":"MSBUILD : error MSB1009: Project file does not exist.\nSwitch: src/Conduit/Conduit.csproj","tool":"PSB","merge":false,"extra":{}},{"time":"2024-12-06T20:46:44.435498051Z","type":"PM","pm":"nuget","stage":"RESOLUTION","success":true,"level":"INFO","resType":"SUCCESS","resMsg":"","tool":"UA","merge":false,"extra":{}}],"/tmp/mend-scm/testhostrules/tests/Conduit.IntegrationTests/Conduit.IntegrationTests.csproj":[{"time":"2024-12-06T20:46:40.374036609Z","type":"PM","pm":"nuget-csproj","stage":"PRE_STEP","success":true,"level":"WARN","resType":"INSTALL","resMsg":"MSBUILD : error MSB1009: Project file does not exist.\nSwitch: tests/Conduit.IntegrationTests/Conduit.IntegrationTests.csproj","tool":"PSB","merge":false,"extra":{}},{"time":"2024-12-06T20:46:45.064054752Z","type":"PM","pm":"nuget","stage":"RESOLUTION","success":true,"level":"INFO","resType":"SUCCESS","resMsg":"","tool":"UA","merge":false,"extra":{}}],"https://pkgs.dev.azure.com/MendOrg/TestProject/_packaging/newFeed/nuget/v3/index.json":[{"time":"2024-12-06T20:46:06.060236350Z","type":"PM","pm":"nuget-csproj","stage":"CONNECTIVITY","success":false,"level":"WARN","resType":"HTTP_UNAUTHORIZED","resMsg":"{\"$id\":\"1\",\"customProperties\":{\"Descriptor\":null,\"IdentityDisplayName\":null,\"Token\":null,\"RequestedPermissions\":0,\"NamespaceId\":\"00000000-0000-0000-0000-000000000000\"},\"innerException\":null,\"message\":\"Access Denied: The Personal Access Token used has expired.\",\"typeName\":\"Microsoft.VisualStudio.Services.Security.AccessCheckException, Microsoft.VisualStudio.Services.WebApi\",\"typeKey\":\"AccessC...","tool":"PSB","merge":false,"extra":{}}]},"tags":{"nuget-csproj":["HOST_RULES"]},"totalSuccess":{"RESOLUTION":3},"totalFail":{"CONNECTIVITY":1,"PRE_STEP":3}}
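
An added example, not Mend's own code, for triaging this line: it extracts the SCA_RESULTS_JSON payload and lists the entries that did not succeed. It assumes the payload sits on a single log line and, going by the sample above, treats resType rather than success as the failure signal, because the PRE_STEP entries there report "success":true yet are counted under totalFail; the log line, placeholder paths and function names are constructed.

```python
import json
from collections import Counter

MARKER = "SCA_RESULTS_JSON="
# Constructed log line in the shape of the sample above (paths and URL are placeholders).
SAMPLE_LINE = (
    "DEBUG: [2024-12-06 20:46:49] - [agent=sca_wrapper, state=SCA_WRAPPER_PRE_RUN] - "
    + MARKER
    + json.dumps({
        "results": {
            "/tmp/mend-scm/example/app/app.csproj": [
                {"pm": "nuget-csproj", "stage": "PRE_STEP", "success": True, "level": "WARN",
                 "resType": "INSTALL", "resMsg": "MSBUILD : error MSB1009: Project file does not exist."},
                {"pm": "nuget", "stage": "RESOLUTION", "success": True, "level": "INFO",
                 "resType": "SUCCESS", "resMsg": ""},
            ],
            "https://registry.example.invalid/nuget/v3/index.json": [
                {"pm": "nuget-csproj", "stage": "CONNECTIVITY", "success": False, "level": "WARN",
                 "resType": "HTTP_UNAUTHORIZED", "resMsg": "Access Denied"},
            ],
        },
        "totalSuccess": {"RESOLUTION": 1},
        "totalFail": {"CONNECTIVITY": 1, "PRE_STEP": 1},
    })
)

def parse_results(log_text):
    """Return the decoded SCA_RESULTS_JSON object from a scan log, or None if absent."""
    for line in log_text.splitlines():
        _, found, payload = line.partition(MARKER)
        if found:
            # raw_decode tolerates trailing text after the JSON object.
            return json.JSONDecoder().raw_decode(payload)[0]
    return None

def failures(report):
    """List (stage, target, pm, resType, first line of resMsg) for non-SUCCESS entries."""
    rows = []
    for target, entries in report.get("results", {}).items():
        for e in entries:
            # Assumption from the sample: resType, not "success", separates good from bad.
            if e.get("resType") != "SUCCESS":
                first = "".join((e.get("resMsg") or "").splitlines()[:1])
                rows.append((e.get("stage"), target, e.get("pm"), e.get("resType"), first))
    return sorted(rows)

def matches_totals(report):
    """Check that per-entry failures add up to the log's own totalFail counters."""
    return Counter(r[0] for r in failures(report)) == Counter(report.get("totalFail", {}))
```

CONNECTIVITY rows point at registry or host-rule problems, while PRE_STEP rows point at the package manager installation command.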
