Repository Integrations - Checking utilized Package Managers
Our Mend for Developers integrations (GitHub.com, GitHub Enterprise, GitLab, Azure Repos, Bitbucket Cloud, and Bitbucket Server) use Docker containers to integrate directly with your repository manager and scan your repositories.
One of the containers, called the Scanner, is used to run the Unified Agent scan against your cloned repository. This container includes all of the package managers that we support so that it can successfully scan your projects.
This article will describe how to check which version of each package manager is in use and will answer a few frequently asked questions.
Checking the version of a package manager:
If you have access to the container’s Dockerfile
If you have access to the Dockerfiles that you are using for your integration, you can check the version of the package manager within the Scanner Dockerfile itself. The Scanner Dockerfile includes Docker commands to install all of the package managers and specifies the version. You can find the Scanner Dockerfile within the following path /path_to_mend_files/wss-scanner/Docker
Below is an example of the Maven commands within the Scanner Dockerfile:
Install Maven (3.5.4)
ARG BASE_URL=https://apache.osuosl.org/maven/maven-3/${MAVEN_VERSION}/binaries
RUN mkdir -p /usr/share/maven /usr/share/maven/ref &&
curl -fsSL -o /tmp/apache-maven.tar.gz ${BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz &&
echo "${MAVEN_VERSION_SHA} /tmp/apache-maven.tar.gz" | sha256sum -c - &&
tar -xzf /tmp/apache-maven.tar.gz -C /usr/share/maven --strip-components=1 &&
rm -f /tmp/apache-maven.tar.gz &&
ln -s /usr/share/maven/bin/mvn /usr/bin/mvn &&
mkdir -p -m 777 ${WSS_USER_HOME}/.m2/repository &&
chown -R ${WSS_USER}:${WSS_GROUP} ${WSS_USER_HOME}/.m2 &&
rm -rf /tmp/*
ENV MAVEN_HOME /usr/share/maven
ENV MAVEN_CONFIG ${WSS_USER_HOME}/.m2If you do not have access to the container’s Dockerfile
If you do not have access to the Dockerfiles that you are using for your integration, you can check the Mend logs from a recent Mend scan of your project. One of the first steps the Scanner completes during a Mend scan is that it runs a command per enabled package manager to confirm that the package manager is installed. This command also returns the version of the package manager, which is reflected in the logs when thelog.level=debug parameter in the whitesource.config file is enabled.
Note: The command for a package manager will only run if you are resolving dependencies from that specific package manager. You may need to check more than one scan log to get the full list of package manager versions.
Below is an example of the Maven package manager command within a scan log:
[DEBUG] [2021-03-30 12:33:19,187 -0400[ - Command result output lines for 'cmd /c mvn -v':
[DEBUG] [2021-03-30 12:33:19,187 -0400[ - Read line #1: Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)Frequently asked questions
Q: I received an error in my logs stating that the package manager I use wasn’t installed for my integration - why would this happen?
A: Not all package managers are installed by default. All of the commands to install each package manager are included in the Dockerfile by default, but some that are not used frequently have their install commands commented out. To change the package managers that are installed, review the Scanner Dockerfile and uncomment any package manager installation commands you wish directly within the Dockerfile. Please note that the Docker image needs to be rebuilt if the Dockerfile is modified.
Q: My project requires a specific version of the package manager, how can I update the version used by the integration?
A: If you are using a newer version of a package manager, you can request that Mend update the version of the package manager in use by opening a support ticket. You can also update the Dockerfile directly to install the new version of the package manager if you have access to the Dockerfile. Please note that the Docker image needs to be rebuilt if the Dockerfile is modified.
Additional Resources
You can find more information about Mend for Developers in the following documents:
Advanced Technical Information - information on the package managers included in the repository integrations
Mend for Developers - overview of our Mend for Developers offerings