Overview

This topic describes Offline mode for Mend Prioritize, which enables you to analyze a project that is located in an environment not connected to the Internet.

This process comprises three systems:

  • An offline client system (not connected to the Internet)

  • An online client system (connected to the Internet and to the Mend application)

  • Mend SaaS (the Mend application itself, reachable over the Internet)

The following provides an outline of the process:

  Step #   Description

  1        (Offline) Establishing Project Component Dependencies: Leverage the Mend Unified Agent to establish project component dependencies and store them in a dedicated file

  2        (Online) Obtaining Project Reported Component Vulnerabilities: Request that Mend SaaS return the vulnerabilities reported for each of the libraries established in Step 1

  3        (Offline) Producing Project Prioritize Results: Leverage the Unified Agent to run Mend Prioritize on an offline system using the details obtained in Steps 1 and 2

  4        (Online) Uploading Project Prioritize Results: Submit the analysis results from an online system to Mend SaaS

Establishing Project Component Dependencies

This step is applicable to offline (client) systems. Do as follows:

Run the Unified Agent, specifying a designated offline mode setting (-euaOffline dep) instructing the Agent to do the following:

  1. Establish project component dependencies after running Mend Prioritize prerequisite checks.

  2. Generate a file with found dependencies.

Command

    java -jar <unified_agent.jar> -c <unified_agent_config> -d <project-folder> -euaOffline dep [-euaDep <euaDep_Path>]

Switch                  Description

-d                      The project folder to be scanned.

-euaOffline             The Prioritize offline mode. Supported modes include:
                          • dep (dependency, along with all pertinent Unified Agent details associated with an offline request)
                          • vul (vulnerability)
                          • res (analysis results)
                          • upl (upload)
                        In step 1, the following setting is employed:
                        -euaOffline dep (instructs the agent to run in euaOffline dep mode and generate a dependency file for later Mend Prioritize analysis)

-euaDep <euaDep_Path>   (Optional) Specifies the path and name of the dependency file (default: Unified Agent folder and euaDep.json)

Outcome

A JSON file (euaDep.json) with found dependencies (along with all relevant Unified Agent details associated with an offline request).

Messages

Success: "Offline EUA dependency listing was generated successfully. Number of found dependencies: x."

Error Messages

Use Case: Failure of unrecognized mode
Message:  "Offline EUA does not support the specified euaOffline mode"

Use Case: Failure of dep mode
Message:  "Offline EUA dependency listing could not be generated"

Obtaining Project Reported Component Vulnerabilities

This step is applicable to online (connected) systems. Do as follows:

Run the Unified Agent in euaOffline vul mode, specifying the path (<euaDep_Path>) to the JSON file created in Step 1, to do the following:

  1. Obtain reported component vulnerabilities.

  2. Produce a file with the found component vulnerabilities (default: euaVul.json).

  3. Capture, within the vulnerability file (default: euaVul.json), a unique value for the dependencies listed in the dependency file (default: euaDep.json); this value is inspected in Step 3 to verify that the dependency and vulnerability files referenced in that step match.

Command

    java -jar <unified_agent.jar> -euaOffline vul -euaDep <euaDep_Path> [-euaVul <euaVul_Path>] [-wss.url <url>]

Switch                  Description

-euaOffline             Denotes the EUA offline mode. Supported modes include:
                          • dep (dependency, along with all relevant Unified Agent details associated with an offline request)
                          • vul (vulnerability)
                          • res (analysis results)
                          • upl (upload)
                        In step 2, the following setting is employed:
                        -euaOffline vul (instructs the agent to run in euaOffline vul mode, obtain the reported vulnerabilities for the captured dependencies, and generate a vul file containing the vulnerabilities and a unique value calculated for the dependency listing)

-euaDep <euaDep_Path>   (Optional) Specifies the path and name of the dependency file

-euaVul <euaVul_Path>   (Optional) Specifies the output path and name of the vulnerability file (default: Unified Agent folder and euaVul.json)

-wss.url <url>          (Optional) Specifies the wss URL (NOTE: the value should be the same as the one referenced in the Unified Agent configuration file; see Step 1)

Outcome

A JSON file (euaVul.json) with found vulnerabilities and a unique value calculated for the dependency listing will be generated.

Messages

Success: "Offline EUA vulnerability listing was generated successfully."

Error Messages

Use Case: Failure of unrecognized mode
Message:  "Offline EUA does not support the specified euaOffline mode."

Use Case: Failure of vul mode
Message:  "Offline EUA vulnerability listing could not be generated."

Producing Project Prioritize Results

This step is applicable to offline (client) systems. Do as follows:

Run the Unified Agent, specifying the designated parameters (-euaOffline, -euaDep, -euaVul) that instruct the agent to:

  1. Calculate a unique value for the dependency listing obtained for the referenced project (based on the specified -appPath and -d parameters) and verify that the value matches:

    • The value calculated and captured for the dependencies JSON file (euaDep.json)

    • The value captured in the vulnerabilities JSON file (euaVul.json)

  2. Establish project vulnerability effectiveness after running Prioritize.

  3. Generate a file with the Mend Prioritize results.

Command

    java -jar <unified_agent.jar> -c <unified_agent_config> -appPath <app_path> -d <d_path> -euaOffline res [-euaDep <euaDep_Path>] [-euaVul <euaVul_Path>] [-euaRes <euaRes_Path>]

Switch                  Description

-euaOffline             The Prioritize offline mode. Supported modes include:
                          • dep (dependency)
                          • vul (vulnerability)
                          • res (analysis results)
                          • upl (upload)
                        In step 3, the following setting is employed:
                        -euaOffline res (instructs the agent to run in euaOffline res mode and generate a file with the analysis results)

-euaDep <euaDep_Path>   Specifies the path and name of the dependency file (default: Unified Agent folder and euaDep.json)

-euaVul <euaVul_Path>   Specifies the path and name of the vulnerability file (default: Unified Agent folder and euaVul.json)

-euaRes <euaRes_Path>   Specifies the output path and name of the results file (default: Unified Agent folder and euaRes.json)

Outcome

A JSON file (default: euaRes.json) with Prioritize analysis results.

Messages

Success: "Offline EUA analysis was completed successfully."

Error Messages

Use Case: Failure of comparison between the dependency file details and the dependencies obtained by running the command with the specified -d parameter
Message:  "Effective Usage Analysis will not run if the dependency listing in the specified dependency file path is not identical to the listing obtained by the UA for the specified -d parameter. Verify that the specified -d parameter and the dependency file path correspond to the same project."

Use Case: Failure of comparison among the SHA-1 value calculated for the project dependencies (based on the specified project's appPath and -d details), the SHA-1 captured for the dependencies JSON file, and the SHA-1 captured in the vulnerabilities JSON file
Message:  "Effective Usage Analysis will not run if the project's dependencies calculated based on the specified appPath and -d parameters are different from those referenced by the specified json files produced in previous steps. Verify that the correct project parameters and json files are referenced."

Use Case: Failure of unrecognized mode
Message:  "Offline EUA does not support the specified euaOffline mode."

Use Case: Failure of res mode
Message:  "Offline EUA analysis results could not be generated."
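The three-way comparison that guards Step 3, modelled as an added Python example (this is not the Unified Agent's own code; the JSON keys dependencies, sha1 and dependenciesSha1, the canonical-listing hash and the sample libraries are assumptions). It reproduces both failure cases from the table above, including the common one where a euaVul.json produced from an earlier dependency listing is carried across the air gap by mistake.

```python
# Added example (not Mend's code): models the Step 3 consistency check that
# guards -euaOffline res. The JSON layout of euaDep.json / euaVul.json used
# here is an ASSUMPTION for illustration; the Unified Agent's real format and
# its exact SHA-1 construction are not documented on this page.
import hashlib
import json


def canonical_listing(deps):
    """Sort and strip whitespace so the same set of libraries always hashes alike."""
    ordered = sorted(deps, key=lambda d: (d["name"], d["version"]))
    return json.dumps(ordered, sort_keys=True, separators=(",", ":"))


def dependency_sha1(deps):
    """SHA-1 over the canonical listing; stands in for the agent's 'unique value'."""
    return hashlib.sha1(canonical_listing(deps).encode("utf-8")).hexdigest()


def verify_offline_inputs(scanned_deps, dep_file, vul_file):
    """Return (ok, reason) for the two failure cases listed under Step 3.

    scanned_deps: listing the agent just derived from -appPath / -d
    dep_file:     parsed euaDep.json (Step 1); assumed keys: dependencies, sha1
    vul_file:     parsed euaVul.json (Step 2); assumed key: dependenciesSha1
    """
    # Case 1: the dependency file must describe the same project as -d.
    if canonical_listing(dep_file["dependencies"]) != canonical_listing(scanned_deps):
        return False, "dependency file does not match the listing obtained for -d"
    # Case 2: the live SHA-1, the dep-file SHA-1 and the vul-file SHA-1 must all
    # agree; otherwise the vulnerabilities fetched in Step 2 belong to a different
    # listing and the Prioritize results would be computed against stale data.
    live = dependency_sha1(scanned_deps)
    if not (live == dep_file["sha1"] == vul_file["dependenciesSha1"]):
        return False, "SHA-1 mismatch among scan, euaDep.json and euaVul.json"
    return True, "ok"


# Constructed sample data (not real scan output).
SCANNED = [{"name": "libA", "version": "1.0.0"}, {"name": "libB", "version": "2.3.1"}]
DEP_FILE = {"dependencies": SCANNED, "sha1": dependency_sha1(SCANNED)}
VUL_FILE = {"dependenciesSha1": DEP_FILE["sha1"], "vulnerabilities": ["<vuln-id>"]}
# A euaVul.json produced from an earlier listing (libB was 2.2.0 back then).
OLD = [{"name": "libA", "version": "1.0.0"}, {"name": "libB", "version": "2.2.0"}]
STALE_VUL_FILE = {"dependenciesSha1": dependency_sha1(OLD), "vulnerabilities": ["<vuln-id>"]}

if __name__ == "__main__":
    print(verify_offline_inputs(SCANNED, DEP_FILE, VUL_FILE))
    print(verify_offline_inputs(SCANNED, DEP_FILE, STALE_VUL_FILE))
```

Running the same check on the online side before copying euaVul.json back to the offline system catches a stale or mismatched file early, rather than after the offline analysis has been attempted.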

Uploading Project Prioritize Results

This step is applicable to online (connected) systems. Do as follows:

Run the Unified Agent, specifying the designated parameters that instruct the Agent to upload the project Prioritize analysis results.

Command

    java -jar <unified_agent.jar> -euaOffline upl [-euaRes <euaRes_Path>] [-wss.url <url>]

Switch                  Description

-euaOffline             Denotes the EUA offline mode. Supported modes include:
                          • dep (dependency)
                          • vul (vulnerability)
                          • res (analysis results)
                          • upl (upload)
                        In step 4, the following setting is employed:
                        -euaOffline upl (instructs the agent to run in euaOffline upl mode and upload the res file with the analysis results)

-euaRes <euaRes_Path>   Specifies the path and name of the results file to upload (default: Unified Agent folder and euaRes.json)

-wss.url <url>          (Optional) Specifies the wss URL (NOTE: the value should be the same as the one referenced in the Unified Agent configuration file; see Steps 1 and 3)

Outcome

Not applicable; the results can be seen on the web application's dashboard.

Messages

Success: "Offline EUA analysis was uploaded successfully."

Error Messages

Use Case: Failure of unrecognized mode
Message:  "Offline EUA does not support the specified euaOffline mode"

Use Case: Failure of upl mode

This page is available at: https://docs.mend.io/bundle/sca_user_guide/page/scanning_with_offline_mode.html