
Which code scanning solution is scanning MuleSoft?

BS
Application Security Manager at IDB Bank

2 Answers

Last answered Jul 11, 2023
SS
Principal Architect at ModusBox
User
Jul 11, 2023
Real User
Jul 20, 2023

So, regarding your question, it was at clientX that I had the chance to first see these two tools in action, at least partially, since we hadn't gone fully live during that project. Mend.io is something I even proposed we use here at newClient, since it does a Software Composition Analysis (SCA) and generates what's called an SBOM, Software Bill of Materials. It basically scans the pom.xml (before the package is built, not after) and generates a report with the dependencies and any known vulnerabilities, along with the CVE details/score and a proposed fix (if it exists). FOD can also be used for the same thing, and at clientX that was the intent, having it complement the first scan made by Mend.
As you described, there are these two concepts in the software security space, SCA and SAST. My feeling is that even though we can use the SCA capabilities of these tools (either Mend or FOD) for the SBOM generation, making sure we're not introducing a vulnerable component, for SAST (which is more focused on the code analysis) we're still very limited (mostly due to the nature of our Mule applications, totally XML-based). I've never seen anything for the proprietary DW language either. Here at newClient we do use SonarQube loaded with a variation of the mule-sonarqube-plugin that is implemented in our pipelines to also generate a report and interrupt the build process if anything critical (we use it mostly to enforce internal standards via XPath rules) is found. If you need any assistance let me know: steve.scott@apipeople.com - we are a Mule partner and expert, and work in the community bank/CU space on Fiserv, JHA, FIS etc.
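A constructed illustration of the XPath-rule gate described in the answer above: each rule selects candidate nodes of a Mule XML config, flags violations with a severity, and a CRITICAL hit fails the build. This is added example code, not the mule-sonarqube-plugin or anything from the poster; the rule ids, the two rules and the sample config are hypothetical.

```python
import xml.etree.ElementTree as ET

# Mule 4 core namespace, needed so "mule:flow" resolves in findall().
NS = {"mule": "http://www.mulesoft.org/schema/mule/core"}

# Constructed sample config: the DB connection carries a literal password
# instead of a ${...} property placeholder, and one flow has no error-handler.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:db="http://www.mulesoft.org/schema/mule/db">
  <db:config name="accounts-db">
    <db:generic-connection url="jdbc:h2:mem:test" user="app" password="changeme"/>
  </db:config>
  <flow name="get-accounts">
    <logger message="listing accounts"/>
    <error-handler><on-error-propagate/></error-handler>
  </flow>
  <flow name="ping">
    <logger message="pong"/>
  </flow>
</mule>
"""

def literal_secret(elem):
    # Violation unless the credential is externalised as a ${...} placeholder.
    return not elem.get("password", "").startswith("${")

def missing_error_handler(flow):
    return flow.find("mule:error-handler", NS) is None

# Hypothetical rules: (id, severity, XPath selecting candidates, predicate, message).
RULES = [
    ("MULE-SEC-001", "CRITICAL", ".//*[@password]", literal_secret,
     "credential attribute must be a ${...} property placeholder"),
    ("MULE-STD-010", "MAJOR", "./mule:flow", missing_error_handler,
     "every flow must declare an error-handler"),
]

def scan(config_xml):
    """Return one finding dict per rule hit, in rule then document order."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule_id, severity, xpath, violates, message in RULES:
        for elem in root.findall(xpath, NS):
            if violates(elem):
                tag = elem.tag.split("}")[-1]  # drop the namespace URI
                findings.append({"rule": rule_id, "severity": severity,
                                 "element": elem.get("name", tag), "message": message})
    return findings

def build_should_fail(findings):
    # Mirrors the "interrupt the build if anything critical is found" gate.
    return any(f["severity"] == "CRITICAL" for f in findings)
```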

Rohit Sircar - PeerSpot reviewer
Integration Solutions Lead | Digital Core Transformation Service Line at Hexaware Technologies Limited
Vendor
Jul 10, 2023
reviewer2560476 - PeerSpot reviewer
Director at INtegralzone
User
Sep 24, 2024

Please have a look at Falcon Suite (https://integralzone.com/falco...), a product built exclusively for MuleSoft project Governance, Auditing and Compliance. It addresses all of the above requirements and more.
