2023-07-07T15:28:00Z

Which code scanning solution is scanning MuleSoft?

BS

2 Answers

SS (Real User)
2023-07-11T20:00:00Z
Jul 20, 2023

So, regarding your question, it was at clientX that I had the chance to first see these two tools in action, at least partially, since we hadn't gone fully live during that project. Mend.io is something I even proposed we use here at newClient, since it does a Software Composition Analysis (SCA) and generates what's called an SBOM, Software Bill of Materials. It basically scans the pom.xml (before the package is built, not after) and generates a report with the dependencies and any known vulnerabilities, along with the CVE details/score and a proposed fix (if it exists). FOD can also be used for the same thing, and at clientX that was the intent, having it complement the first scan made by Mend.
As you described, there are these two concepts in the software security space, SCA and SAST. My feeling is that even though we can use the SCA capabilities of these tools (either Mend or FOD) for the SBOM generation, making sure we're not introducing a vulnerable component, for SAST (which is more focused on the code analysis) we're still very limited (mostly due to the nature of our Mule applications, totally XML based). I've never seen anything for the proprietary DW language either. Here at newClient we do use SonarQube loaded with a variation of the mule-sonarqube-plugin that is implemented in our pipelines to also generate a report and interrupt the build process if anything critical (we use it mostly to enforce internal standards via XPath rules) is found. If you need any assistance let me know: steve.scott@apipeople.com. We are a Mule partner and expert, and work in the community bank/CU space on Fiserv, JHA, FIS, etc.

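An added illustration of the two checks described in the answer above; this is not code from the thread, from Mend.io, Fortify on Demand or the mule-sonarqube-plugin. It is a small Python build gate that reads dependencies from a pom.xml and matches them against an advisory table (the SCA step), then runs XPath-style rules over a Mule XML configuration and interrupts the build when anything critical is found (the SAST step). The pom.xml, the Mule config, the advisory table with its placeholder CVE id, and the two rules are all constructed for this example; real tools consult a maintained vulnerability database, and the rules merely stand in for whatever internal standards a team chooses to encode.

```python
"""Build-gate sketch: SCA over pom.xml plus XPath-style rules over Mule XML.

Added example, not from the PeerSpot thread or any vendor tool. Every input
below is constructed inline so the script runs offline.
"""
import re
import sys
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
MULE_NS = {"mule": "http://www.mulesoft.org/schema/mule/core",
           "db": "http://www.mulesoft.org/schema/mule/db"}

# Constructed pom.xml fragment: what an SCA tool reads before the package is built.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>json-lib</artifactId><version>1.2.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>http-util</artifactId><version>3.1.4</version></dependency>
  </dependencies>
</project>"""

# Constructed advisory table standing in for a vendor vulnerability database.
# The identifier is a placeholder, not a real CVE.
ADVISORIES = {
    ("org.example", "json-lib"): [
        {"id": "CVE-XXXX-PLACEHOLDER", "affected_below": (1, 3, 0), "cvss": 9.8, "fix": "1.3.0"},
    ],
}

# Constructed, simplified Mule 4 configuration with one compliant and one
# non-compliant database connection and a DEBUG logger.
MULE_XML = """<mule xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:db="http://www.mulesoft.org/schema/mule/db">
  <db:config name="db-ok">
    <db:my-sql-connection host="${db.host}" user="${db.user}" password="${db.password}"/>
  </db:config>
  <db:config name="db-bad">
    <db:my-sql-connection host="db.internal" user="app" password="hunter2"/>
  </db:config>
  <flow name="getOrders">
    <logger level="DEBUG" message="#[payload]"/>
  </flow>
</mule>"""

# Hypothetical internal standards expressed as ElementTree-subset XPath plus a
# Python predicate for what XPath alone cannot express here.
MULE_RULES = [
    {"key": "hardcoded-db-password", "severity": "CRITICAL",
     "xpath": ".//db:my-sql-connection[@password]",
     "check": lambda el: not el.get("password").startswith("${")},
    {"key": "debug-logger", "severity": "MINOR",
     "xpath": ".//mule:logger[@level='DEBUG']",
     "check": lambda el: True},
]


def parse_version(v):
    """Numeric-prefix comparison; qualifiers such as -SNAPSHOT are ignored (simplification)."""
    return tuple(int(re.match(r"\d+", p).group()) for p in v.split("-")[0].split("."))


def sca_findings(pom_xml):
    """Return (coordinate, advisory) pairs for dependencies matching an advisory."""
    root = ET.fromstring(pom_xml)
    findings = []
    for dep in root.findall(".//m:dependency", POM_NS):
        g = dep.findtext("m:groupId", namespaces=POM_NS)
        a = dep.findtext("m:artifactId", namespaces=POM_NS)
        v = dep.findtext("m:version", namespaces=POM_NS)
        for adv in ADVISORIES.get((g, a), []):
            if parse_version(v) < adv["affected_below"]:
                findings.append((f"{g}:{a}:{v}", adv))
    return findings


def _where(el, parents):
    """Locate a finding by the nearest enclosing element that carries a name."""
    node = el
    while node is not None and node.get("name") is None:
        node = parents.get(node)
    local = el.tag.split("}")[-1]
    return f"{local} in '{node.get('name')}'" if node is not None else local


def sast_findings(mule_xml):
    """Return (rule key, severity, location) for every rule hit in the Mule config."""
    root = ET.fromstring(mule_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for rule in MULE_RULES:
        for el in root.findall(rule["xpath"], MULE_NS):
            if rule["check"](el):
                findings.append((rule["key"], rule["severity"], _where(el, parents)))
    return findings


def build_gate(pom_xml, mule_xml, cvss_critical=7.0):
    """Return (passed, report_lines); the gate fails on any CRITICAL finding."""
    report, critical = [], 0
    for coord, adv in sca_findings(pom_xml):
        sev = "CRITICAL" if adv["cvss"] >= cvss_critical else "MAJOR"
        critical += 1 if sev == "CRITICAL" else 0
        report.append(f"SCA  {sev:8} {coord}  {adv['id']} cvss={adv['cvss']} fix={adv['fix']}")
    for key, sev, where in sast_findings(mule_xml):
        critical += 1 if sev == "CRITICAL" else 0
        report.append(f"SAST {sev:8} {key} at {where}")
    return critical == 0, report


if __name__ == "__main__":
    passed, lines = build_gate(POM_XML, MULE_XML)
    print("\n".join(lines))
    sys.exit(0 if passed else 1)
```

Run as a script it prints three findings and exits non-zero, which is the "interrupt the build" behaviour the answer describes; a CI step would simply chain on the exit code. The XPath subset accepted by ElementTree is deliberately small, so anything beyond attribute equality goes into the rule's Python predicate.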
Rohit Sircar, PeerSpot reviewer (Real User, Top 5 Leaderboard)
2023-07-10T18:13:24Z
SS
Aug 3, 2023

This tool is also known to work: https://fossa.com/
