2023-07-07T15:28:00Z

Which code scanning solution is scanning MuleSoft?

BS
  • 4
  • 140
PeerSpot user
2

2 Answers

SS
User
2023-07-11T20:00:00Z
Jul 11, 2023
Real User
Jul 20, 2023

So, regarding your question, it was at clientX that I had the chance to first see these two tools into action, at least partially since we haven't gone fully live during that project. Mend.io is something I even proposed us to use here at newClient, since it does a Software Composition Analysis (SCA) and generates what's called a SBOM, Software Bill of Materials. It basically scans the pom.xml (before the package is built, not after) and generates a report with the dependencies and any known vulnerabilities, along with the CVE details/score, along with a proposed fix (if it exists). FOD can also be used for the same thing, and at clientX that was the intent, having it complementing the first scan made by mend.
As you described, there are these two concepts in the software security space, SCA and SAST. My feeling is that even though we can use the SCA capabilities of these tools (either Mend or FOD) for the SBOM generation, making sure we're not introducing a vulnerable component, for SAST (which is more focused on the code analysis) we're still very limited (mostly due to the nature of our Mule applications, totally XML based). I've never seen anything for the proprietary DW language either. Here at newClient we do use SonarQube loaded with a variation of the mule-sonarqube-plugin that is implemented in our pipelines to also generate a report and interrupt the build process if anything critical (we use it mostly to enforce internal standards via xpath rules) is found. If you need any assistance let me know steve.scott@apipeople.com - we are a Mule partner, expert and work in community bank/cu space on Fiserv, JHA, FIS etc.

PeerSpot user
Search for a product comparison
Rohit Sircar - PeerSpot reviewer
Real User
Top 5Leaderboard
2023-07-10T18:13:24Z
Jul 10, 2023
SS
User
Aug 3, 2023

This tool is also known to work : https://fossa.com/

PeerSpot user
Learn what your peers think about MuleSoft Anypoint API Manager. Get advice and tips from experienced pros sharing their opinions. Updated: June 2024.
791,948 professionals have used our research since 2012.
Mulesoft Anypoint API Manager is the portion of the Anypoint Platform that is used for the designing, building, managing, and publishing of APIs. Anypoint Platform uses Mule as its core runtime engine. Mulesoft Anypoint API Manager is an extremely versatile solution. It offers users the ability to deploy their APIs in a number of different settings. You can use API Manager on a public cloud, a private cloud, or a hybrid. Additionally, users can use the solution to manage their deployments...
Download MuleSoft Anypoint API Manager ReportRead more