You can run endorctl scan on binaries and artifacts without access to the source code or the build system. Scan pre-built, bundled, or downloaded Java and Python packages on your local system by pointing endorctl scan at the file path of the artifact or binary package.
Endor Labs scans the specified package and produces the scan artifacts you need to assess it: the resolved direct and transitive dependencies and call graphs for reachability analysis. These give you insight into the security and reliability of the software components you ship.
Java: You can scan JAR, WAR, and EAR package file formats built with Maven or Gradle that contain a pom.xml configuration file. To scan packages without a pom.xml configuration, see Scan Java packages without pom.xml.
Python: You can scan EGG (tar.gz) and Wheel (.whl) package file formats.
System specifications for deep scan
Before you run a deep scan, ensure that your system meets the following specifications.
Project Size | Processor | Memory |
---|---|---|
Small projects | 4-core processor | 16 GB |
Mid-size projects | 8-core processor | 32 GB |
Large projects | 16-core processor | 64 GB |
Software prerequisites
If you use a private registry and have internal dependencies on other projects, you must configure the private registries for your Python and Java projects. See Configure package manager integrations for more information.
Understand the scan arguments
Use --package as the argument that tells endorctl scan to scan an artifact or binary package. You must provide the path of your file with --path and specify a name for your project with --project-name.
endorctl scan --package --path=<<specify-the-path-of-your-file>> --project-name=<<specify-a-name-for-the-project>>
Run the scan
Use one of the following options to scan your packages.
Option 1 - Quick scan
Perform a quick scan of the local packages to get fast visibility into your software composition. A quick scan does not perform reachability analysis, so it cannot tell you which vulnerabilities are reachable; use the deep scan for that prioritization.
Syntax:
endorctl scan --quick-scan --package --path=<<specify-the-path-of-your-file>> --project-name=<<specify-a-name-for-the-project>>
Example:
endorctl scan --quick-scan --package --path=/Users/username/packages/logback-classic-1.4.10.jar --project-name=package-scan-for-java
Option 2 - Deep scan
Use the deep scan to perform dependency resolution and reachability analysis and to generate call graphs. Run it after the quick scan has completed successfully.
Syntax:
endorctl scan --package --path=<<specify-the-path-of-your-file>> --project-name=<<specify-a-name-for-the-project>>
Example:
endorctl scan --package --path=/Users/username/packages/logback-classic-1.4.10.jar --project-name=java-package-scan
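The quick-then-deep procedure above, as a small wrapper script that scans every supported artifact in a directory. This is an added example and is not part of the Endor Labs documentation or of endorctl itself: it only composes the endorctl scan invocations shown on this page. The ENDORCTL and DRY_RUN variables, the scan_artifacts.sh file name, and the package-scan-<file> project naming convention are this script's own assumptions, not endorctl features.

```shell
#!/bin/sh
# scan_artifacts.sh: run "endorctl scan --package" over a directory of pre-built
# artifacts, quick scan first and deep scan only if the quick scan succeeded.
# Added example for this page, not an Endor Labs script. Assumptions that are
# not endorctl features: the ENDORCTL variable (path to the binary), DRY_RUN=1
# (print the command instead of running it), and the "package-scan-<file>"
# project naming convention.
set -eu

ENDORCTL="${ENDORCTL:-endorctl}"

# Succeeds when the file has one of the package formats listed on this page.
is_supported_artifact() {
  case "$1" in
    *.jar|*.war|*.ear|*.whl|*.tar.gz) return 0 ;;
    *) return 1 ;;
  esac
}

# Derive a project name from the artifact file name (assumed convention):
# logback-classic-1.4.10.jar -> package-scan-logback-classic-1.4.10
project_name_for() {
  name=$(basename "$1")
  case "$name" in
    *.tar.gz) name=${name%.tar.gz} ;;
    *)        name=${name%.*} ;;
  esac
  printf 'package-scan-%s\n' "$name"
}

# scan_package quick|deep PATH PROJECT
# Validates the input, then builds the argument list without eval so that paths
# containing spaces are passed through to endorctl unchanged.
scan_package() {
  mode=$1; path=$2; project=$3
  [ -f "$path" ] || { echo "not a regular file: $path" >&2; return 1; }
  is_supported_artifact "$path" || { echo "unsupported artifact type: $path" >&2; return 1; }
  case "$mode" in
    quick) set -- scan --quick-scan ;;
    deep)  set -- scan ;;
    *) echo "mode must be quick or deep, got: $mode" >&2; return 2 ;;
  esac
  set -- "$@" --package "--path=$path" "--project-name=$project"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    # Preview mode: print the exact command line instead of running it.
    printf '%s' "$ENDORCTL"; printf ' %s' "$@"; printf '\n'
  else
    "$ENDORCTL" "$@"
  fi
}

# Scan every supported artifact in DIR. The deep scan (dependency resolution,
# reachability, call graphs) runs only after the quick scan completes cleanly,
# matching the order described above; unsupported files are skipped.
scan_dir() {
  dir=$1
  for f in "$dir"/*; do
    [ -f "$f" ] && is_supported_artifact "$f" || continue
    project=$(project_name_for "$f")
    if scan_package quick "$f" "$project"; then
      scan_package deep "$f" "$project"
    else
      echo "quick scan failed for $f; skipping deep scan" >&2
    fi
  done
}

# Usage: sh scan_artifacts.sh /path/to/packages   (DRY_RUN=1 to preview)
[ "$#" -eq 0 ] || scan_dir "$1"
```

Run with DRY_RUN=1 first to confirm the paths and project names before a deep scan ties up a 16-core machine for a large artifact. Checking the file extension locally before invoking endorctl is cheap and avoids a failed remote scan for files the page does not list as supported.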
View results
Sign in to the Endor Labs user interface, click Projects in the left sidebar, and find your project by the name you entered to review its results.
To list only the projects created by package scans, filter Projects with the parameter Project Platform Source matches PLATFORM_SOURCE_BINARY.