You got yourself a free trial! Now what?

You got yourself a free trial from MergeBase; you’ve confirmed your account and are now in your dashboard. Now what?

Well, that’s a good question. There are two aspects to wrap your head around regarding the MergeBase system:

  1. Understanding the dashboard
  2. Understanding how to scan your applications and get the results into the dashboard

This blog post will concentrate on getting that first scan successfully completed; then, we’ll look at the dashboard in detail in the next post.

Free Trial: First steps

The first thing to conquer is checking whether you have Java installed and, if not, installing it. Baeldung has a good page on checking whether Java is installed, and another on how to install it.

Also, note that the project you scan has to have been built first. For example, a Node project needs its node_modules folder, a C project needs its binaries built, and so on.

Now that your environment is MergeBase scanner-friendly, it is time to take it out for a spin. You will find your personal scanner on your dashboard (the URL was sent to you in the free trial welcome email).

In the top right corner, you will see a folder icon with “Add Application” next to it. We will look at the “Add from CLT” option.

Free Trial: Working with the Command Line Tool

From this modal, just click on “Command Line Tool”, and a scanner will download. I would recommend moving the file (called mergebase.jar) to a more permanent spot in your folder structure. I have mine in my Sites folder personally, but you might want to save it on your Desktop in order to find it easily.

Now, take note of where you saved it, as you will need its path as a parameter for scanning. The standard command to start a scan is:

java -jar <pathToMBJar> --name=<appName> <fileToScan> <additional_flags>

To list all the flags you can use with the tool, run:

java -jar <pathToMBJar> --help

An example of the above is the command I use:

java -jar /Users/valeriewyns/Sites/mergebase.jar --name=test-scan pom.xml

  • /Users/valeriewyns/Sites/mergebase.jar is the path to where I saved my downloaded MergeBase jar.

  • --name=test-scan is the name that will show up in my dashboard with the results of the scan.

  • pom.xml is the path to the dependency file you want to scan. If you want to scan every dependency file in a folder, input a . (period) instead of the file name and add the --all flag. This tells the scanner to walk down the folder tree and scan everything it can find.

In order not to get too bogged down in figuring out paths, I usually just cd to the project I want to scan from my terminal, or scan from my project’s IntelliJ terminal.

Actually, that’s a lie. I cheat in the following way, as I can never remember the command: I stick it in my .zprofile (yes, I am a Mac user) as a function.

function mScan() {
        # $1 = application name shown in the dashboard, $2 = file or folder to scan,
        # $3 = optional extra flag (e.g. --all)
        if [[ $# -lt 2 ]]; then
                echo "At least 2 arguments are needed: project name & project file to scan"
                return 1
        fi

        # Quote the arguments so names/paths with spaces survive; pass $3 only when given
        java -jar /Users/valeriewyns/Sites/MergeBase/mergebase.jar --name="$1" "$2" ${3:+"$3"}
}

The third parameter here ($3) allows you to add an optional flag like --all or --help.

Now I can just run mScan exampleProject pom.xml to scan a single file, or mScan exampleProject . --all to scan a whole folder of dependency files.
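Putting the prerequisites from earlier (Java installed, project built) together with the mScan idea, here is an added example of a scan wrapper with pre-flight checks. It is not MergeBase’s own code; the jar location MB_JAR and the build-output folder names it looks for are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not MergeBase's own code: pre-flight checks before a CLT scan.
# The post's two prerequisites (Java installed, project already built) are
# verified first, so an unbuilt tree is not scanned and reported as clean.
# MB_JAR is an assumed location; override it to wherever you saved the jar.
MB_JAR="${MB_JAR:-$HOME/mergebase.jar}"

# 0 if the project directory holds build output the scanner can read, else 1.
# Heuristics follow the post: node_modules for Node projects, target/ or
# build/ for Maven/Gradle/C-style builds. Extend the list for your toolchain.
mb_project_built() {
  local dir="$1" marker
  for marker in node_modules target build; do
    [ -d "$dir/$marker" ] && return 0
  done
  return 1
}

# 0 if a java launcher is on PATH, else 1.
mb_java_available() {
  command -v java >/dev/null 2>&1
}

# Prints the exact command that mb_scan would run, for review before scanning.
# A "." target means "every dependency file under here", so --all is added.
mb_scan_command() {
  local name="$1" target="$2"
  if [ "$target" = "." ]; then
    printf 'java -jar %s --name=%s . --all\n' "$MB_JAR" "$name"
  else
    printf 'java -jar %s --name=%s %s\n' "$MB_JAR" "$name" "$target"
  fi
}

# Usage: mb_scan <appName> <fileToScan|.>   (run from the project root)
# Each missing prerequisite fails loudly with its own exit code instead of
# letting a misleadingly empty result reach the dashboard.
mb_scan() {
  local name="$1" target="$2" extra=""
  [ $# -ge 2 ] || { echo "usage: mb_scan <appName> <fileToScan|.>" >&2; return 1; }
  mb_java_available || { echo "java not found on PATH; install a JDK first" >&2; return 2; }
  [ -f "$MB_JAR" ] || { echo "mergebase.jar not found at $MB_JAR" >&2; return 2; }
  mb_project_built "$(dirname -- "$target")" ||
    { echo "no build output next to $target; build the project first" >&2; return 3; }
  [ "$target" = "." ] && extra="--all"
  java -jar "$MB_JAR" --name="$name" "$target" ${extra:+"$extra"}
}
```

Source the file from your .zprofile (or .bashrc) and call mb_scan exampleProject pom.xml or mb_scan exampleProject . exactly as you would mScan.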

Then, in my IntelliJ IDE, I open a scan tab.

By this, I mean a terminal dedicated to running the scan. Most of the time, you only really need to run a scan when you add a new dependency or when you have not run one in a while (a couple of weeks or so). This way, all you need to do is press the up-arrow key to get the proper command back.

In fact, as an aside, I have a separate terminal for each type of command: one for Maven commands (e.g. mvn clean install), one for git commands (e.g. git status), and one for my SCA (e.g. mScan benchmark pom.xml). Laziness is the queen of this household!

The important thing to note when trying to see if MergeBase is your bae is to ensure that the project you are scanning actually has vulnerabilities. I say this because I know quite well that scanning a well-maintained or brand-new project will report 0 vulnerabilities.

And so you figure the tool is of no use. It’s kind of like paying to go to the doctor and then finding out nothing is wrong with you: kind of disappointing, even though it is ultimately good news.

This “issue” has two solutions:

1. Find a previous version of your project and revert to it in another branch:

  • git checkout -b mbTestBranch

  • git log (to find the SHA of an old commit; the older, the better)

  • git reset --hard <sha>

2. Find an old project of yours to scan. The only requirement is that the project builds and has a good level of complexity. It’s also a nice walk down memory lane to see what, and how, you used to build.

And that’s it! You are now a MergeBase CLT expert.

Check out my previous post on integrations if you would like to learn how to integrate MergeBase into your pipeline, or access our user manual to find more information about our integrations.

Need more help? Book a meeting with our team.

About the Author

Valerie Wyns

The accuracy engineer for MergeBase