Supported Scanner Matrix for Supply Chain Security Tools - Scan

This topic lists known limitations of the scanners provided for SCST - Scan. There might be more limitations that are not covered in the following table.

Grype

Workload type: .NET

Impact:

Observation:
Source scans for .NET workloads do not show any results in the Tanzu Application Platform GUI or the CLI.

If scanning a mono repository that includes additional types of packages, such as a front-end JavaScript package, source scans might still report vulnerabilities for those packages.

Reason:
Grype requires a ".deps.json" file to identify the dependencies of a .NET project. This file is generated when the project is compiled, which happens after the source scan step, so Grype source scans on .NET workloads might not report any vulnerabilities.

Review the upstream issue here.

Potential workarounds:

Grype image scans for .NET workloads function in most cases, because the image contains the compiled output and its ".deps.json" file.

If using an out-of-the-box Supply Chain with scanning, users can select one of the following options:

  1. Do nothing. The source scan might not report any vulnerabilities, but the image scan can.
  2. Edit the Supply Chain to use an alternative scanner that supports .NET for source scans.

Workload type: Java

Impact:

Observation:
Source scans for Java workloads do not show any results in the Tanzu Application Platform GUI or the CLI.

Reason:
For Java projects using Gradle, dependency lock files are not guaranteed to exist, so Grype relies on the dependencies present in built binaries such as `.jar` or `.war` files. Because VMware discourages committing binaries to source code repositories, those files are usually absent from the source tree, and Grype finds no vulnerabilities during a source scan.

Review the upstream issue here.

Potential workarounds:

Grype image scans for Java workloads function in most cases, because the image contains the built `.jar` or `.war` files.

If using an out-of-the-box Supply Chain with scanning, users can select one of the following options:

  1. Do nothing. The source scan might not report any vulnerabilities, but the image scan can.
  2. Edit the Supply Chain to use an alternative scanner that supports Java for source scans.
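The limitations above share one cause: a Grype source scan can only report findings when the source tree contains an artifact Grype's cataloger can read, and for .NET and Java that artifact is normally produced by the build, not committed. The following pre-flight check is an added example written for this page; it is not part of the Tanzu Application Platform or Grype. It walks a source tree and reports whether any such artifact is present, so an empty source scan can be recognized as "nothing to catalog" rather than "no vulnerabilities". The .NET (`*.deps.json`) and Java (`*.jar`, `*.war`) patterns come from the explanations above; treating `package-lock.json` and `yarn.lock` as the JavaScript artifacts is an assumption about Grype's JavaScript cataloger. The sample .NET trees are constructed by the script and are not real projects.

```shell
#!/bin/sh
# Added example, not from the TAP docs or the Grype project.
# Pre-flight check: can a Grype source scan of this tree produce findings at all?
# Grype needs a dependency manifest or built artifact it can catalog:
#   .NET -> *.deps.json   (emitted by the build, so usually absent before compilation)
#   Java -> *.jar, *.war  (binaries, normally not committed to source control)
#   JS   -> package-lock.json, yarn.lock  (assumption about Grype's JavaScript cataloger)

# Prints each catalogable pattern with the number of matches.
# Returns 0 if at least one artifact was found, 1 if the source scan would have nothing to read.
grype_source_readiness() {
    dir="$1"
    found=0
    for pattern in '*.deps.json' '*.jar' '*.war' 'package-lock.json' 'yarn.lock'; do
        n=$(find "$dir" -type f -name "$pattern" | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            echo "$pattern: $n"
            found=1
        fi
    done
    if [ "$found" -eq 1 ]; then
        return 0
    fi
    echo "no catalogable dependency artifacts under $dir; a Grype source scan will likely report nothing" >&2
    return 1
}

# Constructed sample: a .NET repository as it looks at the source scan step,
# before any build has run (sources and project file only).
make_uncompiled_dotnet_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/src/App"
    printf 'class Program { static void Main() {} }\n' > "$d/src/App/Program.cs"
    printf '<Project Sdk="Microsoft.NET.Sdk"></Project>\n' > "$d/src/App/App.csproj"
    echo "$d"
}

# Constructed sample: the same repository after a build has emitted App.deps.json,
# which is what the image scan sees inside the built container image.
make_compiled_dotnet_tree() {
    d=$(make_uncompiled_dotnet_tree)
    mkdir -p "$d/src/App/bin/Release/net8.0"
    printf '{"runtimeTarget":{},"targets":{},"libraries":{}}\n' \
        > "$d/src/App/bin/Release/net8.0/App.deps.json"
    echo "$d"
}

# Usage: grype_source_readiness /path/to/checkout
# Demonstration on the two constructed trees:
# grype_source_readiness "$(make_uncompiled_dotnet_tree)"   # returns 1, nothing to catalog
# grype_source_readiness "$(make_compiled_dotnet_tree)"     # returns 0, lists *.deps.json: 1
```

Run the check against the same commit the Supply Chain's source scan step will see. If it returns 1 for a .NET or Java workload, an empty source scan result is expected and the image scan is the step to rely on; if it returns 0 and the source scan is still empty, the cause lies elsewhere and is worth investigating.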