
Why SCA tools are not recommended for scanning Mendix apps

Introduction

This article explains why Software Composition Analysis (SCA) tools are not recommended as the primary means of identifying security vulnerabilities in Mendix applications. The model-driven parts of a Mendix app (microflows, pages, the domain model) are neither Java source nor conventional third-party dependencies, so SCA and static analysis tools cannot interpret them and tend to report findings that do not reflect real risk. The article also indicates which parts of a Mendix project such tools can assess reliably and which they cannot, so that scan results are interpreted correctly.

Environment

Applications hosted in any deployment type

Details

SCA remains useful for Mendix projects in general: the third-party Java libraries and custom Java code a project contains are ordinary Java artefacts that SCA and static analysis tools can assess. It is not effective for the low-code parts of the project. Excluding Mendix modules from SCA entirely is not recommended, because a module may ship custom Java code that should still be analysed. Model elements such as microflows, however, cannot be interpreted by static code analysis tools, and findings reported against them are largely false positives.

Static code analysis can be run on a Mendix project, but significant effort is then required to filter out these incorrect findings. For this reason, tools that understand Mendix low-code semantics, such as Mendix Quality & Security Management (QSM), are recommended instead.
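The filtering effort described above is largely a matter of scoping: keeping the findings that sit in the Java parts of the project and setting aside those reported against the model. The script below is an added example, not Mendix's code or any scanner's, and it assumes the usual Mendix project layout: third-party JARs under userlib/, custom Java actions under javasource/, the model inside the .mpr file, and a deployment/ directory that holds build copies of the same artefacts after a local run. The findings it processes are constructed sample data, not real scan output.

```python
"""Triage SCA / static-analysis findings from a Mendix project by location.

Added example, not code from Mendix or from any scanning tool. Assumes the
usual Mendix project layout: third-party JARs under userlib/, custom Java
actions under javasource/, the model (microflows, pages, domain model) inside
the .mpr file, and a deployment/ directory holding build copies of the same
artefacts. All findings below are constructed sample data.
"""
from pathlib import PurePosixPath

# Top-level directories holding ordinary Java artefacts that SCA (JARs) and
# static analysis (Java source) can assess reliably.
JAVA_DIRS = frozenset({"userlib", "javasource"})
# Model containers: scanners cannot interpret what is inside these.
MODEL_SUFFIXES = frozenset({".mpr", ".mpk"})
# Build output; findings here duplicate those against the source location.
BUILD_DIR = "deployment"


def classify_path(location: str) -> str:
    """Map a finding's file location to a triage bucket.

    Returns "java" (review), "model" (discard: not interpretable by the tool),
    "duplicate" (discard: build copy of a source artefact) or "other"
    (manual review, e.g. theme/ or resources/).
    """
    path = PurePosixPath(location.replace("\\", "/"))  # tolerate Windows paths
    parts = path.parts
    if not parts:
        return "other"
    if path.suffix.lower() in MODEL_SUFFIXES:
        return "model"
    if parts[0] == BUILD_DIR:
        return "duplicate"
    if parts[0] in JAVA_DIRS:
        return "java"
    return "other"


def triage(findings):
    """Group findings by bucket, tagging each with the scope it was given."""
    buckets = {"java": [], "model": [], "duplicate": [], "other": []}
    for finding in findings:
        scope = classify_path(finding["location"])
        buckets[scope].append({**finding, "scope": scope})
    return buckets


# Constructed sample findings; names and paths are illustrative only.
SAMPLE_FINDINGS = [
    {"id": "F-1", "component": "example-lib-1.0.jar",
     "location": "userlib/example-lib-1.0.jar"},
    {"id": "F-2", "component": "CustomAction.java",
     "location": "javasource\\mymodule\\actions\\CustomAction.java"},
    {"id": "F-3", "component": "App.mpr", "location": "./App.mpr"},
    {"id": "F-4", "component": "example-lib-1.0.jar",
     "location": "deployment/model/lib/userlib/example-lib-1.0.jar"},
    {"id": "F-5", "component": "package.json", "location": "theme/package.json"},
]


if __name__ == "__main__":
    for scope, items in triage(SAMPLE_FINDINGS).items():
        ids = ", ".join(f["id"] for f in items) or "-"
        print(f"{scope:10s} {ids}")
```

Only the "java" bucket is worth a security review; "model" findings are the false positives the article refers to, "duplicate" findings repeat a source-location finding against the build copy, and anything else needs a manual decision. Real scanner output will carry its own field names, so map its location field onto the `location` key before calling `triage`.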

Related internal information

  • 264927, 263703
  • G01EQTEP83G/p1763715360977009

Additional information

Mendix documentation: Security FAQ

