What is Mend?
GÉANT projects need to be aligned with their own IPR policies and also with the general GÉANT IPR policy guidelines, which are currently being worked on. Projects use libraries whose use is subject to the licence terms defined by the authors or IPR holders of those libraries, and all of these licences must be mutually compatible. Mend, as a platform for managing the security and licence compliance of software, helps in checking this compatibility. It can support the process of managing and approving the components that are used. It integrates into all phases of the software development life cycle and enables real-time monitoring and alerts, so that problems can be solved in time.
How does Mend work?
Mend scans directories to find software components, identifies vulnerable libraries and licensing conflicts or risks, and then displays the results in the Mend web application, without actually scanning the source code. By default, it checks the digital signatures of the components that are used against the Mend database to detect all open-source or commercial components in the product. Mend is therefore a platform that allows users to connect to a given GÉANT product (without having to review the code) and check the compliance of the product with a predefined IPR policy. The verification is performed by 'scanning' the project, which makes it possible to produce overview reports on compliance.
Scans of the organisation's products can be found in the Mend application; the scan of each scanned product is displayed on the corresponding product page. The product page shows detailed information about a specific product and features a variety of dashboard options, providing a rich and varied view of the organisation's open-source status. It shows summary information about a specific product and all the contained projects and libraries that are used by it. The Product page is the result of a scan for a GÉANT product (from one integral UA product scan or several per-project scans).
Mend can analyse projects in several ways. The provided code may be locally stored and the Mend scan can be triggered manually at any time when the developer team is interested in the results of a recent code change. The details are in Adding project to Mend (Scan Flow).
The standard way, however, is the integration of the Mend scan in a Continuous Integration (CI) pipeline that triggers the scan automatically on each commit in host repositories such as GitLab and Bitbucket (including GÉANT GitLab and Bitbucket). GÉANT used Bamboo as the CI/CD software between the host repository and Mend (details in Automated Mend scans with Bamboo).
What does Mend provide?
The web-based GUI provides numerous options and panels for viewing and analysing the scans of open-source software in an organisation's products and projects. Administrators can customise the system settings, manage additional users and their permissions, and configure the integration with third-party components.
The information shown on the dashboards is as follows:
- Product Alerts – shows valuable information about the actual library (component) alerts generated for a product. The New Versions category shows the number of alerts triggered for scanned libraries that were found to be out of date (i.e., not at the latest version). Whenever an out-of-date library is located in the inventory, a new alert is generated and displayed in the Alerts report. The alert shows the out-of-date library and indicates the new version.
- Security and Quality – shows the number of libraries that include vulnerabilities, sorted by severity, the score of their most vulnerable library, the number of libraries that have newer versions and include vulnerabilities, and the number of 'buggy' libraries.
- Libraries – shows detailed information about the product libraries (components): library name, library licence, and per-product or per-project library occurrences.
- Licence Analysis – provides licence distribution data, in which the user can see the licences of product or project components. This dashboard displays the number of different licence types.
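To make the signature-based identification described under "How does Mend work?" and the alert categories above concrete, here is an added, simplified model (not Mend's own code or database) that fingerprints constructed artifact files, looks them up in a constructed component database, and derives New Versions, Security, and Licence Analysis results against a constructed IPR policy.

```python
import hashlib
from collections import Counter

# Constructed artifacts standing in for files found when a project directory is scanned.
# Only the content fingerprint is used for identification; the source is never read.
SCANNED_FILES = {
    "lib/example-logger-1.2.0.jar": b"constructed bytes for example-logger 1.2.0",
    "lib/example-json-3.0.1.jar": b"constructed bytes for example-json 3.0.1",
    "lib/example-unknown-0.9.jar": b"constructed bytes with no database entry",
}

def sha1(data: bytes) -> str:
    # SHA-1 serves here only as a content fingerprint for lookup, not as a security control.
    return hashlib.sha1(data).hexdigest()

# Constructed component database keyed by artifact signature (a stand-in for Mend's database).
COMPONENT_DB = {
    sha1(SCANNED_FILES["lib/example-logger-1.2.0.jar"]): {
        "name": "example-logger", "version": "1.2.0", "latest": "1.4.2",
        "licence": "GPL-3.0", "vulnerabilities": [("CONSTRUCTED-0001", 9.8)]},
    sha1(SCANNED_FILES["lib/example-json-3.0.1.jar"]): {
        "name": "example-json", "version": "3.0.1", "latest": "3.0.1",
        "licence": "MIT", "vulnerabilities": []},
}

# Constructed IPR policy: licences a project is allowed to ship with.
POLICY_ALLOWED_LICENCES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

def scan(files, db, allowed):
    """Identify components by signature and derive dashboard-style findings."""
    report = {"new_versions": [], "security": [], "licence_violations": [],
              "unidentified": [], "licence_distribution": Counter()}
    for path, content in files.items():
        comp = db.get(sha1(content))
        if comp is None:  # no signature match: surface it rather than silently dropping it
            report["unidentified"].append(path)
            continue
        report["licence_distribution"][comp["licence"]] += 1
        if comp["version"] != comp["latest"]:  # New Versions alert
            report["new_versions"].append((comp["name"], comp["version"], comp["latest"]))
        for vuln_id, score in comp["vulnerabilities"]:  # Security and Quality
            report["security"].append((comp["name"], vuln_id, score))
        if comp["licence"] not in allowed:  # Licence Analysis against the policy
            report["licence_violations"].append((comp["name"], comp["licence"]))
    return report

if __name__ == "__main__":
    for key, value in scan(SCANNED_FILES, COMPONENT_DB, POLICY_ALLOWED_LICENCES).items():
        print(f"{key}: {value}")
```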
Mend provides open-source licence information about licence type, copyrights, dealing with patents and royalties, linking, and open-software compliance.
Mend has also conducted an in-house analysis of many of the main licence types and provided risk scores to help developers determine what risks and factors they should keep in mind when deciding which licence they should use. The Mend scan service can provide GÉANT project teams with tracking of IPR compliance to help them make their code compatible with IPR policies. Mend provides full visibility and control over the risks associated with open source and licence (non-)compliance.