Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

What is

...

Mend?

GÉANT projects GÉANT projects need to be aligned with their own IPR policies , but also with the general GÉANT IPR policy guidelines, which are currently being worked on. Projects use libraries whose use is subject to license licence definitions by the authors or IPR holders of those libraries, and all licenses licences must be mutually compatible.  WhiteSourceMend, as a platform for managing the security and compliance of software licenseslicences, helps in checking this compatibility. It can support the process of managing and approving the used components. It integrates into all phases of the software development life cycle and enables real-time monitoring and alerts to solve problems in a timely manneron time.

How

...

does Mend work?

Mend

...

WhiteSource scans directories to find software components and then identify , identifies vulnerable libraries and licensing conflicts or risks and then displays the results in the WhiteSource the Mend web application , without without actually scanning the source code.  By By default, it checks the digital signatures of used components in the WhiteSource Mend database to detect all open-source or commercial components in the product. WhiteSource Mend is a platform that allows users to connect to a given GÉANT given GÉANT product (without having to review the code) and to check the compliance of the product with a predefined IPR policy. The verification is performed by 'scanning' the project, which enables the production of the overview reports on compliance.

Scans of the organizationorganisation's products can be found in the WhiteSource Mend application. A scan of each scanned product is displayed on the corresponding product page. The product page The product page shows detailed information about a specific product and features a variety of dashboard options, providing a rich and varied view of the organizationorganisation's open-source status. The Product page Product page shows summary information about a specific product and all contained projects and libraries that are used by themit. The Product The Product page is the result of a scan for a scan for a GÉANT GÉANT product (from one integral UA product scan or several per-project scans).

WhiteSource Mend can analyze analyse projects in several ways:

...

. The provided

...

code may be

...

locally stored

...

and the Mend scan can be triggered manually at any time when the developer team is interested in the results of a recent code change. The details are in Adding project to

...

Mend (Scan Flow)

...

.

The standard way, however, is the integration of the Mend scan in a Continuous Integration (CI) pipeline that triggers the scan automatically on each commit in the host repositories such as GitLab and Bitbucket (including GÉA​NT Gitlab and Bitbucket). GÉANT used Bamboo as the CI/CD software in between the host repository and Mend (details in Automated Mend

...

scans with Bamboo). 

What

...

does Mend provide?

The Webweb-based GUI provides numerous options and panels to view and analyze analyse the scans of open-source software in an organizationorganisation's products and projects. Administrators can customize customise the system settings, manage the additional users' permissions, and configure the integration with third-party components.

The information shown in the on the dashboards is as follows:

  • The Product Alerts section shows valuable information about the actual library (component) alerts generated for a product.   The New Versions category shows the number of alerts triggered alerts triggered for scanned libraries that were found to be out-of-date (i.e., not having the latest version).   Whenever an out-of-date library is located in the inventory, a new alert is generated and displayed in the Alerts report.   The Alert shows the out-of-date library as well as indicating what is and indicates the new version.
  • Security and Quality - shows  – shows the number of libraries that include vulnerabilities sorted by severity, the score of your their most vulnerable library, counts the libraries that have newer versions and include vulnerabilities , and counts the number of "bugged" ’buggy’ libraries.
  • The libraries section shows detailed information about the Product libraries (components): library name, library license, library occurrence by the project.licence, and per-product or project library occurrences.
  • Licence Analysis – The dashboard provides licence distribution data, in which the user can see the licences of product or project components. This License Analysis - The dashboard provides license distribution data in which you can see the licenses resolution organization has. This dashboard displays the number of the different license licence types.

WhiteSource Mend provides open-source license information for License Type, Copyrights, Patent and Royalty, Royalty Free, Linking, OSD Compliant.licence information about licence type, copyrights, dealing with patents and royalties, linking, and open-software compliance.

Mend WhiteSource has also conducted an in-house analysis of many of the main license licence types and provided risk scores to help developers determine what risks and factors they should keep in mind when deciding which license licence they should use.  WhiteSource The Mend scan service can provide GÉANT project GÉANT project teams with tracking of IPR compliance to compliance to help them to make their code compatible with  code compatible with IPR policies.  WhiteSource Mend provides full visibility and control over the risk risks associated with open source and licence (non-)compliance.