Overview

This page describes the details shown in the Security and License Policy Violation issues that Mend generates in your repositories.

Security Issue Details

Selecting a specific security vulnerability type issue displays its details. The display changes according to the type of library:

NOTE: Mend supports displaying multiple libraries for the same CVE; the libraries will be displayed in the same issue.

Component-based library (e.g., '*.tgz', '*.jar'): It includes the following information:

  • Vulnerable library: Includes the path to the dependency file and the path of the library. If the path is of a transitive dependency, then only the path information of the root library is displayed. This section also contains a commit link, which points to the commit where the vulnerability was found. NOTE: The originating branch of the vulnerability is also displayed in case the baseBranches configuration was used.

  • Vulnerability details: Description of the vulnerability, published date, and link to the vulnerability source website.

  • Suggested fix: A detailed suggestion that includes type, origin, release date, and fix resolution. Note that a fix may not always be available.

  • Automatic Remediation is available for this issue (NOTE: supported from version 19.9.1.1 in self-managed integrations): Part of Mend Remediate. Displayed only when automatic remediation is available for the issue, and when the issue does not contain more than a single component.

  • Check this box to open an automated fix PR/MR (NOTE: supported from version 20.2.2 in self-managed integrations): Provides the ability to generate fix PR/MRs on demand without defining workflow rules in advance. This checkbox is displayed only if automatic remediation is available for the issue and no workflow rules have been added yet for the repository. Note that after clicking the checkbox, Mend Remediate immediately generates a fix PR/MR to remediate the given issue.

Source file-based component: It includes the following information:

  • Vulnerable library: Includes a description of the vulnerable source library, a link to the source library home page, and a commit link, which points to the commit where the vulnerability was found. NOTE: The originating branch of the vulnerability is also displayed in case the baseBranches configuration was used.

  • Library Source Files: A list of source files found in the vulnerable source library.

  • Vulnerability Details: Description of the vulnerability, published date, and link to the vulnerability source website.

  • CVSS 3 score: Basic CVSS 3 score metrics. If this score is not available, the CVSS 2 score is displayed instead.

  • Suggested fix: A detailed suggestion that includes type, origin, release date, and fix resolution. Note that a fix may not always be available.

License Policy Violation Issue Details

Selecting a specific license policy violation type issue displays its details:

  • Library: Includes details of the library containing a license policy violation. It also includes the path to the dependency file and the path of the library. If the path is of a transitive dependency, then only the path information of the root library is displayed. This section also contains a commit link, which points to the commit where the license policy violation was found. NOTE: The originating branch of the license policy violation is also displayed in case the baseBranches configuration was used.

  • License Details: Description of the license including the license name, a link to the original license, and a license reference file. NOTE: When a policy violation affects a library containing multiple licenses, all of the library licenses are displayed, including the license violating the policy.

  • License Policy Violation: The name of the license policy violation as defined in the Mend UI, along with the policy level (Organization/Product/Project).

Infrastructure as Code (IaC) Violation Details

Selecting a specific IaC violation type issue displays its details:

  • Violation detected in the file: Includes details of the affected configuration file containing an IaC violation. It also includes the line numbers affected inside the file.

  • File Type: The type of configuration file. NOTE: supported configuration files are Terraform, CloudFormation, Kubernetes, ARM Templates, Serverless, and Helm.

  • Details: Additional information regarding the IaC violation.

Code Security Report (SAST)

Selecting a code security findings type issue displays its details:

  • Latest Scan: A timestamp of the latest SAST scan of this repository.

  • Total Findings: The number of code security findings after the latest scan.

  • Tested Project Files: The number of files that were scanned during the latest scan.

  • Detected Programming Languages: The number of programming languages that were detected and whose files were scanned during the latest scan.

  • Check this box to manually trigger a scan: Checking this checkbox initiates a SAST scan for this repository.

A section for each scanned programming language contains:

  • Language name

  • A table of code security findings aggregated by CWE, with the following columns:

      • Severity: The severity of the CWE.

      • CWE: The Common Weakness Enumeration identifier.

      • Vulnerability Type: A short description of the CWE type.

      • Count: The number of occurrences of this CWE in the code.

This page is available at: https://docs.mend.io/bundle/integrations/page/viewing_mend_issues.html