Here at Mend - as a Software Composition Analysis (SCA) market leader - we have worked hard to provide you with the best open source security and license compliance management platform there is, so you can easily and efficiently manage and trust your open source assets. After 10 years as a leader in SCA, Mend now offers a static application security testing (SAST) solution to help your organizations secure their proprietary code in addition to open source code.
Our SCA solution continuously scans dozens of open source repositories, and cross-references this data with open source components in your build. It helps you ﬁnd optimal components and automatically alerts you to known security vulnerabilities, bugs, new versions, patches, and ﬁxes. It automates the creation and enforcement of licensing policies, keeping detailed inventories and due diligence reports. It’s compatible with most programming languages, build tools and development environments. And possibly the best thing about it, you just set it up and leave it to work.
Our SAST solution provides custom code vulnerability detection and prioritization that enables developers to quickly and easily identify the most significant software risks in their proprietary code.
Mend provides the tools you need to develop software securely and effectively, without the headache, so you can focus on what you do best – making beautifully constructed software.
Mend's comprehensive offering has your entire personnel covered, by tailoring our solution to addressing the different needs of open source software development.
Our variety of reports and dashboards will help you assess your open source usage, such as maintaining a repository of open source libraries, or including details about license approval processes.
Accuracy - and a deep, thorough security approach - is critical. Mend provides the following:
Over 200 languages and 30 package managers
Support both binaries and source files scanning
Comprehensive source files analysis, mapping also non-declared dependencies, and scanning those components as well
Richest database in the industry. Mend collects security vulnerabilities from vulnerabilities databases, security advisories (over 20), security issues, and popular open-source issue tracker.
Mend provides your organization with full visibility and control over the risk associated with open source compliance. Governance visibility and methodologies enforcements include:
A wide range of reports and dashboards designed for different audiences
Extensive support in various languages and data sources for compliance scans
Automation to ensure policies and workflows take place
Thorough support in copyrights, notices and cross-SDLC license checks
Audit reports can be generated promptly with a list of your organization’s OSS libraries, the history, risks, and relevant business processes. Whenever a customer, investor or partner demands information about your OSS policies, you’re ready.
We take your privacy very seriously. Our secure, multi-domain architecture keeps your information safe and encrypted separately from other users. We do not store any passwords on our site.
Key Products and Features
The Unified Agent
The Unified Agent is a simple Java command-line tool that extracts descriptive information from your open source libraries located on your file system and integrates them with Mend.
The Web-based GUI
The Web-based GUI provides you with numerous options and panels to view and analyze the scans of your open-source software in the organization's products and projects. Administrators can customize the system settings, manage the additional users' permissions, and configure the integration with third-party components.
Mend Prioritize represents a revolutionary approach to the assessment of the effective security vulnerability impact associated with open source components. It scans customer code, analyzes how the code interacts with open source components, indicates if reported vulnerabilities are effectively referenced by such code – and if so – identifies where that happens. Through a combination of advanced algorithms, a comprehensive knowledge base and a fresh new UI, Mend Prioritize enables customers to establish whether reported vulnerabilities constitute a real risk, allowing for a significant potential reduction in development efforts and higher development process efficiency.
Mend Developer Integrations
Mend Developer Integrations is a paid bundle that augments the Mend Core offering and includes these products:
Mend Remediate - Continuously track repositories to identify vulnerable open source components and generate fix pull requests (PR) automatically, thus automating the remediation process
IDE Integration - Alerts developers on vulnerable open source components while coding within the IDE UI so developers don’t have to switch between applications or wait until they’ve committed the code
Repo Integration - A native integration detecting all open source components in the repos, providing alerts, enforcing compliance, failing builds and pull requests and automating remediation guidance.
Browser Integration (previously named Web Advisor or Selection Tool) - A Chrome extension that allows developers to view a snapshot of a component’s details while browsing on web pages such as StackOverflow, Maven Central, GitHub and many more before they download it and incorporate it into the product.
The documentation in this repository reflects the ongoing changes in Mend application, and as such, is "dynamic". Please note that topics, content, features, descriptions, and entire pages can change at any time with little or no notice.