Mend Advise for Visual Studio is an extension for Visual Studio that is designed to empower developers with important, valuable information on security vulnerabilities concerning open-source components employed in their development projects.
Mend Advise for Visual Studio does the following:
It streamlines workflows by making critical component vulnerability information available to the developer from within the IDE, removing the need to switch to a separate application for that purpose.
It offers a transparent UX for developers, by seamlessly integrating with the IDE environment. It provides a dedicated view including reported security vulnerabilities (CVEs) as well as recommendations for fixing them.
Support for Languages and Package Managers
Mend Advise supports C#-based projects of the following types:
SDK-style projects based on .NET Core 2.0 and above
Non-SDK-style projects based on .NET Framework 4.5.2 and above
Ensure the following:
A Windows machine is being used (Linux and Mac are not supported)
A license key for Mend Advise for IDE, available via one of the following options:
If you do not have direct access to the Mend Application, obtain the license key from your Mend Administrator.
If you have access to the Mend Application, do as follows:
Go to the Mend Application.
Open the Profile page.
In the Mend Advise - IDE Integration section at the bottom, select your organization.
Visual Studio 2019 (any edition) is installed and you are familiar with its basic functionality
NuGet Package Manager must be installed
The plugin supports Visual Studio 2019.1 and above (Enterprise, Professional, Community). The last tested version is 2022.
Plugins for Visual Studio 2019 and Visual Studio 2022 are published to the Visual Studio Marketplace separately.
Installing Mend Advise
To install Mend Advise, do as follows:
Start Visual Studio.
From the menu bar, select Extensions → Manage Extensions. The Manage Extensions screen is displayed.
In the Manage Extensions screen, open the Online section from the sidebar and click Visual Studio Marketplace.
In the Search area on the right, enter Mend and press Enter.
Select the Mend Advise extension, and click Download.
Click Close and restart Visual Studio so that the extension can be installed.
Activating Mend Advise
To activate Mend Advise, do as follows:
Start Visual Studio, specifying the preferred project.
From the menu bar, click Extensions → Mend → Activate Mend Advise. The Activate Mend Advise screen is displayed.
In Email, enter your organizational email (the email domain must be licensed to use Advise).
In License Key, enter your license key (See here for more information on how to obtain a license key).
NOTE: If you check Remember license key, the activation credentials will be stored for later use. Once stored, the Mend Advise activation credentials will be used for all projects.
Configuring Mend Advise
Changes made to the Mend settings will only apply after running the next scan.
To configure Mend Advise, do as follows:
From the menu bar, click Extensions → Mend → Options. The Options screen is displayed.
Review the options and modify if necessary. See here for a list of all options.
Automatically scan after build or rebuild action
When enabled, Mend will trigger a scan after a Build or Rebuild action is performed on any of your solutions/projects.
Only show issues for direct dependencies
When enabled, Mend Advise will only return vulnerabilities for direct dependencies defined in your dependency file.
Default: Unselected (not checked)
Minimum vulnerability severity level
Alert only on detected vulnerabilities satisfying a Low/Medium/High minimum severity level.
Low - Vulnerability alerts for all severities (Low, Medium, High) are displayed.
Medium - Vulnerability alerts only for Medium or High severities are displayed.
High - Vulnerability alerts only for High severities are displayed.
Include dev dependencies
Whether to alert on vulnerabilities detected in dev dependencies.
Default: Unselected (not checked)
Scanning for Security Vulnerabilities
To scan for security vulnerabilities, do one of the following:
Scanning a Solution
To manually scan a solution, do any of the following:
From the menu bar, click Extensions → Mend → Scan Solution with Mend Advise
From the Solution Explorer pane, right-click the solution and from the context menu, click Scan Solution with Mend Advise
To manually scan one or more projects, do as follows:
Select one or multiple projects from the Solution Explorer pane.
Do one of the following:
From the menu bar, click Extensions → Mend → Scan Project(s) with Mend Advise
From the Solution Explorer pane, right-click a project (or a selection of projects) and from the context menu, click Scan Project(s) with Mend Advise
Developer Focus Mode
The Developer Focus Mode allows developers to see only vulnerability alerts that are new in their feature branches compared to a predefined base branch. This promotes the security shift left approach and empowers developers to fix newly-introduced vulnerabilities immediately as part of their feature development efforts and prior to merging vulnerable code into production branches.
To enable Focus Mode, do as follows:
Under Extensions → Mend → FocusMode, select the Diff operation to be performed on a base branch checkbox.
Choose the base branch to which all other branch scans will be compared.
Make sure that your base branch is checked out, and trigger a Mend Advise scan either manually or by building your project.
If there was no scan on the predefined base branch after its initial configuration, all branches will show all the scan results, not just the newly created security alerts.
Every time the base branch configuration changes, a Mend Advise scan must be triggered on that branch prior to seeing new security results.
Vulnerable Commit Alert
An alert can be enabled to notify about newly added vulnerabilities when committing code from inside Visual Studio. This alert appears only if the committed feature branch has new vulnerabilities compared to the preconfigured base branch.
To enable a Vulnerable Commit Alert, do as follows:
Enable the Focus Mode (enable the Diff operation, choose the base branch, and trigger a Mend Advise scan).
Enable the Notify on new OS vulnerabilities checkbox.
If the commit introduces new vulnerabilities, a .txt file opens with a notification. If you close this file, the changes are not committed and you can review the new vulnerabilities in the feature branch. To commit anyway, type y in the file and close it.
Advanced information about the Vulnerable Commit Alert
For this feature, the Advise extension uses a Git hook to block a commit when new vulnerabilities are present in the feature branch (a script that Git runs before each commit).
The Advise extension checks whether you already have an active hook named pre-commit (all hooks are stored in the project directory under .git/hooks; a file with the .sample extension is a template and is not used by Git). If no active pre-commit hook exists, Advise installs one so it can block vulnerable commits as described above.
If such a file already exists and doesn’t have a .sample extension (meaning, this script runs before each commit), Advise will not update this file or create a new one. In order for Vulnerable Commit Alert to work, you have to manually update the pre-commit file so it has the required script. For the script, please contact Mend Support.
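The hook handling described above, as an added example that is not Mend's code: it reports whether .git/hooks/pre-commit is active, a .sample template, or absent; installs a blocking hook only when no active hook exists; and shows how a non-zero exit from pre-commit stops the commit. The marker file NEW_VULNS_MARKER is a constructed stand-in for the scan result; the real check is Mend's script, which is not on this page.

```shell
#!/bin/sh
# Added example, not Mend's own code: models the pre-commit hook handling the page describes.

# precommit_hook_state REPO_DIR -> prints "active", "sample" or "none"
precommit_hook_state() {
    hooks="$1/.git/hooks"
    if [ -f "$hooks/pre-commit" ]; then
        echo active   # Git runs this file before every commit; an installer must not overwrite it
    elif [ -f "$hooks/pre-commit.sample" ]; then
        echo sample   # Git's template copy; ignored by Git, so it is safe to replace
    else
        echo none
    fi
}

# install_demo_hook REPO_DIR -> writes a blocking hook only when no active hook exists.
# Returns 0 when installed, 1 when an existing active hook was left untouched.
install_demo_hook() {
    hooks="$1/.git/hooks"
    if [ "$(precommit_hook_state "$1")" = active ]; then
        return 1
    fi
    mkdir -p "$hooks"
    cat > "$hooks/pre-commit" <<'EOF'
#!/bin/sh
# Git aborts the commit whenever pre-commit exits non-zero.
# Hypothetical marker: stands in for "the scan found new vulnerabilities in this branch".
if [ -f .git/NEW_VULNS_MARKER ]; then
    echo "New open-source vulnerabilities in this branch; commit blocked." >&2
    exit 1
fi
exit 0
EOF
    chmod +x "$hooks/pre-commit"
    return 0
}

# commit_allowed REPO_DIR -> prints "allowed" or "blocked" by running the hook as Git would
commit_allowed() {
    if (cd "$1" && sh .git/hooks/pre-commit >/dev/null 2>&1); then
        echo allowed
    else
        echo blocked
    fi
}
```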
Reviewing Scan Results
The Mend window comprises three sections:
Statistics regarding the most recent scan
A table regarding vulnerability details
Statistics regarding the vulnerability distribution
Statistics regarding the most recent scan:
Last scanned projects - The total count of projects from the most recent scan
Last scan timestamp - The time the most recent scan began
Last scan result - The status of the most recent scan
A table regarding vulnerability details:
The Mend window expands on the vulnerability details detected by Mend. The window features the following columns:
Project - The scanned project where a vulnerability was found
Component - The scanned component reported to have a vulnerability
Version - The version of the scanned component reported to contain a vulnerability
Target Framework - The target .NET version of the component
Vulnerability - The identifier of the vulnerability. Clicking the identifier (link) opens the Mend Vulnerability Lab providing more information.
CVSS - The security vulnerability's Common Vulnerability Scoring System (CVSS) score. If a CVSS 3 score is available, it will be displayed; otherwise, the CVSS 2 score will be displayed.
Severity - Reported severity for the vulnerability: High, Medium, Low
Dependency - Whether the vulnerable component is a Direct dependency or a Transitive dependency
Description - The description of the security vulnerability
Top Fix - The top-rated remediation advice that Mend recommends for each vulnerability. A condensed description of the recommended course of action is given
Additionally, you may do the following:
To sort the displayed Mend Advise results based on a preferred column, click the corresponding column header where possible.
Statistics regarding the vulnerability distribution:
Security vulnerability scan summary - The number of High, Medium, and Low severity vulnerabilities in the table, plus the total number of vulnerabilities
Viewing General Plugin Information
To view version information about Mend Advise, do as follows:
From the menu bar, click Extensions → Mend → About Mend Advise. The About screen is displayed.