Mend Support for Third-Party Commercial and Closed Source Components


On top of identifying open source components, Mend supports detection, reporting, automated workflows, and policy enforcement on third-party commercial and closed-source components. Closed source (sometimes referred to as proprietary software) is defined as software distributed under a licensing agreement to authorized users, with restrictions on private modification, copying, and redistribution. Only the original authors of closed source software can access, copy, and alter that software. An end-user is not actually purchasing the software, but purchasing the right to use it.

This support includes component detection for generating SBOMs, compliance information (closed-source licenses, copyrights, and notices), and security vulnerability information.

Component Detection

Mend detects third-party commercial and closed-source components using the component's SHA-1 signature. Because a SHA-1 hash changes whenever even a single byte of the file changes, a hash match identifies exactly one known component, which makes this a detection method with no false positives.

License Detection

Mend categorizes each license into Open Source, Commercial or Closed Source, with support for hundreds of different open and closed source license types. The Due Diligence report allows users to generate a list of components by license type and distinguish between open source and non-open source licenses, along with viewing additional compliance-related metadata.
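The following Python script is an added example, not Mend's own code: it illustrates the hash-based component detection described above and the license-category grouping that the Due Diligence report provides. The component names, versions, license names and the file contents they are hashed from are all constructed for the demonstration; the inventory holds hashes of those sample bytes, not of any real component. The script also writes a copy of one sample component with a single byte altered, showing that exact-hash matching reports only unmodified files.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha1_of_bytes(data: bytes) -> str:
    """Hex SHA-1 digest of an in-memory byte string."""
    return hashlib.sha1(data).hexdigest()


# Constructed sample "binaries". In a real scan these would be files on disk
# whose hashes are looked up in a vendor-maintained signature database.
SAMPLE_FILES = {
    "acme-widgets-2.1.dll": b"ACME Widgets runtime 2.1 (constructed sample bytes)",
    "libfoo-1.0.so": b"libfoo 1.0 (constructed sample bytes)",
    "unknown-tool.exe": b"some unrelated binary (constructed sample bytes)",
}

# Constructed inventory: SHA-1 hex digest -> component metadata, including the
# license category (Open Source / Commercial / Closed Source) used for reporting.
INVENTORY = {
    sha1_of_bytes(SAMPLE_FILES["acme-widgets-2.1.dll"]): {
        "name": "ACME Widgets", "version": "2.1",
        "license": "ACME EULA (hypothetical)", "category": "Commercial",
    },
    sha1_of_bytes(SAMPLE_FILES["libfoo-1.0.so"]): {
        "name": "libfoo", "version": "1.0",
        "license": "MIT", "category": "Open Source",
    },
}


def sha1_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-1 so large binaries are not read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root: str, inventory: dict):
    """Hash every file under root and split them into matched components and unknowns."""
    matches, unmatched = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            digest = sha1_of_file(os.path.join(dirpath, name))
            meta = inventory.get(digest)
            if meta is None:
                unmatched.append(name)
            else:
                matches.append({"file": name, "sha1": digest, **meta})
    return matches, unmatched


def group_by_license_category(matches: list) -> dict:
    """Group matched components by license category, like a due-diligence listing."""
    grouped = defaultdict(list)
    for m in matches:
        grouped[m["category"]].append(m)
    return dict(grouped)


def demo():
    """Write the constructed samples to a temp dir, scan them, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in SAMPLE_FILES.items():
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(data)
        # A copy of a known component with one byte flipped: its SHA-1 differs,
        # so exact-hash matching does not report it (no false positive, but also
        # no detection of the modified file).
        patched = bytearray(SAMPLE_FILES["acme-widgets-2.1.dll"])
        patched[0] ^= 0x01
        with open(os.path.join(tmp, "acme-widgets-2.1-patched.dll"), "wb") as f:
            f.write(bytes(patched))
        matches, unmatched = scan_directory(tmp, INVENTORY)
        return group_by_license_category(matches), sorted(unmatched)


if __name__ == "__main__":
    report, unknown = demo()
    for category, items in report.items():
        print(category)
        for item in items:
            print(f"  {item['name']} {item['version']}  {item['license']}  ({item['file']})")
    print("Unmatched:", unknown)
```

The unmatched list contains both the unrelated file and the one-byte-patched copy: exact-hash matching by design trades away detection of modified binaries for a zero false-positive rate.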

Vulnerability Detection

Vulnerabilities in third-party commercial and closed-source components are reviewed and enriched by Mend’s research team. Once the enrichment process is complete, the vulnerability is associated with the relevant components and Mend users are alerted.