Mend Advise for Visual Studio Code
Overview
Mend Advise is an extension for Visual Studio Code, Visual Studio Codespaces, and GitHub Codespaces that is designed to empower developers with important, valuable information on security vulnerabilities concerning open-source components employed in their development projects.
Mend Advise does the following:
It facilitates workflows by making critical component vulnerability information available to the software developer from within the code editor, preventing the need to use a separate application for such purposes. This includes workflow violations.
It offers a transparent UX for developers, by seamlessly integrating with the code editor. It highlights open source components found to have reported security vulnerabilities (CVEs), displays information on such vulnerabilities, and offers recommendations for fixing them.
Support for Languages, Package Managers, and Proxy
Mend Advise supports npm, yarn, GO and C#-based (SDK and non-SDK-style) projects.
Note the following current limitations:
In certain circumstances where multiple scanned projects have the same vulnerable transitive dependency but each project contains different versions of the dependency, Mend will provide security results for only one of the dependency versions.
For C# Projects: The intermediate output path (the default is "obj" folder) of a C# project must be located directly inside the project's folder.
Using VS Code behind an authenticated HTTP proxy where credentials are not set as part of the proxy URL is not supported
Prerequisites
Ensure the following:
A Windows or macOS machine is being used (Linux is not supported)
A valid license for Mend for Developers
A license key for Mend Advise for IDE, available via one of the following options:
If you do not have direct access to the Mend Application, obtain the license key from your Mend Administrator.
If you have access to the Mend Application, do as follows:
For user level activation (Recommended option, provides more features. E.g. Direct fix for transitive vulnerabilities)
Go to the Mend Application.
Open the Profile page.
In the Mend Advise - IDE Integration section at the bottom, select your organization.
Copy your personal license key to be used later in Activating Mend Advise.
For organization level activation
Go to the Mend Application.
Open Integrate tab.
Go to Developer Integrations.
Open Advise for IDE.
Copy License Key to be used later in Activating Mend Advise
NuGet Package Manager must be installed for .NET projects
A package-lock.json or yarn.lcok must be present for JavaScript projects
Supported Versions
The plugin supports Visual Studio Code 1.47.3 and above. The last tested version is 1.63.2.
Installing Mend Advise
To install Mend Advise, do as follows:
Start the editor.
From the sidebar on the left, select Extensions. The Extensions panel is displayed.
In the search bar on top, enter mend and press Enter. The Mend Advise “widget” is displayed in the panel.
In the Mend Advise panel, click Install. The installation process begins. When the installation process is complete, you will receive a notification message.
Activating Mend Advise
To activate Mend Advise, do as follows:
Ensure that you have completed all previous procedures on this page.
Start the editor.
Open View > Command Palette.
In the Command Palette, enter mend.
From the suggestion list, select mend: Activate Mend Advise. The Activate Mend Advise wizard begins.
Enter your organizational email (the email domain must be licensed to use Advise), and click Enter.
Enter your license key (see here for more information on how to obtain a license key), and click Enter.
In the Mend Advise was successfully activated notification, if you want the extension to remember the license key, click Yes.
Visual Studio Code Integration
This video demonstrates how to install and use Mend Advise for Visual Studio Code.
Configuring Mend Advise
Changes made to the Mend settings will only apply after running the next scan.
To configure Mend Advise, do as follows:
From the sidebar on the left, select Extensions. The Extensions panel is displayed.
In the search bar on top, enter mend and press Enter. The Mend Advise “widget” is displayed in the panel.
Click the Manage icon.
In the popup that opens, click Extension Settings.
In the Mend screen, review the options and modify if necessary. See here for a list of all options.
Options Table
Option | Description | Default Setting |
---|---|---|
Enable automatic scanning in Workspace | When enabled, Mend Advise will automatically scan after activating the extension or after changes are applied to any of your Workspace folders. | Selected (checked) |
Include dev dependencies | When enabled, Mend Advise will include dev dependencies in a scan. | Unselected (not checked) |
Only show issues for direct dependencies | When enabled, Mend Advise will only return vulnerabilities for direct dependencies defined in your dependency file. | Unselected (not checked) |
Minimum vulnerability severity level | Alert only on detected vulnerabilities satisfying a Low/Medium/High/Critical minimum severity level.
| Low |
Scanning for Security Vulnerabilities
There are two ways to scan for security vulnerabilities - scan your entire workspace, or scan one or multiple folders within the workspace.
Ensure your projects are built before you scan their associated folders with Mend Advise.
Scanning a Workspace
To scan a workspace, do any of the following:
From the menu bar, Open View > Command Palette, enter mend, and from the suggestion list, select mend: Scan Workspace with Mend Advise.
From your keyboard, press Ctrl + Shift + Q
Scanning Folders Within a Workspace
To scan one or multiple folders within the workspace, do as follows:
Select one or multiple folders from the Explorer pane.
Right-click the folder (or a selection of folders) and from the context menu, click Scan folder(s) with Mend Advise.
Developer Focus Mode
The Developer Focus Mode allows developers to see only vulnerability alerts that are new in their feature branches compared to a predefined base branch. This promotes the security shift left approach and empowers developers to fix newly-introduced vulnerabilities immediately as part of their feature development efforts and prior to merging vulnerable code into production branches.
To enable Focus mode, do as follows:
In the Mend Advise project-level configuration, enable the Diff operation to be performed on a base branch checkbox.
Choose the base branch to which all other branch scans will be compared.
Make sure that your base branch is checked out, and trigger a Mend Advise scan either manually or by building your project.
If there was no scan on the predefined base branch after its initial configuration, all branches will show all the scan results, not just the newly created security alerts.
Every time the base branch configuration changes, a Mend Advise scan must be triggered on that branch prior to seeing new security results.
Vulnerable Commit Alert
An alert can be enabled to notify about newly added vulnerabilities when committing the code inside the VS Code. This alert will appear only if the committed feature branches have new vulnerabilities compared to a preconfigured base branch.
To enable a Vulnerable Commit Alert, do as follows:
Enable the Focus Mode (enable the Diff operation, choose the base branch, and trigger a Mend Advise scan).
Go to Setting > Extensions > Mend Advise and make sure that Notify on new OS vulnerabilities is enabled.
In case the commit has new vulnerabilities, a txt file will open with a notification. If you close this file, the new changes won’t be committed and you will be able to review new vulnerabilities in the feature branch. To commit anyway type 'y' and close the file.
Advanced information about the Vulnerable Commit Alert
For this feature, the Advise extension is using git hooks to block a commit when new vulnerabilities are presented in the feature branch (this is a script that will run before each commit).
The Advise extension will check if you have an active hook named pre-commit (all hooks are stored in the project directory in .git/hooks
; if they have .sample
extension it means that they are not used). If such a file isn't already used, Advise will update it so it can block vulnerable commits as described above.
If such a file already exists and doesn’t have a .sample
extension (meaning, this script runs before each commit), Advise will not update this file or create a new one. In order for Vulnerable Commit Alert to work, you have to manually update the pre-commit file so it has the required script. For the script, please contact Mend Support.
Reviewing Scan Results
After a scan is completed, a notification is displayed with informative statistics regarding the scan. These include the number of critical, high, medium, and low severity vulnerabilities. To view more specific information regarding the vulnerability, click Show Problems inside the notification to open the Problems section. In the Problems section, for each vulnerability, the following details are displayed (note that some Problem descriptions are found on the same line):
Vulnerability/CVSS Score/Severity:
The identifier of the vulnerability
The security vulnerability's Common Vulnerability Scoring System (CVSS) score. If a CVSS 3 score is available, it will be displayed; otherwise, the CVSS 2 score will be displayed.
Reported severity for the vulnerability: CRITICAL, HIGH, MEDIUM, LOW
Component/Dependency Type
The scanned component reported to have a vulnerability
Whether the vulnerable component is a Direct dependency or a Transitive dependency
Dependency Path - The path from the direct dependency to the vulnerable transitive dependency (displayed only if it is a transitive dependency)
Fix - The remediation advice that Mend recommends for the vulnerability. A condensed description of the recommended course of action is given.
Direct Fix - The remediation advice that Mend recommends for the transitive vulnerability. A condensed description of the recommended course of action over the direct dependency is given.
NOTE: Direct Fix is only available for plugins activated with a personal license key (refer to a user level activation in the Prerequisites section).
Upgrading mend Advise
Upgrading When Auto Updating Extensions is Enabled
To upgrade the Mend Advise extension when the Auto Updating Extensions option is enabled, do as follows:
From the sidebar on the left, select Extensions. The Extensions panel is displayed.
In the search bar on top, enter mend and press Enter. The Mend Advise “widget” is displayed in the panel.
Select the Mend Advise extension, and click Reload Required.
NOTE: If the Reload Required is not displayed, a new version is not available.
Upgrading When Auto Updating Extensions is Disabled
To upgrade the Mend Advise extension when the Auto Updating Extensions option is disabled, do as follows:
From the sidebar on the left, select Extensions. The Extensions panel is displayed.
Click the three dots (“…”). The menu is displayed.
Click Check for Extension Updates.
In the search bar on top, enter mend and press Enter. The Mend Advise “widget” is displayed in the panel.
If an update is available to the extension, click the Update to… button.
Uninstalling Mend Advise
To uninstall the extension, do as follows:
From the sidebar on the left, select Extensions. The Extensions panel is displayed.
In the search bar on top, enter mend and press Enter. The Mend Advise “widget” is displayed in the panel.
Select the Mend Advise extension, and click Uninstall.