Scan your open source components (SCA) with Mend for Azure Repos
Overview
Mend SCA is an SCA (Software Composition Analysis) solution of our Mend for Azure Repos integration. Within Mend for Azure Repos, Mend SCA conducts a thorough examination of the open-source elements present in your repositories to identify CVE vulnerabilities and license compliance.
Use case
Mend for Azure Repos SCA scans can be utilized in the following ways:
You, a developer, have come across a vulnerability in an open-source component that was included in one of your commits. You are accountable for addressing the issue and are looking to automate the remediation process.
You, a development team leader, are responsible for a repository and want to ensure no high-severity findings or license violations in your team’s open-source components. You want to monitor the overall state of the repository.
Mend’s Answer: With every valid commit, the SCA scan creates a Mend Security Check that provides details on vulnerabilities and license violations. The SCA scan creates Work Items to help you keep track of these findings. Lastly, working alongside Remediate and Renovate, the SCA scan provides automated vulnerability remediation and dependency updates via Pull Requests. This is all done without you ever needing to leave Azure Repos.
Getting it done
Once you have installed the Mend for Azure Repos, you will see a Pull Request (PR) created by the whitesource/configure branch
appear in your integrated repositories. This is also referred to as the Mend for Azure Repos "onboarding PR":
The “onboarding PR” will contain the .whitesource file, which handles the configuration of your Mend for Azure Repos scan. You can edit the .whitesource file before merging the onboarding PR to ensure that your first scan is configured appropriately for your repository:
This will initiate the installation and start the first scan on your selected repositories. You can define settings (like selected branches) later on in the .whitesource file.
Configure Mend for Azure Repos for SCA
The .whitesource file is used to configure Mend for Azure Repos SCA scans. To learn more about the SCA-supported languages, configuration, and parameters, visit our Configure Mend for Azure Repos for SCA documentation.
Run the Scan
Once you merge the onboarding PR into your default branch, this will start the first SCA scan on your repository.
Any concurrent SCA scans on your repository are initiated via a valid push command. A valid push command meets at least one of the following requirements:
One of the commits in the push command added/removed a source file(s) with an extension supported by Mend. Refer to the Mend Languages page to find out whether or not a specific language and its extensions are supported.
One of the commits in the push command includes an addition/deletion/modification of the package manager dependency file(s). Refer to the list of supported dependency files to determine whether your dependency files are supported.
Note:
A push command may consist of multiple commits.
You can manually trigger a scan for several repositories at once. For more information, refer to our Global Configuration document.
View the Scan Status
Once the scan is started, there are Azure DevOps Repos checks created called:
Mend Security Check: For vulnerabilities in SCA components
Mend License Check: For SCA components that contain license violations on policies defined by your organization
Within Azure DevOps Repos, in your repository's Repos > Commits page, you can view the status and results of each scan. Click a specific check icon in order to view the Mend check:
Mend Security Check (SCA)
Once the scan has been started, there are several status indicators available as feedback on a head commit:
Queued: The SCA scan has not begun and is scheduled to begin.
In progress: (Blue Circle Icon) The SCA scan is currently in progress:
Success: (Green Checkmark icon) The SCA scan is completed, and this status can be displayed in two scenarios:
When the parameter vulnerable.check.run.conclusion.level is set to
success
orfailure
, and a 'success' status is provided for the scan since no vulnerabilities were found and no errors occurred during the scan for this head commit. In this case, merging a pull request that includes this commit to another branch in the repository is automatically approved.When the parameter vulnerable.check.run.conclusion.level is set to
success
. In this configuration, even a 'failed' status for a head commit's scan is converted to 'success'. In this case, merging a pull request that includes this head commit to another branch in the repository is automatically approved.
Failure: (Red “X” Icon) Default for all completed SCA scans. When the parameter vulnerable.check.run.conclusion.level is set to
failure
, the status of a 'failed' head commit is 'failure', and a policy for approving merging pull requests that include failed head commits with another branch in the repository is enforced.Neutral: Conclusion occurs when the push command was not valid:
Note: The Failure status can also occur when an error (i.e. scan timeout) that occurred during the scan.
Mend Security Check with Partial Scan results
In case when the scanning of the repository Mend encountered exceptions thrown by the package managers, there will be a message indicating that the scan results might be partial (i.e., Mend was not able to pull all of the dependencies for scanning).
This message is displayed only in the description of the Security Check and does not affect its status. It is also possible to use the strictMode parameter so all the Checks with this message will fail even if no vulnerabilities are detected during the scan.
Note: To retrieve the scan logs, please refer to our article on how to generate the scan logs. If further assistance is required, you can provide the Mend Support Team with the Support Token found in the Commit Comment of the scan.
Mend License Check
The following commit status indicators are available as feedback on the head commits for the Mend License Check:
Neutral: Conclusion occurs when the push command was not valid:
Success: (Green Checkmark icon) No license policy violations were detected:
Failure: (Red “X” icon) One or more license policy violations were detected:
View the Scan Results
Once your Mend for Azure Repos scan has been completed, there are multiple resources to review your results. For more information to help you understand your findings, visit our View the results of your Mend for Azure Repos SCA scan documentation.
Inventory post-scan
Mend continuously researches new vulnerabilities and updates its vulnerability database with these findings. For these newly discovered vulnerabilities to be reflected in projects as soon as possible, Mend initiates a post-scan process for all integrated projects every 6 hours and additionally at 01:00 UTC. Mend will create or update issues and pull requests for vulnerabilities that were added to the database during this period of time.
This is an automated procedure, and no action from the user is required.