Viewing Mend Issues
Overview
This page explains details of the Security and License policy violation issues generated by Mend in your repositories.
Security Issue Details
Note: Starting with the release of version 22.12.1 (January 2nd, 2022), a new scan must be triggered on the repository for existing Issues or Work Items created by our repo integrations to receive the Critical label for vulnerabilities. If a scan has not been triggered after upgrading to this version, the repo will continue to show only the previous three labels (High, Medium, Low). For more information on the Critical setting, please see our documentation.
Selecting a specific security vulnerability type issue displays its details. The display changes according to the type of library:
NOTE: Mend supports displaying multiple libraries for the same CVE; the libraries will be displayed in the same issue.
Component-based library (e.g., '*.tgz', '*.jar'): Includes the following information:
Vulnerable library: Includes the path to the dependency file and the path of the library. If the path is of a transitive dependency, then only the path information of the root library is displayed. This section also contains a commit link, which points to the commit in which the vulnerability was found. NOTE: The originating branch of the vulnerability is also displayed if the baseBranches configuration was used.
Vulnerability details: Description of vulnerability, published date, and link to the vulnerability source website.
CVSS 3 score: Basic CVSS 3 score metrics. If this score is not available, then the CVSS 2 score is displayed.
Exploit Maturity: The Exploit Code Maturity (Proof of concept, Functional and High are reported by Mend as exploitable).
EPSS: The EPSS percentage (the probability that the vulnerability will be exploited).
Suggested fix: A detailed suggestion that includes type, origin, release date, and fix resolution. Note that a fix may not always be available.
Automatic Remediation is available for this issue (NOTE: Supported from version 19.9.1.1 in Self-Hosted integrations): Part of Mend Remediate. Displayed only when automatic remediation is available for the issue, and only when the issue contains no more than a single component.
Check this box to open an automated fix PR/MR (NOTE: Supported from version 20.2.2 in Self-Hosted integrations): Provides the ability to generate fix PR/MRs on demand without defining workflow rules in advance. This checkbox is displayed only if automatic remediation is available for the issue and no workflow rules have been added yet for the repository. Note that after clicking the checkbox, Mend Remediate immediately generates a fix PR/MR to remediate the given issue.
*Applicable when the exploitability flag is enabled and the vulnerability contains exploitability data.
Source file-based component: It includes the following information:
Vulnerable library: Includes a description of the vulnerable source library, a link to the source library home page, and a commit link, which points to the commit in which the vulnerability was found. NOTE: The originating branch of the vulnerability is also displayed if the baseBranches configuration was used.
Library Source Files: A list of source files found in the vulnerability source library.
Vulnerability Details: Description of vulnerability, published date, and link to the vulnerability source website.
CVSS 3 score: Basic CVSS 3 score metrics. If this score is not available, then the CVSS 2 score is displayed.
Suggested fix: A detailed suggestion that includes type, origin, release date, and fix resolution. Note that a fix may not always be available.
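As an added example (not Mend's code), the following Python helper applies the display rules described above to constructed issue records: the CVSS 3 score is used and CVSS 2 is the fallback, an issue counts as exploitable only for the Exploit Code Maturity values Mend reports as exploitable, the on-demand fix checkbox appears only for a single-component issue with remediation available and no workflow rules, and a simple triage order is derived from those fields. All library names, CVE ids, scores and the priority weights are made-up placeholders.

```python
# Added example, not Mend's code: applies the issue display rules from this page
# to constructed records and ranks them for triage. All values are made up.
from dataclasses import dataclass
from typing import Optional

# Exploit Code Maturity values the page says Mend reports as exploitable.
EXPLOITABLE_MATURITY = {"Proof of concept", "Functional", "High"}

@dataclass
class SecurityIssue:
    library: str
    cve: str
    cvss3: Optional[float]           # CVSS 3 base score, if available
    cvss2: Optional[float]           # shown only when CVSS 3 is missing
    exploit_maturity: Optional[str]  # None when no exploitability data
    epss: Optional[float]            # EPSS percentage, 0-100
    fix_available: bool              # a suggested fix exists
    components: int = 1              # libraries sharing the same CVE in one issue
    workflow_rules: bool = False     # repo already has Remediate workflow rules

def displayed_score(issue):
    """CVSS 3 is displayed; CVSS 2 only when CVSS 3 is unavailable."""
    if issue.cvss3 is not None:
        return ("CVSS 3", issue.cvss3)
    return ("CVSS 2", issue.cvss2)

def is_exploitable(issue):
    return issue.exploit_maturity in EXPLOITABLE_MATURITY

def shows_fix_checkbox(issue):
    """On-demand fix PR/MR checkbox: remediation available, one component, no rules yet."""
    return issue.fix_available and issue.components == 1 and not issue.workflow_rules

def priority(issue):
    """Higher means fix first; weights are illustrative, not a Mend formula."""
    _, score = displayed_score(issue)
    p = (score or 0.0) * 10          # base score dominates
    p += 50 if is_exploitable(issue) else 0
    p += issue.epss or 0.0           # likelihood of exploitation
    p += 10 if issue.fix_available else 0   # actionable issues first
    return round(p, 1)

def triage(issues):
    return sorted(issues, key=priority, reverse=True)

# Constructed sample issues (placeholder names and ids).
SAMPLE = [
    SecurityIssue("example-a-1.0.0.tgz", "CVE-PLACEHOLDER-0001", 7.5, None, "Functional", 12.3, True),
    SecurityIssue("example-b-2.1.0.jar", "CVE-PLACEHOLDER-0002", None, 9.3, "High", 97.0, True, components=2),
    SecurityIssue("example-c-0.9.1.tgz", "CVE-PLACEHOLDER-0003", 5.6, None, None, 0.4, False),
]
```

Running `triage(SAMPLE)` orders the CVSS 2-only, highly exploitable issue first, and `shows_fix_checkbox` is false for it because it spans two components.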
License Policy Violation Issue Details
Selecting a specific license policy violation type issue displays its details:
Library: Includes details of the library containing a license policy violation. It also includes the path to the dependency file and the path of the library. If the path is of a transitive dependency, then only the path information of the root library is displayed. This section also contains a commit link, which points to the commit in which the license policy violation was found. NOTE: The originating branch of the license policy violation is also displayed if the baseBranches configuration was used.
License Details: Description of the license including the license name, a link to the original license, and a license reference file. NOTE: When a policy violation affects a library containing multiple licenses, all of the library licenses are displayed, including the license violating the policy.
License Policy Violation: The name of the license policy violation as defined in the Mend UI, along with the policy level (Organization/Product/Project).
Infrastructure as Code (IaC) Violation Details
Selecting a specific IaC violation type issue displays its details:
Violation detected in the file: Includes details of the affected configuration file containing an IaC violation. It also includes the line numbers affected inside the file.
File Type: The type of configuration file. NOTE: Supported configuration files are Terraform, CloudFormation, Kubernetes, ARM Templates, Serverless, and Helm.
Details: Additional information regarding the IaC violation.
Code Security Report (SAST)
Selecting a code security findings type issue displays its details:
Latest Scan: A timestamp of the latest SAST scan of this repository.
Total Findings: The number of code security findings after the latest scan.
Tested Project Files: The number of files that were scanned during the latest scan.
Detected Programming Languages: The number of programming languages detected, whose files were scanned during the latest scan.
Check this box to manually trigger a scan: Checking this checkbox initiates a SAST scan for this repository.
A section for each scanned programming language contains:
Language name
A table with code security findings aggregated by CWE:
Severity: The severity of the CWE.
Vulnerability Type: A short description of the CWE type.
Count: The number of occurrences of this CWE in the code.
The Details section contains a link to the Mend SAST Application and a description of some of the findings with the highest severity.