Azure DevOps Pipelines Integration
Overview
This integration is not currently supported for customers on a Mend On-Premises instance.
It is recommended to integrate into the pipeline with the Mend CLI or into the repository with Mend for Azure Repos for enhanced features.
The Azure DevOps Pipelines native integration is enabled via the Mend for Azure DevOps extension. It enables you to do the following:
Detect and remediate vulnerable open source components
Generate a comprehensive open-source inventory report per build
Enforce open source license compliance, including dependencies’ licenses
Identify outdated open-source libraries with recommendations to update
NOTES:
The extension maps an Azure DevOps Organization to a specified Mend Organization.
The extension maps an Azure DevOps Project (and all of its pipelines which are integrated with Mend) to a specified Mend Product. In order to map between an Azure DevOps Pipeline Build and a Mend Product, it is recommended to use the Unified Agent integration.
Support for Languages and Package Managers
The Azure DevOps Pipelines integration supports programming languages and package managers that are supported today by the Unified Agent Configuration.
Note the following current limitations:
Docker image scanning is not supported
Effective Usage Analysis capabilities are not supported
Prerequisites
Ensure the following:
Your Azure DevOps organization is connected to an Azure AD via Organization Settings → Azure Active Directory.
An activation key for a CI/CD Integration is available via the Mend application's Integrate tab.
The New Version alerts setting is enabled via Admin → Alert Settings. When disabled, no information is displayed in the Outdated Libraries tab of the Open source risk report.
If you are using a self-hosted build agent, note that running it behind a web proxy is not currently supported.
The relevant package manager used by your project is installed.
Make sure to whitelist the URL that is used by the extension to download the Unified Agent: unified-agent.jar
Installing the Extension
To install the extension, do as follows:
Click here. The Mend for Azure DevOps page is displayed
Click Get and follow the installation procedure
Activating the Extension
To activate the extension, do as follows:
To re-activate the extension using a different Mend account (activation key), uninstall the extension and then follow the instructions below.
After installing the extension, navigate to Organization Settings → Extensions → Mend within your Azure DevOps organization
An activation form for connecting to your Mend account is displayed. Enter the following details:
First name
Last name
Work email
Company name
Country
Activation key - navigate to Integrate → CI/CD Integration in the Mend application. Click the Generate Activation Key, and copy-paste the activation key. NOTE: If you are not a Mend administrator, you will need to get the activation key from the administrator.
Click Connect Account. Your extension is now connected to your Mend account
Configuring Organizational Settings
After completing the activation process, you can define the Mend mapping resolution; whether to map each Azure DevOps pipeline to a Mend project (which is the default behavior) or to map each run/build of the pipeline to a Mend project. This setting will be applied to all of your organization’s pipelines.
To define the Mend mapping resolution, do as follows:
Navigate to Organization Settings → Extensions → Mend
Select the Map Azure DevOps Pipelines to Mend Projects checkbox if you want each Azure DevOps pipeline to be mapped to a Mend project (by default, it is selected)
-Or-
Clear the checkbox to map only each run/build of the pipeline to a Mend project
Click Save
Configuring Project Settings
The default Mend Product that will be associated with your specific Azure DevOps Project is AZDO_[PROJECT_NAME]. To change the mapped Mend product, there are two available options:
Defining a New Mend Product
To define a new Mend product to be created and associated with your Azure DevOps project, do as follows:
Ensure that you followed the procedures in Activating the Extension
Navigate to your Azure DevOps project
Navigate to Project Settings → Extensions → Mend of the specific project
Enter the desired Mend product name in the Product name field. As you enter the name, it will simultaneously appear under the input field; click that name below
In the Add a new Product dialog box, click Add
Under the Product name box click Save
The new product will be created in the Mend application. Any build that will run in the specific Azure DevOps project will have results appear in the Mend application under the provided product name.
Selecting a Product From a List of Existing Mend Products
To select a product from a list of existing Mend products, do as follows:
Ensure that you followed the procedures in Activating the Extension
Navigate to your Azure DevOps project
Navigate to Project Settings → Extensions → Mend
Click the input field of the Product name to display the list of the existing Mend products
Select a product from the list. Once selected, it should be displayed in the input field. Click Save.
Any build that will run in the specific Azure DevOps project will have results appear in the Mend application under the provided existing Mend product.
Existing Mend scans that were triggered before changing the Mend product name will remain under the previously-set Mend product.
Adding a Mend Build Task to Your Pipeline
After completing the relevant settings, all is set for adding a Mend build task to the pipeline. Do as follows:
Go to the relevant Azure DevOps project for which you want Mend to run
Inside your Azure DevOps project, from the sidebar, click Pipelines. The Pipelines page is displayed
Click the relevant pipeline. The specific pipeline page is displayed
Click Edit. Do one of the following procedures:
This activates the Mend integration on your build pipeline
NOTE: Adding a pre-step build task is not necessary in order for Mend to successfully scan the build repository. Mend by default runs a pre-step command as part of the Mend task.
Adding a Build Task to a YAML Pipeline
In the pipeline edit page, from the right side, click Show assistant. The Tasks sidebar is displayed.
In the search bar, enter Mend. The Mend task is displayed
Click the Mend task
From the bottom right corner, click Add. The Mend task is added to the pipeline
```yaml
- task: WhiteSource@21
```
(Optional) To specify the name of the Mend project to be created, add the following to the Mend task. In the following example, replace New_Project_Name with the name you want to give your Mend project:
NOTE: When the Map Azure DevOps Pipelines to Mend Projects checkbox from Organization Settings → Extensions → Mend is selected, you will be unable to change the project name after the first build run.
```yaml
- task: WhiteSource@21
  inputs:
    cwd: '$(System.DefaultWorkingDirectory)'
    projectName: 'New_Project_Name'
```
(Optional) To specify custom Unified Agent Configuration parameters, add all parameters in the Mend Configuration field (ensure each parameter along with its value is provided on a separate line). In the following example, under configuration, provide all relevant parameters.
NOTE: The parameters used here overwrite the default configuration parameters. Configuration parameters that were not provided will use the default values as described here.
```yaml
- task: WhiteSource@21
  inputs:
    cwd: '$(System.DefaultWorkingDirectory)'
    configuration: |
      npm.resolveDependencies=true
      maven.resolveDependencies=true
```
Click Save & queue
NOTE: The Mend task can be moved to other locations within the steps section, depending on your preferences.
Adding a Build Task to a Classic Pipeline
To add a task to the Agent Job, click the plus (“+”) sign next to the agent job section. The Add Tasks section is displayed
In the search bar, enter Mend. The Mend task is displayed
Click the Mend tab, and then click Add. The Mend task is added to the pipeline
(Optional) To specify the name of the Mend project to be created, enter the name in the Project name field
NOTE: When the Map Azure DevOps Pipelines to Mend Projects checkbox from Organization Settings → Extensions → Mend is selected, you will be unable to change the project name after the first build run.
(Optional) To specify custom Unified Agent Configuration parameters, add all parameters in the Mend Configuration field (ensure each parameter name along with its value is provided on a separate line)
NOTE: The parameters used here overwrite the default configuration parameters. Configuration parameters that were not provided will use the default values as described here.
Click Save & queue
NOTE: The Mend task can be moved to other locations within the steps section, depending on your preferences.
Excluded Parameters for the Azure Extension
The following parameters are not allowed for inclusion in the Azure Extension for the YAML or Classic pipeline:
apiKey
userKey
wss.url
projectToken
productName
productVersion
projectVersion
productToken
scanComment
offline
generateScanReport
scanReportTimeoutMinutes
generateProjectDetailsJson
scm.*
serverless.*
docker.*
hex.aggregate
sbt.aggregate
maven.aggregate
gradle.aggregate
ocaml.aggregate
projectPerFolder
Configuring Scan Settings for Your Pipeline
Note: When using the Azure DevOps pipelines integration and setting resolveAllDependencies=false, the dependency resolution is not disabled. The user must disable each resolver separately (for example, maven.resolveDependencies=false and gradle.resolveDependencies=false, etc.) to achieve the resolveAllDependencies=false functionality.
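The two points above, the parameters the extension refuses and the resolveAllDependencies=false caveat, are easy to get wrong by hand. The following is an added example (not code from Mend or from this documentation) of a small linter you can run over the text you intend to paste into the Mend Configuration field or the YAML `configuration: |` block before committing it. It treats the page's excluded-parameter list (including the scm.*, serverless.* and docker.* wildcard families) as a denylist, and warns when resolveAllDependencies=false is set without the per-resolver flags. The RESOLVER_FLAGS list and all sample configurations are assumptions constructed for the example; extend the list with the resolvers your own builds use.

```python
"""Lint a Mend configuration block for the Azure DevOps Pipelines integration.

Added example, not part of the Mend extension or its documentation.
"""
import fnmatch

# Parameters this page lists as not allowed in the Azure extension
# (YAML or Classic pipeline). Entries with '*' are wildcard families.
EXCLUDED_PARAMETERS = [
    "apiKey", "userKey", "wss.url", "projectToken", "productName",
    "productVersion", "projectVersion", "productToken", "scanComment",
    "offline", "generateScanReport", "scanReportTimeoutMinutes",
    "generateProjectDetailsJson", "scm.*", "serverless.*", "docker.*",
    "hex.aggregate", "sbt.aggregate", "maven.aggregate", "gradle.aggregate",
    "ocaml.aggregate", "projectPerFolder",
]

# Per-resolver switches that must each be set to false, because the
# integration does not honour resolveAllDependencies=false. npm, maven and
# gradle are the ones named on this page; the list is an assumption to extend.
RESOLVER_FLAGS = [
    "npm.resolveDependencies",
    "maven.resolveDependencies",
    "gradle.resolveDependencies",
]


def parse_configuration(text):
    """Parse 'key=value' lines (one parameter per line, as the field requires).

    Returns (params, problems). Blank lines and '#' comments are ignored.
    """
    params = {}
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: expected key=value, got {line!r}")
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params, problems


def is_excluded(key):
    """True if the key matches an excluded parameter or wildcard family."""
    return any(fnmatch.fnmatchcase(key, pattern) for pattern in EXCLUDED_PARAMETERS)


def lint_configuration(text):
    """Return a list of human-readable problems; an empty list means clean."""
    params, problems = parse_configuration(text)
    for key in params:
        if is_excluded(key):
            problems.append(
                f"{key}: not allowed in the Azure DevOps extension "
                "(the extension sets this itself)"
            )
    if params.get("resolveAllDependencies", "").lower() == "false":
        missing = [f for f in RESOLVER_FLAGS if params.get(f, "").lower() != "false"]
        if missing:
            problems.append(
                "resolveAllDependencies=false is not honoured by this "
                "integration; also set " + ", ".join(f"{f}=false" for f in missing)
            )
    return problems


# Constructed sample inputs for the example.
SAMPLE_OK = "npm.resolveDependencies=true\nmaven.resolveDependencies=true\n"
SAMPLE_BAD = (
    "apiKey=REPLACE_ME\n"            # excluded: credentials are managed by the extension
    "docker.includes=.*\n"           # excluded: docker.* family (scanning unsupported here)
    "resolveAllDependencies=false\n" # not honoured; needs per-resolver flags
    "maven.resolveDependencies=false\n"
)

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(f"--- {name}")
        for problem in lint_configuration(sample) or ["no problems found"]:
            print(problem)
```

Run it as a pre-commit hook or a first pipeline step that fails the build when the list is non-empty; rejecting an apiKey or userKey line early also keeps credentials out of pipeline YAML, where they do not belong in this integration.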
The default scan settings for the Azure DevOps Pipelines integration are described in the Unified Agent Configuration Parameters for Native Integrations except for the following parameters:
Includes/Excludes Glob Patterns
excludes=**/*sources.jar **/*javadoc.jar **/tests/**
Viewing the Mend Report
The Mend report comprises four tabs: Inventory, Outdated Libraries, Security Vulnerabilities, and License Risks. You can view the Mend report by following these steps:
Ensure that you followed the procedures in Activating the Extension and Adding a Mend Build Task to Your Pipeline.
Go to the specific build’s results page for your project, and click the Mend tab. The Mend open-source Risk Report is displayed.
Understanding the Report
Security Summary
A summary of detected open-source vulnerabilities and the libraries that contain them.
Name | Description |
---|---|
Vulnerability Risk | The overall risk level for your inventory. Can be High, Medium, Low, No Risk. |
Vulnerable Libraries | Displays the total number of vulnerable libraries. |
Severity Distribution | Provides a breakdown of the vulnerabilities according to their severity level. |
Inventory Tab
An inventory of all the detected open-source libraries.
Name | Description |
---|---|
Library | The name of the open-source library linking to the Library Details page in the Mend application. |
Licenses | Lists licenses detected for each library, and links to their license descriptions. |
Outdated Libraries
Libraries that have not been updated to their newest available versions.
Name | Description |
---|---|
Library | The name of the outdated library, linking to the Library Details page in the Mend application. |
Your version | The version number of the outdated library. |
Newest stable version | The library’s most up-to-date version number. |
Security Vulnerabilities
A table listing all security vulnerabilities.
Name | Description |
---|---|
Severity | The severity of the vulnerability. Consists of: |
Vulnerability | The vulnerability identifier linking to the Mend vulnerability lab, containing more information. |
Date | The vulnerability publish date. |
Library | The name of the open-source library containing the vulnerability, linking to the Library Details page in the Mend application. |
Top Fix | The top-rated remediation advice that Mend recommends for each vulnerability. A condensed description of the recommended course of action is given, followed by a link to a broader description. |
License Risks
The License Risk Table displays a summary of open-source components’ license types and their associated risk including the number of occurrences.
Name | Description |
---|---|
License | The license detected as part of the inventory linking to its license description. |
Risk | The risk associated with the license. Values are H (high), M (medium), L (low). In case of unknown risk, no risk is displayed. |
Occurrences | In how many libraries this license occurs. |
Additionally, the following charts are displayed:
The License Distribution chart displays the distribution of licenses across the inventory.
The License Risk Distribution chart breaks down the number of licenses by their risk level. Unknown risk level means the license risk was not analyzed by Mend.