Legal Compliance in Mend Container

Overview

This article focuses on the legal aspect of your application’s container images.

It will show you how to navigate the user interface to find relevant information and how to export the results so you can analyze them further and share them with your Legal department.

Getting it done

Legal View

To get to your container images' legal view, follow the steps depicted below:

1. Choose the application you wish to focus on.

2. In the Application view, go to Security → Containers.

3. Go to the Packages tab.

4. Toggle the Legal view on.

In the Legal view, clicking the Package Name itself will spawn the Package side-panel while clicking a license listed in the Licenses column will spawn the License side-panel, both of which will be explained in the sections below.

The Package Side-Panel

The Package side-panel contains the available information about the selected package, with the top bar remaining constant regardless of the selected tab.
The top bar displays the package name, origin and engine on the left (1) and a navigation panel (2) on the right, which allows you to easily go to the next or previous packages in the view or close the side-panel:

The package information is organized in 5 tabs: Overview, Findings (default), Licenses, Copyrights, Notice.

Overview

The Overview tab displays the License Overview, which includes the following:

1. License Risk - displaying the Risk Level and Score.

2. Licenses - displaying the overall number of package licenses and their distribution by license risk level.

Findings

The Findings tab lists the findings relevant to the selected package. The following information is displayed for each finding:

1. CVE - The CVE ID

2. Severity - The CVE’s severity category (Low / Medium / High / Critical)

3. CVSS Score - The CVE’s CVSS score (representing severity).

4. EPSS Score - The CVE’s EPSS score (representing exploitability).

Licenses

Displays all the licenses of the selected package (the overall number of licenses will be denoted in brackets) and the available license information for each license, such as License name and License Risk.

Additional information about each license can be displayed or hidden using the Columns menu at the far edge of the screen.

Full list of available columns:

1. License

2. License Risk (optional)

3. License Reference (optional)

4. Assigned By (optional)

5. Comment (optional)

Copyrights

The Copyrights tab lists all the copyrights assigned to the selected package.

On the right, you have 2 buttons allowing you to assign a copyright for the selected package or revert to the original copyright recorded in the Mend.io database.

Assign Copyright

Note: Copyright changes will be applied across the entire organization.

Revert Copyrights

Note: Reverting the copyright(s) will apply across the entire organization.

Notice

Notices previously added to the selected package will be displayed here. You have the option to add a new notice by clicking the Add Notice button at the bottom:

Note: Notice changes will be applied across the entire organization.

The License Side-Panel

Clicking a license in the Legal view will spawn that license’s side-panel.

The license side-panel contains robust information about the selected license, including:

• Overview

  • License Risk - Risk category (Low / Medium / High / Critical and Score

  • Link - Link to the official license text, e.g., https://www.gnu.org/licenses/old-licenses/gpl-2.0.html

  • OSD Compliant - Denoting whether the license was reviewed and approved by the respective authority.
    

    

• Required Notices - Listing notice requirements, where applicable.

  

  Each of the following sections can be expanded to reveal additional information, namely the Explanation and License text, as shown in the example below for Copyright Restrictiveness:

• Copyright Restrictiveness

  

• Patent & Royalty Restrictiveness

• Copyleft

• Linking

• Royalty Free