Legal Compliance in Mend Container
Overview
This article focuses on the legal aspect of your application’s container images.
It will show you how to navigate the user interface to find relevant information and how to export the results so you can analyze them further and share them with your Legal department.
Getting it done
Legal View
To get to your container images' legal view, follow the steps depicted below:
Choose the application you wish to focus on.
In the Application view, go to Security → Containers.
Go to the Packages tab.
Toggle the Legal view on.

In the Legal view, clicking the Package Name itself will spawn the Package side-panel, while clicking a license listed in the Licenses column will spawn the License side-panel. Both are explained in the sections below.
The Package Side-Panel
The Package side-panel contains the available information about the selected package, with the top bar remaining constant regardless of the selected tab.
The top bar displays the package name, origin and engine on the left (1) and a navigation panel (2) on the right, which allows you to easily go to the next or previous packages in the view or close the side-panel:

The package information is organized in 5 tabs: Overview, Findings (default), Licenses, Copyrights, Notice.
Overview
The Overview tab displays the License Overview, which includes the following:
License Risk - displaying the Risk Level and Score.
Licenses - displaying the overall number of package licenses and their distribution by license risk level.

Findings
The Findings tab lists the findings relevant to the selected package. The following information is displayed for each finding:
CVE - The CVE ID
Severity - The CVE’s severity category (Low / Medium / High / Critical)
CVSS Score - The CVE’s CVSS score (representing severity).
EPSS Score - The CVE’s EPSS score (representing exploitability).

Licenses
Displays all the licenses of the selected package (the overall number of licenses will be denoted in brackets) and the available license information for each license, such as License name and License Risk.

Additional information about each license can be displayed or hidden using the Columns menu at the far edge of the screen.

Full list of available columns:
License
License Risk (optional)
License Reference (optional)
Assigned By (optional)
Comment (optional)
Copyrights
The Copyrights tab lists all the copyrights assigned to the selected package.
On the right, you have 2 buttons allowing you to assign a copyright for the selected package or revert to the original copyright recorded in the Mend.io database.

Assign Copyright
Note: Copyright changes will be applied across the entire organization.

Revert Copyrights
Note: Reverting the copyright(s) will apply across the entire organization.

Notice
Notices previously added to the selected package will be displayed here. You have the option to add a new notice by clicking the Add Notice button at the bottom:

Note: Notice changes will be applied across the entire organization.

The License Side-Panel
Clicking a license in the Legal view will spawn that license’s side-panel.

The license side-panel contains detailed information about the selected license, including:

Overview
License Risk - Risk category (Low / Medium / High / Critical) and Score
Link - Link to the official license text, e.g., https://www.gnu.org/licenses/old-licenses/gpl-2.0.html
OSD Compliant - Denoting whether the license was reviewed and approved by the respective authority.
Required Notices - Listing notice requirements, where applicable.
Each of the following sections can be expanded to reveal additional information, namely the Explanation and License text, as shown in the example below for Copyright Restrictiveness:
Copyright Restrictiveness
Patent & Royalty Restrictiveness
Copyleft
Linking
Royalty Free