Mend Support for Third-Party Commercial and Closed Source Components
Overview
On top of identifying open-source components, Mend supports detection, reporting, automated workflows, and policy enforcement for third-party commercial and closed-source components. Closed-source software (sometimes referred to as proprietary software) is software distributed under a licensing agreement to authorized users, with restrictions on private modification, copying, and redistribution. Only the original authors of closed-source software can access, copy, and alter it. An end user does not purchase the software itself but the right to use it.
This support includes component detection for generating SBOMs and compliance information (closed-source licenses, copyrights, and notices).
Component Detection
Mend detects third-party commercial and closed-source components using the component's SHA-1 signature. The match is exact: any change to a component's bytes produces a different hash, so this detection method yields no false positives (a modified copy of a catalogued component will simply not match).
License Detection
Mend categorizes each license into Open Source, Commercial or Closed Source, with support for hundreds of different open and closed-source license types. The Due Diligence report allows users to generate a list of components by license type and distinguish between open-source and non-open-source licenses, along with viewing additional compliance-related metadata.
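The two mechanisms described above, exact-hash component identification and grouping the results by license category, can be illustrated with a small script. This is an added example, not Mend's code or data: the component bytes, the fingerprint inventory, the license names and the category mapping are all constructed for illustration, and the function names are the example's own.

```python
"""Exact-hash component identification with a license-category roll-up.

Added example, not Mend's code. The inventory, component bytes and license
categories below are constructed for illustration only.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List, Optional


def sha1_hex(data: bytes) -> str:
    """Return the SHA-1 hex digest of a component's bytes."""
    return hashlib.sha1(data).hexdigest()


# Constructed stand-ins for binary component files.
ARTIFACT_OSS = b"example open-source library build 4.1\n"
ARTIFACT_COMMERCIAL = b"example commercial SDK build 2.3\n"
ARTIFACT_CLOSED = b"example closed-source driver build 1.0\n"

# Constructed fingerprint database: SHA-1 hex digest -> component metadata.
# A real tool would load a vendor-maintained signature set; these entries are made up.
INVENTORY: Dict[str, dict] = {
    sha1_hex(ARTIFACT_OSS): {"name": "oss-lib", "version": "4.1", "license": "Apache-2.0"},
    sha1_hex(ARTIFACT_COMMERCIAL): {"name": "vendor-sdk", "version": "2.3", "license": "Vendor-EULA"},
    sha1_hex(ARTIFACT_CLOSED): {"name": "closed-driver", "version": "1.0", "license": "Proprietary"},
}

# Constructed license -> category mapping (Open Source / Commercial / Closed Source).
LICENSE_CATEGORY: Dict[str, str] = {
    "Apache-2.0": "Open Source",
    "MIT": "Open Source",
    "Vendor-EULA": "Commercial",
    "Proprietary": "Closed Source",
}


def identify(data: bytes) -> Optional[dict]:
    """Exact-match lookup: the bytes must hash to a catalogued digest.

    No false positives: a hit means the bytes are identical to the catalogued
    component. A single changed byte yields a different digest and no match.
    """
    return INVENTORY.get(sha1_hex(data))


def license_category(license_name: str) -> str:
    """Map a license identifier to its category; unknown licenses are flagged."""
    return LICENSE_CATEGORY.get(license_name, "Unknown")


def due_diligence(artifacts: List[bytes]) -> Dict[str, List[str]]:
    """Group identified components by license category.

    Unidentified artifacts are listed by digest under "Unidentified" rather
    than dropped, so a reviewer can see what the exact-hash lookup missed.
    """
    report: Dict[str, List[str]] = defaultdict(list)
    for data in artifacts:
        meta = identify(data)
        if meta is None:
            report["Unidentified"].append(sha1_hex(data))
        else:
            report[license_category(meta["license"])].append(f"{meta['name']}@{meta['version']}")
    return dict(report)


def non_open_source(report: Dict[str, List[str]]) -> List[str]:
    """Return the components whose license is Commercial or Closed Source."""
    return sorted(
        name
        for category, names in report.items()
        if category in ("Commercial", "Closed Source")
        for name in names
    )


if __name__ == "__main__":
    # One changed byte in an otherwise known component: exact matching reports no hit.
    tampered = ARTIFACT_CLOSED.replace(b"1.0", b"1.1")
    scan = due_diligence([ARTIFACT_OSS, ARTIFACT_COMMERCIAL, ARTIFACT_CLOSED, tampered])
    for category, items in sorted(scan.items()):
        print(category, items)
    print("non-open-source:", non_open_source(scan))
```

The "Unidentified" bucket is the practical counterpart of the no-false-positives property: an exact hash lookup never misattributes a component, but it also cannot recognise a rebuilt or patched copy, so anything that falls through still needs a reviewer's attention rather than being treated as absent.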