Mend Support for Third-Party Commercial and Proprietary Components
Overview
On top of identifying open-source components, Mend.io supports detection, reporting, automated workflows, and policy enforcement for third-party commercial and proprietary components. Proprietary software is software distributed under a licensing agreement to authorized users, with restrictions on private modification, copying, and redistribution. Only the original authors of proprietary software can access, copy, and alter it; an end-user does not purchase the software itself, only the right to use it.
This support includes component detection for generating SBOMs and compliance information (proprietary licenses, copyrights, and notices).
Component Detection
Mend.io detects third-party commercial and proprietary components by matching the component file's SHA-1 digest against a catalog of known component digests. Because a SHA-1 digest changes with any change to the file's contents, a match identifies only a byte-for-byte identical copy of a catalogued component, so this detection method produces no false positives. The same property means a rebuilt or modified copy of a component has a different digest and is not matched by it.
License Detection
Mend.io categorizes each license into Open Source, Commercial or Proprietary, with support for hundreds of different open and proprietary license types. The Due Diligence report allows users to generate a list of components by license type and distinguish between open-source and non-open-source licenses, along with viewing additional compliance-related metadata.
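The following is an added example, not Mend.io's code, illustrating the two mechanisms described above: exact SHA-1 matching of scanned files against a catalog of known components, and grouping the matches by license category (Open Source, Commercial, Proprietary). The catalog, file contents, component names and licenses are all constructed for the example; a real catalog would come from a component database.

```python
import hashlib
from collections import defaultdict

# Constructed sample files standing in for scanned artifacts (not real components).
SAMPLE_FILES = {
    "vendor-sdk.dll": b"constructed bytes of a commercial SDK build 4.1",
    "parser.so": b"constructed bytes of an open-source parser library",
    "tool.bin": b"constructed bytes of a proprietary in-house tool",
    "unknown.bin": b"constructed bytes nobody has catalogued",
}


def sha1_hex(data: bytes) -> str:
    """SHA-1 digest of a file's contents as lowercase hex."""
    return hashlib.sha1(data).hexdigest()


# Constructed catalog: digest of a known component -> compliance metadata.
# Digests are derived from the sample bytes so the example runs offline.
KNOWN_COMPONENTS = {
    sha1_hex(b"constructed bytes of a commercial SDK build 4.1"):
        {"name": "vendor-sdk", "version": "4.1", "license": "Vendor EULA", "category": "Commercial"},
    sha1_hex(b"constructed bytes of an open-source parser library"):
        {"name": "parser", "version": "2.0", "license": "MIT", "category": "Open Source"},
    sha1_hex(b"constructed bytes of a proprietary in-house tool"):
        {"name": "tool", "version": "1.0", "license": "Internal", "category": "Proprietary"},
}


def detect(files: dict) -> dict:
    """Map each file name to the catalog entry whose SHA-1 matches exactly, else None.

    Exact-digest matching has no false positives: a file is reported only when its
    bytes are identical to a catalogued component. A modified or rebuilt copy
    therefore yields a different digest and is reported as unknown (None).
    """
    return {name: KNOWN_COMPONENTS.get(sha1_hex(data)) for name, data in files.items()}


def by_license_category(results: dict) -> dict:
    """Group detected files by license category, as a due-diligence listing would."""
    grouped = defaultdict(list)
    for name, entry in results.items():
        if entry is not None:
            grouped[entry["category"]].append(name)
    return dict(grouped)


if __name__ == "__main__":
    for category, names in by_license_category(detect(SAMPLE_FILES)).items():
        print(f"{category}: {', '.join(names)}")
```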