Overview
The Container Image Due Diligence Report, accessible via your Mend Platform’s main navigation, assesses the compliance of software components in your container images. It evaluates each package, assigning a risk score that highlights vulnerabilities and legal risks based on licensing.
Getting it done
You can generate the report via the Reports page.
- Click the Reports button located in the top bar of the Mend Platform user interface.
- Click the Create button at the top-right edge of the Reports page.
- Select Container Image Due Diligence from the drop-down list of the Create Report wizard.
- Scope - Define the report's scope by specifying the application. You can refine the scope by selecting one or more projects within that application.
- Configuration - Specify the Report Name and Format (JSON/XML).
- Click Create.
Understanding the Container Image Due Diligence Report
The Container Image Due Diligence Report includes a comprehensive analysis of the open-source packages and libraries found in the container image.
Example of the report in table format:
| Type | Risk Score | Package Name | License Reference | Copyright | Author | Homepage | Project Name | Application Name | License Name |
|-------------|------------|--------------------------------|-------------------|-------------------------------|----------------------------|--------------------------|--------------|-----------------|--------------|
| Open Source | 78 | debian-archive-keyring-2023.3 | N/A | N/A | N/A | N/A | nginx | ECR Test Env | GPL-3.0 |
| Open Source | 0 | perl-base-5.36.0-7 | N/A | N/A | N/A | N/A | nginx | ECR Test Env | Artistic |
| Open Source | 39 | libsmartcols1-2.38.1-5+b1 | N/A | N/A | N/A | N/A | nginx | ECR Test Env | BSD-3-Clause |
Example breakdown:
- Type: Describes the type of software, typically whether it is open-source or proprietary.
- Risk Score: The overall risk score assigned to the package, indicating the level of security or compliance risk.
- Package Name: The name and version of the software package.
- License Reference: A link or identifier for the specific license.
- Copyright: The entity or individuals holding the copyright to the package.
- Author: The creator or maintainer of the software.
- Homepage: The official website or page for the software.
- Project Name: The name of the project associated with the software.
- Application Name: The name of the application using the package.
- License Name: Name of the license under which the library is distributed.
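As an added example (not Mend's own code or export schema), the following Python triages a JSON export of this report against a simple policy: it flags packages whose Risk Score meets a threshold, packages under a restricted license, and packages with no identified license. The JSON field names, the threshold and the restricted-license set are assumptions; the sample rows are constructed from the table above.

```python
import json
from dataclasses import dataclass

# Constructed sample modelled on the three table rows above. The JSON field
# names are an assumption for illustration; the real export schema is not shown.
SAMPLE_REPORT = json.dumps([
    {"type": "Open Source", "riskScore": 78, "packageName": "debian-archive-keyring-2023.3",
     "licenseReference": "N/A", "projectName": "nginx", "applicationName": "ECR Test Env",
     "licenseName": "GPL-3.0"},
    {"type": "Open Source", "riskScore": 0, "packageName": "perl-base-5.36.0-7",
     "licenseReference": "N/A", "projectName": "nginx", "applicationName": "ECR Test Env",
     "licenseName": "Artistic"},
    {"type": "Open Source", "riskScore": 39, "packageName": "libsmartcols1-2.38.1-5+b1",
     "licenseReference": "N/A", "projectName": "nginx", "applicationName": "ECR Test Env",
     "licenseName": "BSD-3-Clause"},
])

# Hypothetical policy knobs a team would tune to its own risk appetite.
RISK_THRESHOLD = 50
RESTRICTED_LICENSES = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}


@dataclass(frozen=True)
class Finding:
    package: str
    reason: str


def triage(report_json: str, threshold: int = RISK_THRESHOLD) -> list[Finding]:
    """Return one Finding per policy violation found in the report."""
    findings: list[Finding] = []
    for pkg in json.loads(report_json):
        name = pkg.get("packageName", "<unknown>")
        score = int(pkg.get("riskScore", 0))
        lic = pkg.get("licenseName", "N/A")
        if score >= threshold:
            findings.append(Finding(name, f"risk score {score} >= {threshold}"))
        if lic in RESTRICTED_LICENSES:
            findings.append(Finding(name, f"restricted license {lic}"))
        if lic == "N/A":
            findings.append(Finding(name, "no license identified"))
    return findings


def by_package(findings: list[Finding]) -> dict[str, list[str]]:
    """Group reasons per package so a CI gate can print one line per offender."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.package, []).append(f.reason)
    return grouped
```

Calling `by_package(triage(SAMPLE_REPORT))` on the sample flags only the keyring package (high score and restricted license); lowering the threshold to 30 also pulls in the BSD-licensed package on score alone.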