The Dependencies Attribution Report

Overview

The Dependencies Attribution Report provides comprehensive compliance information on third-party software components managed in your application or project.

Getting It Done

There are 2 ways to generate an attribution report in the Mend Platform user interface:

1. Via the Reports page:

   

2. Via the Attribution page that can be accessed via the left-pane menu: Compliance → Attribution:
   Note that the left-pane menu shows up when you select the desired Application/Project.
   

   

Generate the Dependencies Attribution Report via the Reports Page

1. Click the Reports button located in the top bar of the Mend Platform user interface:

   

2. Click the Create button () located at the right edge of the Reports page.

3. Select Dependencies Attribution from the drop-down list of the Create Report wizard:

   

4. Scope - define the scope of the report by specifying the Application. You can also select the Project or projects within the application to include in the report:
   

   

   
   Note: For a scope of multiple projects, library selection can only be done via the Attribution page. For more information on that, please skip to the section about the Attribution page.
   

   

5. Configuration - specify the Report Name, Format (JSON/HTML) and Report Title:
   

   

   Use Group by to select whether to group the findings in the report by project or by library.
   Note: At this stage, you can click the [+] Advanced button for additional configuration settings.

6. Advanced
   

   

   
   a. You can add a Report Footer or Report Header for your report.
   b. You can decide how Handling missing license references is going to work: You can opt to Leave license blank or Reference generic license.
   c. Decide on the License text placement: Either in the Appendix or in the Licensing Section of the report.
   d. Reporting Scope allows you to select which columns to display in your attribution report:

   

   e. Under Extra Data, you can choose whether to Include Versions or not.

7. Notification - As with any report, you are given the option to get notified by email when the report is ready, by checking the Send me an email notification when this report is ready option.

8. Click Create

   

Generate the Dependencies Attribution Report via the Attribution Page

Navigate to the desired application or project and click ‘Attribution' on the left pane:

Preparing your Attribution Report - Filtering your Data

By default, all of the libraries in the application/project will be included in the report, however you can change this via the ‘Actions’ menu located at the right edge of the page. The ‘Actions’ menu supports bulk operations. See example below:

You can use the filter on the Library, Licenses, Copyrights, Notice and Selection columns to list libraries that meet certain criteria.
In the example below, libraries that have been previously excluded from the report will be listed alongside the included libraries:

In the next example, an additional criterion has been set, so only libraries that carry a BSD 2 or a BSD 3 license will be listed:

Note: As demonstrated above, filters from different columns can be combined to provide an advanced filtering experience. If you can’t find the libraries you were expecting to see, however, consider clearing previously set filters.

Preparing your Attribution Report - Overriding Copyrights and Notices

You can change the copyright of a library in your organization by clicking the Override Copyright button in the 'Copyrights' column:

Note: Some libraries do not have copyrights. They will be denoted by this icon: . Libraries with existing copyrights will be denoted by . You can set a custom copyright regardless.

This action will spawn the ‘Edit Copyright’ wizard. Choose ‘Custom Copyright’ to override the current copyright and fill in the required fields:

• Specify the relevant years, if applicable, by selecting Include Years

• Specify the copyright's Author

• Specify the copyright's Organization (mandatory)

• Add any relevant Additional Comments.

Note: The change will take effect at the organization level! Click ‘Update’ to confirm the change.

You can repeat this process for notices as well:

Note: The change will take effect at the organization level! Click ‘Update’ to confirm the change.

Note: Some libraries might not have notices. They will be denoted by this icon: . Libraries with existing notices will be denoted by . You can set a new notice regardless.

Reverting Copyrights

Once a library’s original copyright is overridden, a ‘Revert To Default’ button gets added to that library’s Edit Copyright wizard. Click it to go back to the original copyright provided by Mend.io.

Click ‘OK’ to confirm your selection to revert to the original copyright:

Every change performed by the user, be it an override or a reversion, will be accompanied by an Information Saved message at the bottom left corner of the screen, once successful:

Creating your Attribution Report

When you are done preparing your attribution report, click the ‘Create Report’ button () at the far edge of the page. This action will spawn the ‘Create Report’ wizard, so you can repeat the steps mentioned here, starting at step 5.

NOTE: The Create Report wizard, if spawned from the Attribution page, will contain an Included Libraries section (based on the previously set filters) which is not relevant when spawned from the Reports page.