The Dependencies Risk Report

Overview

The Dependencies Risk Report, accessible via your Mend Platform’s main navigation, highlights critical insights into the security and maintenance of your application or project’s open-source libraries. It identifies vulnerable and outdated libraries, providing details on severity levels, available fixes, and license risks. The report delivers clear and actionable data to help maintain the security and compliance of your applications.

Getting it done

You can generate the report via the Reports page.

1. Click the Reports button located in the top bar of the Mend Platform user interface:

   

2. Click the Create button ( ) at the top-right edge of the Reports page.

   

3. Select Dependencies Risk from the drop-down list of the Create Report wizard:

   

4. Scope - Define the report's scope by specifying the application. You can refine the scope by selecting one or more projects within that application.

   

5. Configuration - Specify the Report Name. The Format is PDF.

   

6. Notification – Get notified by email when the report is ready by selecting the Send me an email notification when this report is ready checkbox.

7. Click Create.

   

8. Once the report is ready, you can download its .pdf from the main Reports page:

Understanding the Dependencies Risk Report

The Dependencies Risk Report provides a detailed analysis of the open-source libraries used in your application / project. It highlights key information on security vulnerabilities, outdated libraries, and licensing risks.
Example of the first page of the report:

Note: The first page of the report will include information about the selected scope [Organization / Application / Projects(s)], the creation date and various security and license risk related metrics.

Key Sections of the Report

• General Overview
  The General Overview section of the report provides a summary of all the libraries in your application / project.
  Project - The project within the application for which the summary is displayed.
  Libraries - Displays the overall number of dependencies in the project, the number of direct dependencies, and the number of indirect dependencies (where applicable).
  Licenses - Displays the overall number of licenses in the project alongside the risky licenses.
  Security - Displays the overall number of vulnerabilities in the project alongside the outdated libraries.
  Last Scan - Applicable for application and project-level reports only, this column displays the date of the most recent scan performed on each project.

• Security Vulnerabilities
  Security vulnerabilities are broken down by severity—Critical, High, Medium, and Low.
  The aging of vulnerabilities is also displayed, such as how long they’ve been present in the codebase.

• Outdated Libraries
  Identifies outdated libraries by one or more versions, detailing how far behind each library is from the latest release.

• License Risk and Compliance
  Assesses the legal risks associated with the licenses governing your libraries and flags those that might pose compliance risks. Licenses are classified by risk level (Low, Medium, High).

• Fix Availability
  The report provides information on whether a fix or update is available for each detected vulnerability or outdated library.

• Detailed Vulnerability Information
  Lists each vulnerability with the following:
  The CVE (Common Vulnerabilities and Exposures) ID.
  A description of the issue.
  The affected library version.
  The latest stable version contains a fix.

• Project Association
  Each vulnerability and outdated library is linked to the specific project or repository where it was detected.