
The Dependencies Risk Report

Overview

The Dependencies Risk Report, accessible via your Mend Platform’s main navigation, highlights critical insights into the security and maintenance of your project’s open-source libraries. It identifies vulnerable and outdated libraries, providing details on severity levels, available fixes, and license risks. The report delivers clear and actionable data to help maintain the security and compliance of your projects.

Getting it done

You can generate the report via the Reports page.

  1. Click the Reports button located in the top bar of the Mend Platform user interface.

  2. Click the Create button at the top-right edge of the Reports page.

  3. Select Dependencies Risk from the drop-down list of the Create Report wizard.

  4. Scope - Define the report's scope by specifying the application. You can refine the scope by selecting one or more projects within that application.

  5. Configuration - Specify the Report Name. The Format is PDF.

  6. Notification - To be notified by email when the report is ready, select the Send me an email notification when this report is ready checkbox.

  7. Click Create.

Understanding the Dependencies Risk Report

The Dependencies Risk Report provides a detailed analysis of the open-source libraries used in your project. It highlights key information on security vulnerabilities, outdated libraries, and licensing risks.

Key Sections of the Report:

  1. Library Overview

    • A summary of all libraries in your project, showing direct dependencies and any indirect dependencies if applicable.

  2. Vulnerabilities and Severity Levels

    • Security vulnerabilities are broken down by severity: Critical, High, Medium, and Low.

    • The age of each vulnerability is also displayed, that is, how long it has been present in the codebase.

  3. Outdated Libraries

    • Identifies libraries that are one or more versions behind, detailing how far behind each library is from the latest release.

  4. License Risk and Compliance

    • Assesses the legal risks associated with the licenses governing your libraries and flags those that might pose compliance risks. Licenses are classified by risk level (Low, Medium, High).

  5. Fix Availability

    • The report provides information on whether a fix or update is available for each detected vulnerability or outdated library.

  6. Detailed Vulnerability Information

    • Lists each vulnerability with the following:

      • The CVE (Common Vulnerabilities and Exposures) ID.

      • A description of the issue.

      • The affected library version.

      • The latest stable version that contains a fix.

  7. Project Association

    • Each vulnerability and outdated library is linked to the specific project or repository where it was detected.
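
The following script is an added illustration and is not part of Mend's documentation or product code. It derives the metrics the report sections above describe (severity counts, vulnerability age, versions behind, fix availability, license risk, project association) from a constructed dependency inventory; the inventory, the license-to-risk mapping, the reference date and the CVE ids are constructed placeholders, and version ordering is taken from the listed release history rather than parsed.

```python
from collections import Counter
from datetime import date

# Constructed reference date for age calculations (assumption, not real data).
AS_OF = date(2024, 9, 20)

# Constructed inventory; CVE ids are placeholders, not real identifiers.
LIBRARIES = [
    {"name": "libalpha", "version": "1.2.0", "releases": ["1.2.0", "1.3.0", "2.0.0"],
     "license": "MIT", "project": "web-frontend",
     "vulns": [{"id": "CVE-0000-0001", "severity": "Critical",
                "first_seen": date(2024, 6, 1), "fixed_in": "1.3.0"}]},
    {"name": "libbeta", "version": "4.1.1", "releases": ["4.1.1"],
     "license": "GPL-3.0", "project": "api-server",
     "vulns": [{"id": "CVE-0000-0002", "severity": "High",
                "first_seen": date(2024, 9, 10), "fixed_in": None}]},
    {"name": "libgamma", "version": "0.9.0", "releases": ["0.9.0", "0.9.1"],
     "license": "Apache-2.0", "project": "api-server", "vulns": []},
]

# Assumed license risk classification (Low / Medium / High); not Mend's policy.
LICENSE_RISK = {"MIT": "Low", "Apache-2.0": "Low", "LGPL-3.0": "Medium", "GPL-3.0": "High"}


def severity_counts(libs):
    """Vulnerabilities broken down by severity level across all libraries."""
    return Counter(v["severity"] for lib in libs for v in lib["vulns"])


def vuln_age_days(vuln, as_of=AS_OF):
    """How long a vulnerability has been present, in days, as of the reference date."""
    return (as_of - vuln["first_seen"]).days


def versions_behind(lib):
    """Number of releases published after the version in use (0 means up to date)."""
    releases = lib["releases"]
    return len(releases) - 1 - releases.index(lib["version"])


def outdated(libs):
    """Names of libraries that are one or more versions behind the latest release."""
    return [lib["name"] for lib in libs if versions_behind(lib) > 0]


def license_risk(lib):
    """Risk level of the governing license; unknown licenses are treated as High."""
    return LICENSE_RISK.get(lib["license"], "High")


def report_rows(libs, as_of=AS_OF):
    """One row per detected vulnerability, linked to its library and project."""
    return [{"project": lib["project"], "library": lib["name"], "version": lib["version"],
             "cve": v["id"], "severity": v["severity"], "age_days": vuln_age_days(v, as_of),
             "fix_available": v["fixed_in"] is not None, "fixed_in": v["fixed_in"],
             "versions_behind": versions_behind(lib), "license_risk": license_risk(lib)}
            for lib in libs for v in lib["vulns"]]
```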
