
Creating Policies for Mend Repository License Checks

Policies are a legacy technology at Mend and should ONLY be used if you are using License Checks inside the Mend Repository Integration. Outside of this specific use case, if you have access to the Mend Platform, please use the Workflow Engine.

Overview

License Policy Violations raised through the Workflow Engine on the Mend Platform are not currently supported by the Mend Repository integration. License Policies must instead be set in the Legacy SCA UI and must follow a specific naming convention to be picked up. This document walks through setting up a simple initial policy to test License Checks.

What is a Policy?

Policies are a set of rules that are evaluated against your application's open source libraries after each scan and that trigger alerts on specific conditions, such as flagging a restrictive license in use within your application. Rules are evaluated in order, and evaluation stops at the first rule whose condition is met, so an earlier, broader policy can shadow a later one. For this reason, keep the number of policies to the minimum that captures your use case.

For in-depth information on the policy engine, see Managing Automated Policies.

For best practices for policies, see Best Practices for Mend SCA Policies.

Accessing the Legacy SCA Platform

The Legacy SCA platform can be accessed from any screen of the Mend Platform once you are logged in. Both environments exist side by side and no additional login is needed. For instructions on accessing the Legacy SCA Platform, see Navigating from the Mend Platform UI to the Legacy SCA Core Application UI.

Creating an Organization License Policy

From the Legacy SCA UI, click Policies on the top banner to access the Organizational Policies screen.


On the Organizational Policies screen, click Add Policy to move to the Add Policy screen.


Policies have three parts: a name, a match condition, and an action. For license policy checks to work in the repository integration, all of the following must be set:

  • Name

    • Must start with [License] in order to be detected by the repository integration

    • The rest of the name should be descriptive so developers know what caused the status check to fail

  • Match

    • Must be By License Group

  • Action

    • Set to Reject

Once those are set, click Add Licenses to pull up the Select License dialog.


In the dialog, enter the license name into the Value field, then click Filter to bring up the licenses that match that name.


After the search completes, select the desired licenses then click Ok.


Verify that the selected licenses are present in the policy, then click Add in the bottom right corner to add the policy. This does NOT save your policy; saving requires an additional step.


This takes you back to the Organizational Policies screen. Click Save to save your policy.


On the next scan by the repository integration, if License Checks are enabled and a package matches the policy, a failed check carrying the policy name and the offending package is displayed on the pull request.

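The two rules that matter for this procedure, first-match evaluation order (What is a Policy?) and the name/match/action convention the repository integration requires (the list above), are easy to get wrong in the UI and only show up as a silently missing status check. The following is an added example, not Mend's policy engine or any Mend API: a small model that applies those two rules to a constructed set of policies and libraries, so you can see why an earlier Approve policy shadows a later [License] Reject policy, and lint a policy for the three required settings before you click Save. All policy, library and license names in it are made up for illustration.

```python
"""Illustrative model of Mend-style license policy evaluation (added example).

Models only what the page states:
  * policies are evaluated in order and evaluation stops at the first match;
  * the repository integration surfaces a policy as a failed check only if its
    name starts with "[License]", it matches "By License Group" and its action
    is "Reject".
This is not Mend's engine; names and licenses below are constructed samples.
"""
from dataclasses import dataclass

LICENSE_PREFIX = "[License]"
REQUIRED_MATCH = "By License Group"
REQUIRED_ACTION = "Reject"


@dataclass(frozen=True)
class Policy:
    name: str
    match_type: str       # e.g. "By License Group"
    licenses: frozenset   # SPDX ids in the policy's license group
    action: str           # "Approve" or "Reject"

    def matches(self, lib_licenses) -> bool:
        """A By License Group policy matches if any library license is in the group."""
        return self.match_type == REQUIRED_MATCH and bool(self.licenses & set(lib_licenses))

    def visible_to_repo_integration(self) -> bool:
        """Only policies meeting all three conditions become a failed status check."""
        return not lint_policy(self)


@dataclass(frozen=True)
class Library:
    name: str
    licenses: tuple       # declared licenses, e.g. ("MIT",) or ("GPL-3.0", "MIT")


def lint_policy(policy: Policy) -> list:
    """Return the list of reasons the repository integration would ignore this policy."""
    problems = []
    if not policy.name.startswith(LICENSE_PREFIX):
        problems.append(f"name must start with '{LICENSE_PREFIX}'")
    if policy.match_type != REQUIRED_MATCH:
        problems.append(f"match must be '{REQUIRED_MATCH}'")
    if policy.action != REQUIRED_ACTION:
        problems.append(f"action must be '{REQUIRED_ACTION}'")
    return problems


def evaluate(policies, library: Library):
    """First-match semantics: return the first policy whose condition the library meets."""
    for policy in policies:
        if policy.matches(library.licenses):
            return policy
    return None


def repo_check(policies, libraries) -> list:
    """Simulate the PR status check: (library, policy name) pairs that would fail it."""
    failures = []
    for lib in libraries:
        hit = evaluate(policies, lib)
        if hit is not None and hit.visible_to_repo_integration():
            failures.append((lib.name, hit.name))
    return failures


# Constructed sample data (not real Mend license groups).
COPYLEFT = frozenset({"GPL-2.0", "GPL-3.0", "AGPL-3.0"})
POPULAR = frozenset({"MIT", "Apache-2.0", "GPL-3.0"})

REJECT_COPYLEFT = Policy(f"{LICENSE_PREFIX} Reject strong copyleft", REQUIRED_MATCH, COPYLEFT, "Reject")
APPROVE_POPULAR = Policy("Approve popular licenses", REQUIRED_MATCH, POPULAR, "Approve")
UNPREFIXED_REJECT = Policy("Reject copyleft", REQUIRED_MATCH, COPYLEFT, "Reject")

LIBRARIES = [
    Library("left-pad-gpl", ("GPL-3.0",)),
    Library("fast-json", ("MIT",)),
]

# Approve listed first: GPL-3.0 is in POPULAR, so the Reject policy is never reached.
POLICIES_SHADOWED = [APPROVE_POPULAR, REJECT_COPYLEFT]
# Reject listed first: the GPL library fails the check, MIT still gets approved.
POLICIES_ORDERED = [REJECT_COPYLEFT, APPROVE_POPULAR]
# Correct match and action but no "[License]" prefix: matches, yet no check appears.
POLICIES_UNPREFIXED = [UNPREFIXED_REJECT]

if __name__ == "__main__":
    for label, policies in (("shadowed", POLICIES_SHADOWED),
                            ("ordered", POLICIES_ORDERED),
                            ("unprefixed", POLICIES_UNPREFIXED)):
        print(label, "->", repo_check(policies, LIBRARIES))
    print("lint:", lint_policy(UNPREFIXED_REJECT))
```

Run it before saving a new policy: if `lint_policy` returns anything, the policy will be saved by the Legacy SCA UI but never appear as a status check, and if `repo_check` returns nothing for a library you expected to fail, look for an earlier policy that already matched it.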
