Determining Vulnerabilities - Unified Agent
Summary
While using Mend, you may want to scan Mend’s own Unified Agent to confirm that the product we provide does not contain any known open source vulnerabilities that could pose a security risk to you and your company. Mend understands this approach, but the results you receive from scanning the Unified Agent itself may be inaccurate. Below is some useful information on why this can happen when you scan the wss-unified-agent.jar file directly.
Scanning the Unified Agent
The Unified Agent is released as a jar file that bundles its dependencies. Scanning the jar file might not produce accurate information about those dependencies, because the jar does not carry the information a scan relies on, such as the project manifest files (pom.xml or settings.xml). To produce accurate results, a scan would need the project pom.xml, which Mend does not include in its releases.
Shifting Left
Keeping you secure is the priority for Mend. For this reason we scan each Unified Agent version before it is released, relying on the Maven resolver during the build phase, so that we can make sure the Unified Agent has no known vulnerabilities at release time. This aligns with the “shifting left” concept, which Mend recommends to all developers: scan source code as early in the Software Development Lifecycle (SDLC) as possible so that vulnerabilities are caught sooner rather than later. Currently, our build process looks something like:
Add or change relevant code for a Unified Agent version → Scan the Mend project with the Unified Agent → Build the project → release the wss-unified-agent.jar.
Scanning the Unified Agent itself any later in the SDLC flow will cause it to produce inaccurate results.
Checking version information properly
If you still want to check version information for direct dependencies, you can do the following:
Extract the wss-unified-agent.jar file.
Locate the directories for every dependency under the META-INF/maven folder.
Each directory will have a pom.properties file where you can get the proper version of the dependency.
Create your own pom.xml file with those direct dependencies and version.
Scan the newly created pom.xml file using the Maven package manager resolution.
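The steps above, automated as an added Python example that is not part of Mend’s documentation or tooling: it reads every META-INF/maven/<groupId>/<artifactId>/pom.properties entry inside a jar and renders a minimal pom.xml that declares those coordinates as direct dependencies, ready for a Maven-based scan. The jar it reads here is constructed inline with made-up coordinates; to use it for real, pass the bytes of wss-unified-agent.jar instead.

```python
import io
import zipfile
from xml.sax.saxutils import escape

def read_pom_properties(jar_bytes):
    """Return sorted (groupId, artifactId, version) tuples found under
    META-INF/maven/<groupId>/<artifactId>/pom.properties inside the jar."""
    deps = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:  # skip Java .properties comments
                    key, _, value = line.partition("=")
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"}.issubset(props):
                deps.add((props["groupId"], props["artifactId"], props["version"]))
    return sorted(deps)

def build_pom(deps):
    """Render a minimal pom.xml declaring the given coordinates as direct dependencies."""
    rows = "".join(
        f"    <dependency>\n      <groupId>{escape(g)}</groupId>\n"
        f"      <artifactId>{escape(a)}</artifactId>\n      <version>{escape(v)}</version>\n"
        "    </dependency>\n"
        for g, a, v in deps
    )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<project xmlns="http://maven.apache.org/POM/4.0.0">\n'
        "  <modelVersion>4.0.0</modelVersion>\n"
        "  <groupId>local.scan</groupId>\n  <artifactId>extracted-deps</artifactId>\n"
        "  <version>1.0</version>\n  <dependencies>\n" + rows + "  </dependencies>\n</project>\n"
    )

def make_sample_jar():
    """Constructed stand-in jar with two bundled dependencies (not the real agent jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/org.example/lib-a/pom.properties",
                     "#Generated by Maven\nversion=1.2.3\ngroupId=org.example\nartifactId=lib-a\n")
        jar.writestr("META-INF/maven/com.example/lib-b/pom.properties",
                     "groupId=com.example\nartifactId=lib-b\nversion=4.5.6\n")
        jar.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")  # ignored: not a descriptor
    return buf.getvalue()

if __name__ == "__main__":
    print(build_pom(read_pom_properties(make_sample_jar())))  # save this output as pom.xml
```

Only direct dependencies that ship their own pom.properties are listed; a Maven resolution scan of the generated pom.xml then pulls in their transitive dependencies.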
If you complete these steps and find vulnerabilities that concern you, please reach out to our Support team by opening a ticket and we will assist in resolving the issue.