Mend Platform Activation FAQ
The below video shows key differences between the Mend Legacy UI and the Mend Platform
Root Library Security view / OSS Tree License view
Exportable data in all views instead of reports
Labeling for diverse dashboard views
Enhanced SAST training and remediation
Scan History
Is any data migrated when access is provided to the Mend Platform?
SCA
There is no need for migration of data. Once the platform is enabled the customer can expect to have data in the Legacy UI and Mend Platform immediately. There is no downtime involved or effect on a customer's operations.
SAST
It is not recommended to migrate data unless suppressions are heavily used and all generation two engines have been enabled. Please reach out to your Customer Success Manager for a migration discussion.
Container
There is no need for migration of data if scanning container images using the Mend CLI .
If using the Unified Agent to scan container images it is recommended to move to the Mend CLI as the results will populate in the SCA tab instead of the Container tab and the CLI has enhanced accuracy.
Will API 2.0 and API 1.4 work with the Mend Platform?
Yes. API 2.0 and 1.4 will be fully functional with the Mend Platform for SCA results. API 3.0 is recommended when retrieving Container and SAST findings.
Is the Mend Platform available for Dedicated Instances?
The Mend Platform is only available for shared instances but will be available later in 2024 for dedicated instances.
What is the difference between labels and tags?
Tags are key-value pairs that are used to classify data for projects/applications. Tags can be applied manually in the Mend Legacy UI, Mend Platform UI, from the Unified Agent, or from API 1.4.
For example, a project could be tagged with the tag “repo-url” and a value of “https://github.com/myorg/myrepo” to indicate the source code of the project that was scanned.
Labels should be used to filter projects/applications and are applied manually in the Mend Platform, via the workflow engine, from the Mend CLI, or using API 3.0.
This project could also have a label with the value of “business-unit-a” so that the overall risk status of business-unit-a projects is easily visible in the Mend Platform dashboard views.
Customers should not try to migrate from tags to labels as they serve different functions.
Will my policies be migrated or viewable within the Mend Platform?
No. The Mend Platform uses a workflow engine to create violations or take other actions depending on the trigger type. The Platform has out-of-the-box workflows (coming soon) that would replace the majority of “reject” policies that may have been configured in the Legacy UI. The mapping table below shows which out-of-box(OOB) workflows are recommended to replace policies.
All reject replacement workflow can be modified with additions or used as-is to create a violation in the new Policy Violation Dashboard(coming soon)
Legacy UI Policy | Mend Platform OOB Workflow (Coming Soon) | OOB Workflow Description |
|---|---|---|
Reject - by License Group | Reject CopyLeft Licenses | Commonly rejected copyleft licenses. |
Reject - by Security Vulnerability or Score | Critical and High Reachable CVEs | CVSS Score 7+ Security Vulnerabilities with Reachability Status of True or Unknown |
Not available | Critical and High Supply Chain Vulnerabilities | CVSS Score 7+ Supply Chain Vulnerabilities (MSCs) |
Not available | Critical and High CVEs with EPSS >36 | CVSS Score 7+ Security Vulnerabilities with EPSS Score of >36 |
Reject - by Glob Pattern | Coming in 2024 | |
Reassign | Not planned for 2024 | |
Conditions | Not planned for 2024 | |
Issue | N/A | Can be added to any workflow as an action |
Approve | N/A | Use “Not In” to exclude applications/projects from a workflow |