Home / Managing Open-source security and license with Mend (formerly WhiteSource)

Overview

Mend (formerly WhiteSource) is the leader in continuous open source software security and compliance management. Mend integrates into your build process, irrespective of your programming languages, build tools, or development environments. It works automatically, continuously, and silently in the background, checking the security, licensing, and quality of your open source components against WhiteSource constantly-updated definitive database of open source repositories.

Mend provides Mend Bolt, a lightweight open source security and management solution developed specifically for integration with Azure DevOps and Azure DevOps Server. It works per project and does not offer real-time alert capabilities like the Full platform which is generally recommended for larger development teams, wanting to automate their open source management throughout the entire software development lifecycle (from the repositories to post-deployment stages) and across all projects and products.

What’s covered in this lab

This lab shows how you can use Mend Bolt with Azure DevOps to automatically detect alerts on vulnerable open source components, outdated libraries, and license compliance issues in your code. You will be using WebGoat, a deliberately insecure web application, maintained by OWASP designed to teach web application security lessons.

Azure DevOps integration with Mend Bolt will enable you to:

  1. Detect and remedy vulnerable open source components.
  2. Generate comprehensive open source inventory reports per project or build.
  3. Enforce open source license compliance, including dependencies’ licenses.
  4. Identify outdated open source libraries with recommendations to update.

Before you begin

  1. Refer the Getting Started page before you follow the exercises.

  2. Use Azure DevOps Demo Generator to provision the WhiteSource project on your Azure DevOps Organization.

Exercise 1: Activate Mend Bolt

Prerequisites to integrate Azure DevOps with Mend

Ensure the following:

  1. Your Azure DevOps organization is connected to an Azure AD via Organization Settings > Azure Active Directory.

    ADO-ADConnect

  2. In your Azure DevOps navigate to Organization Settings and select Mend under Extensions. Provide your Work Email, Company Name and other details and click Create Account button to start using the Free version.

    Mendboltactivation

Exercise 2: Trigger a build

You have a Java code provisioned by the Azure DevOps demo generator. You will use Mend Bolt extension to check the vulnerable components present in this code.

  1. Go to Pipelines section under Pipelines tab, select the build definition WhiteSourceBolt and click on Run pipeline to trigger a build. Click Run (leave defaults).

    build-def

  2. To view the build in progress status, click on job named Phase 1.

    inprogress_build

    queue-build

  3. While the build is in progress, let’s explore the build definition. The tasks that are used in the build definition are listed in the table below.

    Tasks Usage
    npm npm Installs and publishes npm packages required for the build
    maven Maven builds Java code with the provided pom xml file
    whitesourceboltMend Bolt scans the code in the provided working directory/root directory to detect security vulnerabilities, problematic open source licenses
    copy-files Copy Files copies the resulting JAR files from the source to the destination folder using match patterns
    publish-build-artifacts Publish Build Artifacts publishes the artifacts produced by the build
  4. Once the build is completed, click back navigation to see the summary which shows Test results, Build artifacts etc. as shown below.

    go back build_summary

  5. Navigate to WhiteSource Bolt Build Report tab and wait for the report generation of the completed build to see the vulnerability report. This report shows the list of all vulnerable open source components with Vulnerability Score, Vulnerable Libraries, Severity Distribution

    report

Exercise 3: Analyze Reports

Mend bolt automatically detects OpenSource components in the software including transitive dependencies and their respective licenses.

Security Vulnerabilities

The security vulnerability section shows vulnerabilty, name of the library, description and Top Fix

Security

License risks

You can see the opensource license distribution and a detailed view of all components and links to their metadata and licensed references.

LicenceRisks

Summary

With Azure DevOps and Mend Bolt integration, you can shift-left your open source management. The integration allows you to have alerts in real time, on vulnerabilities and other issues to help you take immediate action.